Published: 10/01/2005 Updated: 11/07/2017
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x prior to 8.60.3878 Hotfix 68, and 9.x prior to 9.1.4691 Hotfix 40, allows remote malicious users to execute arbitrary code via a registration request with a long hostname.

Vulnerable Product

symantec veritas backup exec 8.0

symantec veritas backup exec 8.5

symantec veritas backup exec 8.6

symantec veritas backup exec 9.0

symantec veritas backup exec 9.1


##
# $Id: name_service.rb 9583 2010-06-22 19:11:05Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'

class Meta ...

/* Got to give it to class101 on this one * Tested and penetrated / str0ke */ /* VERITAS Backup Exec v914691SP1 v914691SP0 v853572 Agent Browser Service, Remote Stack Overflow Highly Critical All credits to: -iDEFENSE(discovery-wwwiDEFENSEcom), -Thor Doomen(iat-syscall[at]inboxlv), -HD Moore(scode ...

Metasploit Modules

Veritas Backup Exec Name Service Overflow

This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.

msf > use exploit/windows/backupexec/name_service
msf exploit(name_service) > show targets
msf exploit(name_service) > set TARGET <target-id>
msf exploit(name_service) > show options
    ...show and set options...
msf exploit(name_service) > exploit
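
The root cause described above is a recv() length that is larger than the destination stack buffer. The fix is to derive the length from the buffer and to reject an agent name that does not fit. The C code below is an added example, not code from Veritas, Metasploit or this page; the 60-byte buffer size, the function names and the socketpair harness with its constructed inputs are assumptions, and it uses POSIX sockets rather than Winsock so that it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define AGENT_NAME_MAX 60 /* assumed size; the page only says ~60 bytes */

/* Flawed pattern (comment only, never executed), length > sizeof(name):
 *     char name[AGENT_NAME_MAX]; recv(fd, name, BIGGER_LEN, 0);  */

/* Hardened receive: recv() is capped at the destination size and a name
 * with no terminator inside that cap is rejected, not truncated.
 * Returns the name length, or -1 on error or oversize input.
 * Simplification: one recv() per name; a real parser would loop. */
int recv_agent_name(int fd, char *dst, size_t dst_sz)
{
    ssize_t n = recv(fd, dst, dst_sz, 0);
    if (n <= 0)
        return -1;
    if (memchr(dst, '\0', (size_t)n) == NULL) {
        memset(dst, 0, dst_sz); /* do not hand partial input to callers */
        return -1;
    }
    return (int)strlen(dst);
}

/* Offline harness: feeds a constructed request through a local socketpair. */
int demo_name(const char *payload, size_t len)
{
    int sv[2], rc = -1;
    char name[AGENT_NAME_MAX];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    if (send(sv[0], payload, len, 0) == (ssize_t)len)
        rc = recv_agent_name(sv[1], name, sizeof name);
    close(sv[0]);
    close(sv[1]);
    return rc;
}

int main(void)
{
    char big[201] = {0};
    memset(big, 'A', 200); /* constructed oversize name */
    printf("short=%d long=%d\n", demo_name("backup-host-01", 15),
           demo_name(big, sizeof big));
    return 0;
}
```

After a rejection the caller should close the connection, since the unread remainder of the oversize name is still queued on the socket.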