McAfee ePolicy Orchestrator 4.6.0 < 4.6.5 - 'ePowner' Multiple Vulnerabilities

• Exploit Database
• 105 阅读

• 作者： st3n
  日期： 2014-04-28
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/33071/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55

  # Exploit Title: McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple vulnerabilities # Date: 20 November 2012 # Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com) # Vendor Homepage: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx # Version: 4.6.0 -> 4.6.5 # Tested on: Windows 2003/2008 # CVE : CVE-2013-0140 , CVE-2013-0141 # More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner   PoC: v0.2.1- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33071-2.tar.gz (epowner-0.2.1.zip)   ===================================================================================================== INTRODUCTION =====================================================================================================   - In short, this tool registers a rogue agent on the ePo server and then takes advantage of the following vulnerabilities to perform multiple actions :   - CVE-2013-0140 : Pre-auth SQL Injection - CVE-2013-0141 : Pre-auth Directory Path Traversal   - The tool manages the following actions, called "mode" :   -r, --registerRegister a new agent on the ePo server (it's free) --check Check the SQL Injection vunerability --add-admin Add a new web admin account into the DB --readdbRetrieve various information from the database --get-install-pathRetrieve the installation path of ePo software (needed for other modes) --ad-credsRetrieve and decrypt cached domain credentials from ePo database. --wipeWipe our traces from the database and file system --srv-execPerform remote command execution on the ePo server --srv-uploadUpload files on the ePo server --cli-deployDeploy commands or softwares on clients     - It is strongly advised to read the manual which explains how to use these modes (see below). But basically, your two first actions must be :   1) Register a rogue agent using '--register'   2) Setup Remote Code execution using '--srv-exec --wizard'   - Usage examples are provided at the end of this file. It is recommended to read the doc before any of usage of them.   - You may find a vulnerable version of the ePo software on my blog. Deploy 2 VMs (eposrv + epocli) and test it !   - The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04. It won't work under Windows due to linux tools dependencies. . ePolicy Orchestrator was running on Win2003 and Win2003 R2 . The managed station were running on WinXPsp3 and Win7