Exploit module for CVE-2017-8895, UAF in Backup Exec Windows agent #8442
This module exploits a use-after-free vulnerability in the handling of SSL NDMP connections in Veritas/Symantec Backup Exec's Remote Agent for Windows. When SSL is re-established on an NDMP connection that has previously had SSL established, the `BIO` struct for the connection's previous SSL session is reused, even though it has previously been freed.

Successful exploitation will give remote code execution as the user of the Backup Exec Remote Agent for Windows service, almost always `NT AUTHORITY\SYSTEM`.

Verification

- Start `msfconsole`
- Run the `check` command
- `set target [TARGET]`
- Run the `exploit` command
- You should get an `NT AUTHORITY\SYSTEM` shell :)

An example session is as follows:
More detail in the commit that adds documentation!
I appreciate that the exploit module itself is rather large, but a large part is ROP chains for multiple stages across multiple versions of both 32- and 64-bit agents. Keen to know if there's a better way that exploits normally include such ROP chains in MSF code.

In addition, this adds a new mixin, `Msf::Exploit::Remote::NDMPSocket`. This provides the `NDMP::Socket` and `NDMP::Message` classes to an exploit, which are used for NDMP protocol handling. There's the existing `Msf::Exploit::Remote::NDMP` mixin, but this only allows a single socket to be used, and has limited handling of packet fragmentation and message (de-)serialisation. I realise a double-up of functionality is not ideal, but I'm hesitant to rewrite the existing exploits that make use of the old module. Some guidance as to whether this approach is acceptable or what to do instead would be great too.
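The bug class the PR description refers to, as an added illustration rather than code from the module or from the Backup Exec agent: a connection object keeps a pointer to its SSL session's `BIO`, SSL teardown frees that object without clearing the pointer, and a later SSL re-establishment on the same connection treats the non-NULL pointer as still valid. The `struct bio`, the `ndmp_conn` layout and the first-fit slot allocator are all constructed stand-ins (the allocator replaces `malloc`/`free` so that slot reuse is deterministic), and the "attacker-controlled allocation" that lands in the freed slot is a hypothetical later allocation, not a step from the real exploit. The fixed variant beside it shows the two-line discipline that closes the window: clear the pointer on free, and never reuse a leftover pointer on re-establish.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the bug class described in the PR, not the agent's real
 * code. A tiny fixed-slot allocator stands in for the heap so that reuse of a
 * freed slot is deterministic and observable from a test. */
#define SLOT_SIZE 64
#define NSLOTS    4

static uint64_t arena[NSLOTS][SLOT_SIZE / sizeof(uint64_t)]; /* 8-byte aligned slots */
static int      slot_used[NSLOTS];

static void arena_reset(void) { memset(slot_used, 0, sizeof slot_used); }

/* First-fit: a freed slot is handed straight back to the next caller. */
static void *arena_alloc(void) {
    for (int i = 0; i < NSLOTS; i++) {
        if (!slot_used[i]) {
            slot_used[i] = 1;
            memset(arena[i], 0, SLOT_SIZE);
            return arena[i];
        }
    }
    return NULL;
}

static void arena_free(void *p) {
    for (int i = 0; i < NSLOTS; i++)
        if ((void *)arena[i] == p) slot_used[i] = 0;
}

/* Hypothetical stand-in for OpenSSL's BIO: the I/O object the SSL layer reads
 * and writes through. The magic value lets a test see what the pointer aliases. */
#define BIO_MAGIC 0x00B10B10u
struct bio { uint32_t magic; int fd; };

struct ndmp_conn {
    int         fd;
    struct bio *bio;        /* pointer to the current SSL session's BIO */
    int         ssl_active;
};

static struct bio *bio_new(int fd) {
    struct bio *b = arena_alloc();
    if (b) { b->magic = BIO_MAGIC; b->fd = fd; }
    return b;
}

/* Vulnerable variant: teardown frees the BIO but leaves conn->bio dangling, and
 * establish treats any non-NULL conn->bio as "still valid" and reuses it. */
static void ssl_teardown_vuln(struct ndmp_conn *c) {
    arena_free(c->bio);          /* BUG: c->bio is not cleared */
    c->ssl_active = 0;
}

static struct bio *ssl_establish_vuln(struct ndmp_conn *c) {
    if (c->bio == NULL) c->bio = bio_new(c->fd);
    c->ssl_active = 1;
    return c->bio;               /* on re-establish this is the freed slot */
}

/* Fixed variant: clear the pointer on free, always build a fresh BIO. */
static void ssl_teardown_fixed(struct ndmp_conn *c) {
    arena_free(c->bio);
    c->bio = NULL;
    c->ssl_active = 0;
}

static struct bio *ssl_establish_fixed(struct ndmp_conn *c) {
    if (c->bio != NULL) ssl_teardown_fixed(c);   /* never trust a leftover pointer */
    c->bio = bio_new(c->fd);
    c->ssl_active = 1;
    return c->bio;
}

/* Scenario: SSL up, SSL down, a constructed attacker-controlled allocation
 * lands in the freed slot and is filled with 'A', SSL re-established. Returns
 * the magic the second session's BIO carries: BIO_MAGIC when a fresh BIO was
 * built, 0x41414141 when the stale pointer now aliases the attacker's bytes. */
uint32_t reestablish_ssl(int fixed) {
    struct ndmp_conn c = { .fd = 7, .bio = NULL, .ssl_active = 0 };
    arena_reset();

    if (fixed) ssl_establish_fixed(&c); else ssl_establish_vuln(&c);
    if (fixed) ssl_teardown_fixed(&c);  else ssl_teardown_vuln(&c);

    unsigned char *attacker = arena_alloc();   /* hypothetical later allocation */
    memset(attacker, 'A', SLOT_SIZE);

    struct bio *second = fixed ? ssl_establish_fixed(&c) : ssl_establish_vuln(&c);
    return second->magic;
}

int main(void) {
    printf("vulnerable: BIO magic after re-establish = 0x%08x\n", (unsigned)reestablish_ssl(0));
    printf("fixed:      BIO magic after re-establish = 0x%08x\n", (unsigned)reestablish_ssl(1));
    return 0;
}
```

In the vulnerable path the second `ssl_establish` never allocates, so every read and write the new SSL session makes through its `BIO` goes to memory the attacker's later allocation now owns; that is the primitive a ROP chain is built on top of. In the fixed path the leftover pointer is gone by the time re-establishment happens, so the second session gets its own slot.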