Add SonicWall XML-RPC Remote Code Execution Exploit Module #10305
Merged
Is it possible to provide a pcap?
Here is a pcap:
Thank you
Nicely done! I would have asked about encoding with XML entities, but it looks like you've noted
wvu added a commit that referenced this pull request Jul 30, 2018
msjenkins-r7 pushed a commit that referenced this pull request Jul 30, 2018
Release Notes
The exploit/unix/sonicwall/sonicwall_xmlrpc_rce module has been added to the framework. It targets SonicWall Global Management System's XML-RPC service.
Re-submission of pull request #10259 from a unique branch of my repo.
sonicwall_xmlrpc_rce is a remote exploit against SonicWall Global Management
System Virtual Appliance and is written by Michael Flanders of Trend
Micro Zero Day Initiative with assistance by @kernelsmith of Trend Micro Zero
Day Initiative. It is considered a reliable exploit, and allows you to remotely
execute commands as root.
Vulnerable Application
This exploit works against a vulnerable SonicWall Global Management System
Virtual Appliance (A.K.A. SonicWall GMSVP) of versions 8.1 (Build 8110.1197) and
earlier. The virtual appliance can be downloaded here:
This module exploits the virtual appliance's lack of checking on user-supplied
parameters to XML-RPC calls to a vulnerable Java service running on port 21009.
A call to a shell script is made using this user-supplied parameter contained in
backticks allowing command substitution and remote code execution.
To reliably determine whether the target virtual appliance is vulnerable,
you will have to examine the web console's login page. This is also automatically
done in the check function of the exploit.
Verification Steps
msfconsole
use exploit/unix/sonicwall/sonicwall_xmlrpc_rce
set RHOST to the IP address of the vulnerable virtual appliance
set RPORT to 21009
set payload to the desired payload
exploit
Options
been configured to use SSL.
SonicWall GMSVP this is typically http://[ip]:80; therefore, this option is set
by default to 80 (or 443 if set SSL true).
Scenarios
SonicWall GMSVP version 8.0 (Build 8046.1396):
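
The root cause described under Vulnerable Application (a user-supplied XML-RPC parameter reaching a shell inside backticks) can be detected by matching on parsed parameter values, which also catches backticks sent as XML character references. This is an added defensive example, not code from the pull request or the module; the method name example.setValue, the CMD placeholder and the sample requests are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Command-substitution tokens: backticks (the case this page describes) and $( ).
CMD_SUBST = re.compile(r"`|\$\(")
CONTAINERS = ("array", "struct")


def flag_request(body: bytes):
    """Return (methodName, [parameter values containing command substitution])."""
    # XML-RPC needs no DTD; refusing one also avoids entity-expansion abuse.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        raise ValueError("unexpected DTD in XML-RPC body")
    root = ET.fromstring(body)
    if root.tag != "methodCall":
        raise ValueError("not an XML-RPC methodCall")
    hits = []
    # iter() walks nested <array>/<struct> members as well as top-level params.
    for value in root.iter("value"):
        if len(value) == 0:
            texts = [value.text or ""]  # an untyped <value> is a string
        else:
            texts = [c.text or "" for c in value if c.tag not in CONTAINERS]
        # Matching happens after parsing, so &#96; has already become a backtick.
        hits.extend(t for t in texts if CMD_SUBST.search(t))
    return root.findtext("methodName", default=""), hits


def make_call(param_xml: bytes) -> bytes:
    # Constructed request; "example.setValue" is a hypothetical method name.
    return (b"<?xml version='1.0'?><methodCall><methodName>example.setValue"
            b"</methodName><params><param>" + param_xml +
            b"</param></params></methodCall>")


# Constructed samples; CMD is a placeholder, not a real command.
SAMPLES = {
    "benign": make_call(b"<value><string>UTC</string></value>"),
    "literal": make_call(b"<value><string>UTC`CMD`</string></value>"),
    "entity": make_call(b"<value>UTC&#96;CMD&#96;</value>"),
    "nested": make_call(b"<value><array><data><value><string>$(CMD)</string>"
                        b"</value></data></array></value>"),
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        method, hits = flag_request(body)
        print(f"{name:8} {method} {'ALERT ' + repr(hits) if hits else 'ok'}")
```

A raw byte signature for a backtick would miss the "entity" sample; the parsed-value match does not.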