Emc alphastor #3686
Emc alphastor #3686
Conversation
| 'Brent Morris' # inkrypto@gmail.com | ||
| ], | ||
| 'License' => MSF_LICENSE, | ||
| 'Version' => '$Revision: $', |
There was a problem hiding this comment.
Version can be deleted, SVN related, we don't use it anymore, thanks!
|
I have the feeling modules/auxiliary/server/emc_alphastor_75_cmd_injection.rb is the same thing than modules/auxiliary/admin/emc/alphastor/_devicemanager_exec.rb, isn't it? If it's the same thing I don't think worths to add a second module with the same thing. Thoughts? |
| # 96 bytes | ||
| rop = [ | ||
| 0x77bb2563, # pop eax/ retn | ||
| 0x77ba1114, # ptr to kernel32!virtualprotect |
There was a problem hiding this comment.
Fix indentation for the rop chain, please!
|
Hi @inkrypto thanks very much for your collaboration! Did some comments, feel free to discuss anything! On the other hand, I haven't a EMC AlphaStor Device Manager :\ Do you know if there is a free trial or whatever out there for testing? Otherwise, once code review is finished we'll nee dyou to send pcap's / screenshots of modules working ! (once code review is finished! :)) |
|
I miss feedback from @inkrypto about the next question:
According to his last comment on #3648 he hasn't availability right now. Will let this open and will wait for his feedback, once he can handle it! No rush! Thanks @inkrypto ! |
|
When it's ready, I might be able to test, looking into that now
|
|
Hi Juan, The /emc/alphastor/_devicemanager_exec.rb module currently found in the Below, we can see that the packet from Breakpoint 1 hit In the above, we can see the call at 0x00403130 takes 3 arguments; 1 is a The packet sent via auxiliary/server/emc_alphastor_75_cmd_injection is Breakpoint 1 hit Using the new packet we see that a 1 (matching) is returned into EAX. Its Inside the function at 00403130 is a simple strncmp .text:0040356E push edx ; MaxCount On Fri, Aug 22, 2014 at 9:51 AM, Juan Vazquez notifications@github.com
|
|
Another note to add is it doesn't matter the command, as long as a command On Tue, Aug 26, 2014 at 10:19 AM, inkrypto inkrypto@gmail.com wrote:
|
|
Working on randomizing the buffers and stuff. Thanks everyone! On Fri, Aug 22, 2014 at 1:24 PM, Juan Vazquez notifications@github.com
|
|
@jvazquez-r7 I do have the installer if you need it. I'll get to this if you don't, but it might be a lil while. |
|
Whoops sorry I just did another pull request to master. once I realized I BTW I randomized the aux module but couldn't do the exploits because the Screenshots and pcaps coming. On Tue, Aug 26, 2014 at 12:50 PM, Josh notifications@github.com wrote:
|
|
Trying to test modules! |
Indeed, there isn't a lot of space available for the payload, and several badchars. At least being able to run windows meterpreter is desired. |
|
When using "meterpreter/reverse_ord_tcp" I don't get a session but the next crash: MSF options: |
|
emc_alphastor_72 also makes rrobotd to crash, no session: msf options: |
|
About the emc_alphastor_75_cmd_injection, it's okey if it's allowing to work with a new check in more recent versions of alphastor. Anyway, if you're able to inject remote commands it shouldn't be an auxiliary module, but an exploit. You can use an ARCH_CMD payload or a CmdStager in order to achieve native payload executions. The reasons to write an exploit instead of an auxiliary modules are mainly two: (1) sessions use to be more powerful than just execute command by command, (2) auxiliary modules lack of badchars / space analysis, so if someone includes badchars (for example) in the CMD it will fail silently, without any apparent reason for the user. One last thing! Handling several modules in the same pull request makes handling / landing harder, normally doing one pull request by module allows to land modules faster, once they are ready, without having to wait for everything to be ready :) |
|
Due to the max length of the packet and the small size available for the msf > use exploit/windows/emc/emc_alphastor_41 [] Started reverse handler on 192.168.1.19:4444 msf exploit(emc_alphastor_41) > back [] All up in the process space of 'rrobotd.exe'! On Thu, Aug 28, 2014 at 10:25 AM, Juan Vazquez notifications@github.com
|
|
Advisory says "EMC AlphaStor 4.0 prior to build 814 (All platforms)" http://www.securityfocus.com/archive/1/525474 I'm using AS_4.0.Build.116 for testing, which should be vulnerable. Indeed looks like vulnerable because it's crashing / memory is being corrupted =) If you're targeting an specific version of AlphaStor, it should be pointed in the Finally, definitely I would recommend to work in the space limitation to allow windows/meterpreter/reverse_tcp (windows/meterpreter/bind_tcp) at least. For example, looks like you have some space there before overwriting target.ret: What about storing the payload there? Or chars restrictions? What about two requests? one to put the payload in memory, a second one to exploit and use egghunting to find the full payload in memory? (just some options :)) |
|
@inkrypto do you mind to review: #3756 I'm trying to help converting the aux module into an exploit, so hopefully we can land something from this pull request soon :) Would love to see this target covered by msf! Thanks! |
|
Juan, can you please send me the AS_4.0.Build.116 software you're using? Thanks man On Thu, Aug 28, 2014 at 1:09 PM, Juan Vazquez notifications@github.com
|
Plz no piracy thx. :)Sent from a tiny computer. |
|
@todb, I think it's just to test on a different minor version to pin down the problem
|
EMC AlphaStore Modules.