bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/33071.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

54 lines
No EOL
2.6 KiB
Text
Raw Permalink Blame History

# Exploit Title: McAfee ePolicy Orchestrator 4.6.0-4.6.5 (ePowner) - Multiple vulnerabilities
# Date: 20 November 2012
# Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com)
# Vendor Homepage: http://www.mcafee.com/uk/products/epolicy-orchestrator.aspx
# Version: 4.6.0 -> 4.6.5
# Tested on: Windows 2003/2008
# CVE : CVE-2013-0140 , CVE-2013-0141
# More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner
PoC:
v0.2.1- https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33071-2.tar.gz (epowner-0.2.1.zip)
=====================================================================================================
INTRODUCTION
=====================================================================================================
- In short, this tool registers a rogue agent on the ePo server and then takes advantage of the
following vulnerabilities to perform multiple actions :
- CVE-2013-0140 : Pre-auth SQL Injection
- CVE-2013-0141 : Pre-auth Directory Path Traversal
- The tool manages the following actions, called "mode" :
-r, --register Register a new agent on the ePo server (it's free)
--check Check the SQL Injection vunerability
--add-admin Add a new web admin account into the DB
--readdb Retrieve various information from the database
--get-install-path Retrieve the installation path of ePo software (needed for other modes)
--ad-creds Retrieve and decrypt cached domain credentials from ePo database.
--wipe Wipe our traces from the database and file system
--srv-exec Perform remote command execution on the ePo server
--srv-upload Upload files on the ePo server
--cli-deploy Deploy commands or softwares on clients
- It is strongly advised to read the manual which explains how to use these modes (see below).
But basically, your two first actions must be :
1) Register a rogue agent using '--register'
2) Setup Remote Code execution using '--srv-exec --wizard'
- Usage examples are provided at the end of this file. It is recommended to read the doc before
any of usage of them.
- You may find a vulnerable version of the ePo software on my blog. Deploy 2 VMs (eposrv + epocli) and
test it !
- The tool was developed/tested on Backtrack 5r3, Kali Linux 1.0.6 and Ubuntu 12.04.
It won't work under Windows due to linux tools dependencies.
. ePolicy Orchestrator was running on Win2003 and Win2003 R2
. The managed station were running on WinXPsp3 and Win7
Reference in a new issue View git blame Copy permalink