mailing list archives
Bug in auxiliary/admin/backupexec/dump
From: Robin Wood <robin () digininja org>
Date: Thu, 2 Jun 2011 11:35:30 +0100
There is a bug in the auxiliary/admin/backupexec/dump module. In this
code if the length is less than 4 then get_once is called but as the
length is less than 4 when 4 is subtracted you are requesting a
def ndmp_recv(nsock = self.sock)
# Attempt to read at least four bytes (the length value)
if (self.recv_buff.length < 4)
self.recv_buff << ( sock.get_once(self.recv_buff.length - 4, 5) || '' )
This is the exception thrown in my situation as the initial length is
0 so a length of -4 is requested.
msf auxiliary(dump) > exploit
[*] Attempting to retrieve C:\boot.ini...
[-] Auxiliary failed: ArgumentError negative length -4 given
[-] Call stack:
[-] /Users/robin/src/msf/lib/rex/io/stream.rb:71:in `read_nonblock'
[-] /Users/robin/src/msf/lib/rex/io/stream.rb:71:in `read'
[-] /Users/robin/src/msf/lib/rex/io/stream.rb:201:in `get_once'
[-] /Users/robin/src/msf/lib/msf/core/exploit/ndmp.rb:91:in `ndmp_recv'
[-] (eval):85:in `run'
[*] Auxiliary module execution completed
It either needs to request a correct length or this if needs removing
and the next one that just returns if length is less than 4 left in.
- Bug in auxiliary/admin/backupexec/dump Robin Wood (Jun 02)