Veritas Backup Exec Name Service Overflow
This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.
- hdm <x [at] hdm.io>
- Veritas BE 9.1 SP0/SP1
- Veritas BE 8.5
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/backupexec/name_service msf exploit(name_service) > show targets ...targets... msf exploit(name_service) > set TARGET <target-id> msf exploit(name_service) > show options ...show and set options... msf exploit(name_service) > exploit