Implement feedback from the PR
@@ -1,10 +1,14 @@
## Vulnerable Application
This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method
which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.
This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.
## Verification Steps
1. Install the application
1. Determine which port the vulnerable AgentPortal service is listening on. It has a non-static value.
1. The port used by the AgentPortal service can be found in the registry at `HKLM\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal`
1. Or you could scan for it and probe the high ports (testing suggests it should be in the 49000 - 50000 range).
1. Start msfconsole
1. Do: `use exploit/windows/misc/ivanti_agent_portal_cmdexec`
1. Set the `RPORT`, `PAYLOAD` and any payload-related options
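Review bot: the Verification Steps end at "Set the `RPORT`, `PAYLOAD` and any payload-related options" and never say to run the module or what a successful run looks like; add the final `run` step and the expected result (a session as NT AUTHORITY\SYSTEM, as the description above states) so a reviewer can confirm the module works. Step 3 names the registry key `HKLM\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal` but not the value under it that holds the port; name that value. Step 4 ("Or you could scan for it...") is an alternative to step 3 rather than a new step, so nest it under step 3 as a sub-bullet. The Vulnerable Application section would also benefit from a link to the vendor advisory behind the "prior to EPM 2021.1 Su4 and EPM 2022 Su2" statement, so the affected-version claim can be checked.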