This Metasploit module exploits a stack overflow in the Veritas BackupExec Windows Agent software. This vulnerability occurs when a client authentication request is received with type '3' and a long password argument. Reliable execution is obtained by abusing the stack overflow to smash a SEH pointer.
ba61f8839cb62683a0ecb79152b2af142df471dba3d77bf8cfeb996178ca8a7d
Veritas Backup Exec Agent CONNECT_CLIENT_AUTH Request exploit that makes use of a stack overflow.
4da972cff3f585c3eb26236ddd07ebf71b8f600f2078def3ce58f2880b98c3b3
iDEFENSE Security Advisory 06.23.05-1 - Exploitation of a buffer overflow vulnerability in Veritas Software Corp.'s Backup Exec allows remote attackers to execute arbitrary code. Veritas Backup Exec uses the standard NMDP protocol to communicate with the listening agents. The NMDP protocol allows multiple authentication types, including support for Windows user credentials. The vulnerability specifically exists because of insufficient input validation on CONNECT_CLIENT_AUTH requests.
7e933c29fc49623bd4988caa2ab27aaf3de8ced4a8dcaa75b645a887c3a92529