EMC NetWorker 7.6 sp3 – Denial of Service

• Exploit Database
• 118 阅读

• 作者： Luigi Auriemma
  日期： 2012-03-14
• 类别：

  • dos
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/18601/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123

  #######################################################################   Luigi Auriemma   Application:EMC NetWorker (Legato) http://www.emc.com/backup-and-recovery/networker/networker.htm Versions: <= 7.6 sp3 (7.6.3.2 Build 860) Platforms:AIX, HP-UX, Linux, Solaris, Windows Bug:invalid read access Exploitation: remote Date: 14 Mar 2012 Author: Luigi Auriemma e-mail: aluigi@autistici.org web:aluigi.org     #######################################################################     1) Introduction 2) Bug 3) The Code 4) Fix     #######################################################################   =============== 1) Introduction ===============     From vendor&apos;s homepage: "EMC NetWorker backup and recovery software centralizes, automates, and accelerates data backup and recovery across your IT environment. NetWorker delivers record-breaking performance and a wide range of data protection options to safeguard your critical business data."     #######################################################################   ====== 2) Bug ======     nsrexecd is a service listening on some default ports (like 111, 7937 and 7938) plus another couple of random ones usually over port 8000.   Through a malformed RPC packet sent to one these random ports it&apos;s possible to crash the service due to the hash calculation performed over an arbitrary amount of data.   From librpc.dll:   0038B3CF 8B4424 3CMOV EAX,DWORD PTR SS:[ESP+3C] ; my_size 0038B3D3 8B6D 00MOV EBP,DWORD PTR SS:[EBP] 0038B3D6 2BF0 SUB ESI,EAX 0038B3D8 897424 38MOV DWORD PTR SS:[ESP+38],ESI 0038B3DC 8B33 MOV ESI,DWORD PTR DS:[EBX]; size 0038B3DE 8B9C24 90000000MOV EBX,DWORD PTR SS:[ESP+90] 0038B3E5 2BF0 SUB ESI,EAX ; size - my_size 0038B3E7 8B43 10MOV EAX,DWORD PTR DS:[EBX+10] 0038B3EA 50 PUSH EAX 0038B3EB 8D4C24 3CLEA ECX,DWORD PTR SS:[ESP+3C] 0038B3EF 51 PUSH ECX 0038B3F0 8D5424 48LEA EDX,DWORD PTR SS:[ESP+48] 0038B3F4 52 PUSH EDX 0038B3F5 2BF7 SUB ESI,EDI 0038B3F7 53 PUSH EBX 0038B3F8 897424 54MOV DWORD PTR SS:[ESP+54],ESI ; the new size 0038B3FC 896C24 50MOV DWORD PTR SS:[ESP+50],EBP ... 0038AFC5 8D4C24 0CLEA ECX,DWORD PTR SS:[ESP+C] 0038AFC9 51 PUSH ECX 0038AFCA 8B4C24 1CMOV ECX,DWORD PTR SS:[ESP+1C] 0038AFCE 8D5424 0CLEA EDX,DWORD PTR SS:[ESP+C] 0038AFD2 52 PUSH EDX 0038AFD3 8B51 04MOV EDX,DWORD PTR DS:[ECX+4]; new size 0038AFD6 8B09 MOV ECX,DWORD PTR DS:[ECX] 0038AFD8 52 PUSH EDX 0038AFD9 8B5424 2CMOV EDX,DWORD PTR SS:[ESP+2C] 0038AFDD 51 PUSH ECX 0038AFDE 8B48 20MOV ECX,DWORD PTR DS:[EAX+20] 0038AFE1 52 PUSH EDX 0038AFE2 8B50 1CMOV EDX,DWORD PTR DS:[EAX+1C] 0038AFE5 51 PUSH ECX 0038AFE6 52 PUSH EDX 0038AFE7 E8 04E3FFFFCALL LIBRPC.cryptoiface_get_hmac; hash crash   Note: after the crash it&apos;s necessary to restart also the other services so that the situation can return normal and the bug can be tested again.     #######################################################################   =========== 3) The Code ===========     http://aluigi.org/poc/nsrexecd_1.dat https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18601.dat   nc SERVER PORT < nsrexecd_1.dat   it&apos;s enough to scan all the ports from 8000 to 10000 to catch the correct one automatically.     #######################################################################   ====== 4) Fix ======     No fix.     #######################################################################