CVE-2004-1172
Published 2005-01-10
Priority: P2 · 64 · critical
CVSS 2.0: 10 (vector AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: public exploit available
EPSS: 81.79% (99.6th percentile)
Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec_veritas | backup_exec | — | — |
| symantec_veritas | backup_exec | — | — |
| symantec_veritas | backup_exec | — | — |
| symantec_veritas | backup_exec | — | — |
| symantec_veritas | backup_exec | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- \x02\x00\x32\x00\x20\x00
- \x02\x00\x32\x00\x90\x90\x90\x90
- \x31\xf6\xc1\xec\x0c\xc1\xe4\x0c\x89\xe7\x89\xfb\x6a\x01\x8b\x74\x24\xfe\x31\xd2\x52\x42\xc1\xe2\x10\x52\x57\x56
Detection notes:
- The exploit targets TCP port 6101 (Veritas Backup Exec Agent Browser service). Monitor for unexpected or malformed TCP connections to this port, especially from external or untrusted hosts.
- The exploit sends a two-stage payload: first a small findsock/stack-pivot shellcode (~51 bytes), followed by the real shellcode. Detect two rapid sequential sends to port 6101 from the same source.
- The registration request packet begins with the magic bytes \x02\x00\x32\x00 followed by shellcode. Alert on packets to port 6101 starting with this 4-byte header where the agent name field is 63 bytes or longer.
- The vulnerability is triggered by sending an agent name value of 63 bytes or more in the registration request, overwriting the return address of recv() in benetns.exe.
- The findsock stage shellcode pivots the stack to the beginning of the page using shr/shl esp,0xc. Detect this characteristic stack-alignment sequence in shellcode: \xC1\xEC\x0C\xC1\xE4\x0C.
- The exploit packet ends with the two-byte sequence \xEB\x80 or \xEB\x81 (short backward jump), which is a characteristic trailer of the registration request. Use this as a network signature anchor.
- The hardcoded IAT/return addresses in the exploit are version-specific. The Metasploit module targets Veritas BE 9.1 SP0/SP1 and 8.5/8.6 only; wrong target offsets will crash the service rather than achieve code execution, so a crash of benetns.exe is itself a signal worth investigating.
- The exploit requires only ~60 bytes of contiguous stack space for the first stage; the real shellcode is delivered in a second send. Detection must account for both packets, not just the initial registration request.
- The C PoC (exploit-db 750) notes timing sensitivity: submitting the second-stage shellcode too quickly or too slowly relative to service processing can cause instability or missed execution.
- The reverse-shell shellcode (scode1) embeds the connect-back IP and port at fixed offsets (memcpy at payload[282] and payload[289]); the connect-back IP must not contain null bytes when reverse mode is used.
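The detection notes above describe three network-level signals (the \x02\x00\x32\x00 header with an oversized agent name, the shr/shl esp,0xc stack-pivot bytes, the \xEB\x80/\xEB\x81 trailer) plus a behavioural one (two rapid sends to port 6101 from one source). The following Python is an added example written for this page, not code from the advisory or from any of the listed exploits, showing how a sensor might combine those signals. It assumes the agent name field is everything after the 4-byte header (the page does not describe the exact framing) and that a "send" is already reassembled into a `(timestamp, source, port, payload)` record; the sample sends at the bottom are constructed, not captured traffic.

```python
from typing import Dict, List, NamedTuple, Tuple

# Values taken from the detection notes on this page.
AGENT_BROWSER_PORT = 6101
REGISTRATION_HEADER = b"\x02\x00\x32\x00"
STACK_PIVOT_SEQ = b"\xc1\xec\x0c\xc1\xe4\x0c"   # shr esp,0xc ; shl esp,0xc
SHORT_JUMP_TRAILERS = (b"\xeb\x80", b"\xeb\x81")
AGENT_NAME_THRESHOLD = 63                       # 63 bytes or more triggers the overflow


class Send(NamedTuple):
    ts: float        # seconds since epoch (constructed values below)
    src: str         # source host
    dst_port: int
    payload: bytes


def analyze_registration(payload: bytes, dst_port: int) -> List[str]:
    """Return the list of signature names that match a single send to port 6101.

    Assumption (not stated on the page): the agent name field is everything
    after the 4-byte registration header.
    """
    findings: List[str] = []
    if dst_port != AGENT_BROWSER_PORT or not payload.startswith(REGISTRATION_HEADER):
        return findings
    agent_name = payload[len(REGISTRATION_HEADER):]
    if len(agent_name) >= AGENT_NAME_THRESHOLD:
        findings.append("oversized_agent_name")
    if STACK_PIVOT_SEQ in payload:
        findings.append("stack_pivot_sequence")
    if payload.endswith(SHORT_JUMP_TRAILERS):
        findings.append("short_jump_trailer")
    return findings


def correlate_two_stage(sends: List[Send], window: float = 2.0) -> List[Tuple[str, float, float]]:
    """Flag a source that sends a suspicious registration request and then any
    further data to port 6101 within `window` seconds (the second-stage send).

    Returns (source, registration_ts, second_stage_ts) tuples.
    """
    alerts: List[Tuple[str, float, float]] = []
    pending: Dict[str, float] = {}   # src -> timestamp of the flagged registration
    for s in sorted(sends, key=lambda e: e.ts):
        if s.dst_port != AGENT_BROWSER_PORT:
            continue
        if analyze_registration(s.payload, s.dst_port):
            pending[s.src] = s.ts
            continue
        t0 = pending.get(s.src)
        if t0 is not None and 0.0 <= s.ts - t0 <= window:
            alerts.append((s.src, t0, s.ts))
            del pending[s.src]
    return alerts


# Constructed sample traffic: one benign registration, one that carries all
# three signatures, and the follow-up send from the same source.
BENIGN = REGISTRATION_HEADER + b"BACKUPSRV01\x00"
SUSPICIOUS = REGISTRATION_HEADER + b"A" * 64 + STACK_PIVOT_SEQ + b"\xeb\x80"
SAMPLE_SENDS = [
    Send(0.0, "10.0.0.5", AGENT_BROWSER_PORT, BENIGN),
    Send(10.0, "198.51.100.7", AGENT_BROWSER_PORT, SUSPICIOUS),
    Send(10.3, "198.51.100.7", AGENT_BROWSER_PORT, b"\x90" * 32 + b"SECOND-STAGE-PLACEHOLDER"),
    Send(10.4, "10.0.0.5", 445, b"unrelated traffic"),
]

if __name__ == "__main__":
    for s in SAMPLE_SENDS:
        print(s.src, s.dst_port, analyze_registration(s.payload, s.dst_port))
    print("two-stage alerts:", correlate_two_stage(SAMPLE_SENDS))
```

The per-packet check and the two-send correlation are kept separate on purpose: the header-plus-length rule alone is enough to catch the trigger condition, while the correlation gives a second, independent signal when an IDS only sees the stream after reassembly has merged or split packets differently.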
No detection rules found.
Exploit-DB: Veritas Backup Exec Name Service - Remote Overflow (Metasploit)
exploitdb · 2010-06-22 · CVE-2004-1172
---
##
# $Id: name_service.rb 9583 2010-06-22 19:11:05Z todb $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Veritas Backup Exec Name Service Overflow',
'Description' => %q{
This module exploits a vulnerability in the Veritas Backup
Exec Agent Browser service. This vulnerability occurs when a
recv() call has a length value too long for the destination
stack buffer. By sending an agent name value of 63 bytes or
more, we can overwrite the return address of the recv
function. Si
Exploit-DB: Veritas Backup Exec Agent 8.x/9.x - Browser Overflow
exploitdb · 2005-01-11 · CVE-2004-1172
---
/* Got to give it to class101 on this one.
* Tested and penetrated. / str0ke
*/
/*
VERITAS Backup Exec v9.1.4691.SP1
v9.1.4691.SP0
v8.5.3572
Agent Browser Service, Remote Stack Overflow
Highly Critical
All credits to:
-iDEFENSE(discovery-www.iDEFENSE.com),
-Thor Doomen(iat-syscall[at]inbox.lv),
-H.D. Moore(scode-www.metasploit.com),
-Matt Miller(scode-www.hick.org)
ExtraNotes:
All my tests/debugs were a bit long (some days), firstly due to the big size
of Backup Exec and the instability across different Windows versions
in making that IAT method work with 100% success, and the difficulty of debugging it.
(As a reminder, due to only 60 bytes being free, a tiny shellcode is sent first to scan
the recv function of benetns.exe and j
Metasploit: Veritas Backup Exec Name Service Overflow
This module exploits a vulnerability in the Veritas Backup Exec Agent Browser service. This vulnerability occurs when a recv() call has a length value too long for the destination stack buffer. By sending an agent name value of 63 bytes or more, we can overwrite the return address of the recv function. Since we only have ~60 bytes of contiguous space for shellcode, a tiny findsock payload is sent which uses a hardcoded IAT address for the recv() function. This payload will then roll the stack back to the beginning of the page, recv() the real shellcode into it, and jump to it. This module has been tested against Veritas 9.1 SP0, 9.1 SP1, and 8.6.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/13495/
- http://seer.support.veritas.com/docs/273419.htm
- http://seer.support.veritas.com/docs/273420.htm
- http://seer.support.veritas.com/docs/273422.htm
- http://seer.support.veritas.com/docs/273850.htm
- http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php
- http://www.idefense.com/application/poi/display?id=169
- http://www.kb.cert.org/vuls/id/907729
- http://www.securityfocus.com/bid/11974
- https://exchange.xforce.ibmcloud.com/vulnerabilities/18506
Published: 2005-01-10