The Metasploit Project hosts the world's largest database of quality assured exploits, including hundreds of remote exploits, auxiliary modules, and payloads. You can even review the Metasploit Framework source code of any module - or write your own.

Search for modules

Veritas Backup Exec Name Service Overflow

This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.

Rank

• Average

Authors

• hdm < hdm [at] metasploit.com >

References

• CVE-2004-1172
• OSVDB-12418
• BID-11974
• http://www.idefense.com/application/poi/display?id=169&type=vulnerabilities

Exploit Targets

• 0 - Veritas BE 9.1 SP0/SP1 (default)
• 1 - Veritas BE 8.5

Development

• Source Code
• History

Similar Modules

• exploit/windows/backupexec/remote_agent

Usage Information

Module Options