what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 3 of 3 RSS Feed

CVE-2004-1172

Status Candidate

Overview

Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.

Related Files

Veritas Backup Exec Name Service Overflow
Posted Nov 26, 2009
Authored by H D Moore | Site metasploit.com

This Metasploit module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This Metasploit module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.

tags | exploit, shellcode
advisories | CVE-2004-1172
SHA-256 | ade9d685f4e04cd21d9269d47266dd64392c89471c0f98b8675986dc2199bac2
veritasABS.c
Posted Jan 12, 2005
Authored by class101

Remote stack overflow exploit for Veritas Backup Exec. Works for versions 9.1.4691.SP1, 9.1.4691.SP0, and 8.5.3572. Allows for a shell to be bound to port 101 or it spawn a reverse shell as well.

tags | exploit, remote, overflow, shell
advisories | CVE-2004-1172
SHA-256 | 66d099090c243e36b9f7564b05d434f6f4b2b0d4406b819eb60322f646d6b2fc
iDEFENSE Security Advisory 2004-12-16.5
Posted Dec 30, 2004
Authored by Patrik Karlsson, iDefense Labs | Site idefense.com

iDEFENSE Security Advisory 12.16.2004-5 - Remote exploitation of a stack-based buffer overflow vulnerability in Veritas Backup Exec allows attackers to execute arbitrary code. The vulnerability specifically exists within the function responsible for receiving and parsing registration requests. The registration request packet contains the hostname and connecting TCP port of the client which is stored in an array on the stack. An attacker can send a registration request with an overly long hostname value to overflow the array and take control of the saved return address to execute arbitrary code.

tags | advisory, remote, overflow, arbitrary, tcp
advisories | CVE-2004-1172
SHA-256 | a924ddb439be900e0f1e0eb48321e5e919eec5354788d3a7cc611c97a744d51f
Page 1 of 1
Back1Next

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close