Metasploit mailing list archives

Exploiting CA Client License Overflow.
From: hdm at metasploit.com (H D Moore)
Date: Fri, 18 Mar 2005 01:45:30 -0600

Hello,

The original version of the metasploit exploit would only work on older 
versions of the client/server (1.5x). I updated these modules to exploit 
both versions with the same request. The new exploit modules will be 
pushed into msfupdate in a few minutes :-)

I downloaded a copy of the eTrust Pest Patrol software evaluation and 
successfully tested the new modules. You need to set the TARGET variable 
to 3 (Windows XP English SP2) and only have one shot to exploit the flaw. 
If you are attacking the software from a non-Windows system, you may need 
to run "nmbd" or add a DNS entry for your IP address. When exploiting 
this bug on apps like the CA eTrust IDS, it will only work if the client 
can reverse-resolve your IP address and connect back to the fake "license 
server" that the exploit emulates.

To clarify, when you exploit the License Server, you simply connect to the 
port and send the request. When you exploit the License Client (which is 
enabled on nearly everything made by CA, where the Server is not), the 
exploit first connects to the client port and sends a request, causing 
the client to reverse-resolve the IP address of the attacking machine, 
and then connect back to it. The exploit accepts the connection from the 
client, queries it for the remote version number, and then exploits it. 
If your attacking system is behind a firewall, this will prevent the 
client from connecting back and receiving the exploit request.

If you run into any problems with the new modules, please let me know.

-HD

PS. The last couple weeks have been busy for the metasploit staff -- 
spoonm and I were on the west coast at one conference while skape was on 
the east coast giving a talk at Interz0ne 4. Keep an eye on the web site 
over the next week for some updates...

On Friday 11 March 2005 09:48, Michael Cameron wrote:
I've tried numerous times to exploit CA License Overflow.
I've installed eTrust Pest Patrol 5 on a English Windows XP SP2
machine.
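The connect-back sequence described above (an inbound connection to the license client port, followed by the client opening a new connection back to the same peer) leaves a recognisable pair of events in connection logs. The following is an added defender-side example, not code from this thread or from Metasploit; the license client port number and the log line format are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed TCP port of the CA license client service; the post does not name one.
LICENSE_CLIENT_PORT = 10203
# A connect-back this soon after an inbound request is treated as suspicious.
WINDOW = timedelta(seconds=30)

# Constructed sample connection log (not from the post), one connection per line:
# timestamp src sport dst dport
SAMPLE_LOG = """\
2005-03-18T01:40:00 192.0.2.10 41000 198.51.100.5 10203
2005-03-18T01:40:01 198.51.100.5 1045 192.0.2.10 10203
2005-03-18T01:41:00 192.0.2.11 41001 198.51.100.5 10203
2005-03-18T01:50:00 198.51.100.5 1046 192.0.2.11 10203
"""


def parse_log(text):
    """Parse the assumed log format into (ts, src, sport, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return events


def find_connect_backs(events, port=LICENSE_CLIENT_PORT, window=WINDOW):
    """Return (client, peer, inbound_ts, outbound_ts) for every host that was
    contacted on the license client port and then connected back to the same
    peer within `window` - the pattern the client-side exploit depends on."""
    inbound = defaultdict(list)  # (client, peer) -> timestamps of inbound requests
    hits = []
    for ts, src, sport, dst, dport in sorted(events):
        if dport == port:
            inbound[(dst, src)].append(ts)
        # Any new connection from a client back to a peer that recently hit its
        # license port counts, whatever destination port the client chose.
        for t_in in inbound.get((src, dst), []):
            if timedelta(0) <= ts - t_in <= window:
                hits.append((src, dst, t_in, ts))
    return hits


if __name__ == "__main__":
    for client, peer, t_in, t_out in find_connect_backs(parse_log(SAMPLE_LOG)):
        print(f"{client} connected back to {peer} {t_out - t_in} after inbound request")
```

The second host pair in the sample log is not reported because its connect-back happens nine minutes later, outside the window; a reverse DNS (PTR) lookup by the client for the peer address, as the post describes, is a second signal worth correlating if resolver logs are available.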
