module
Veritas Backup Exec Name Service Overflow
| Disclosed | Created |
|---|---|
| 2004-12-16 | 2018-05-30 |
Disclosed
2004-12-16
Created
2018-05-30
Description
This module exploits a vulnerability in the Veritas Backup
Exec Agent Browser service. This vulnerability occurs when a
recv() call has a length value too long for the destination
stack buffer. By sending an agent name value of 63 bytes or
more, we can overwrite the return address of the recv
function. Since we only have ~60 bytes of contiguous space
for shellcode, a tiny findsock payload is sent which uses a
hardcoded IAT address for the recv() function. This payload
will then roll the stack back to the beginning of the page,
recv() the real shellcode into it, and jump to it. This
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
8.6.
Exec Agent Browser service. This vulnerability occurs when a
recv() call has a length value too long for the destination
stack buffer. By sending an agent name value of 63 bytes or
more, we can overwrite the return address of the recv
function. Since we only have ~60 bytes of contiguous space
for shellcode, a tiny findsock payload is sent which uses a
hardcoded IAT address for the recv() function. This payload
will then roll the stack back to the beginning of the page,
recv() the real shellcode into it, and jump to it. This
module has been tested against Veritas 9.1 SP0, 9.1 SP1, and
8.6.
Author
hdm x@hdm.io
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.