Metasploit Penetration Testing Framework
Veritas Backup Exec Server Registry Access
This modules exploits a remote registry access flaw in the BackupExec Windows Server RPC service. This vulnerability was discovered by Pedram Amini and is based on the NDR stub information information posted to openrce.org. Please see the action list for the different attack modes.
Rank
- Normal
Authors
- hdm < hdm [at] metasploit.com >
References
- OSVDB-17627
- CVE-2005-0771
- http://www.idefense.com/application/poi/display?id=269&type=vulnerabilities
Development
Similar Modules
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/backupexec/registry
msf auxiliary(registry) > set RHOST [TARGET IP]
msf auxiliary(registry) > run
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use auxiliary/admin/backupexec/registry
msf auxiliary(registry) > set RHOST [TARGET IP]
msf auxiliary(registry) > run
Module Options
| RHOST | The target address |
| RPORT | The target port (default: 6106) |
| WARN | The warning to display for the Logon Notice action (default: Compromised by Metasploit! ) |
| CHOST | The local client address |
| CPORT | The local client port |
| ConnectTimeout | Maximum number of seconds to establish a TCP connection |
| DCERPC::ReadTimeout | The number of seconds to wait for DCERPC responses |
| Proxies | Use a proxy chain |
| SSL | Negotiate SSL for outgoing connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) |
| WORKSPACE | Specify the workspace for this module |
| DCERPC::fake_bind_multi | Use multi-context bind calls |
| DCERPC::fake_bind_multi_append | Set the number of UUIDs to append the target |
| DCERPC::fake_bind_multi_prepend | Set the number of UUIDs to prepend before the target |
| DCERPC::max_frag_size | Set the DCERPC packet fragmentation size |
| DCERPC::smb_pipeio | Use a different delivery method for accessing named pipes (accepted: rw, trans) |
| TCP::max_send_size | Maxiumum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
Metasploit Framework
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement
Rapid7 Privacy Statement