Arkeia Backup Agent Remote Access: Buffer Overflow Exploit Analysis

On February 18th, 2005 "John Doe" posted a remote buffer overflow exploit for the Arkeia Network Backup Client. This vulnerability affected all known versions of the software, going back as far as the 4.2 series (when the company was called Knox). The buffer overflow occurs when a large data section is sent with a packet marked as type 77. The Arkeia Network Backup Client is your typical backup agent; it runs with the highest privileges available (root or LocalSystem) and waits for a connection from the backup server. The Arkeia client and server both use TCP port 617 for communication. According to the SANS ISC, the kids are wasting no time.

A few hours after the exploit was posted, I started to investigate the flaw and port the code to the Metasploit Framework. On the Windows platform, it was possible switch from a plain return address smash to a SEH frame overwrite. This provides room for about 1000 bytes of payload and avoids the heap tricks used in the original exploit. When overwriting the SEH frame, a pop/pop/ret opcode is used to redirect execution to [esp+8], which happens to always point 4 bytes before the smashed SEH function pointer. Since Windows 2003 and Windows XP SP2 block SEH returns to system libraries, the best return address to use is one found inside the executable itself

The link for this article located at MetaSploit is no longer available.