Vulnerability & Exploit Database

Back to search

Veritas Backup Exec Name Service Overflow

This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name

exploit/windows/backupexec/name_service

Authors

  • hdm <x [at] hdm.io>

References

Targets

  • Veritas BE 9.1 SP0/SP1
  • Veritas BE 8.5

Platforms

  • windows

Reliability

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/backupexec/name_service msf exploit(name_service) > show targets ...targets... msf exploit(name_service) > set TARGET <target-id> msf exploit(name_service) > show options ...show and set options... msf exploit(name_service) > exploit