Implement feedback from the PR

zeroSteiner · zeroSteiner · commit e52edf447c8c · 2024-11-20T13:51:39.000-05:00
diff --git a/documentation/modules/exploit/windows/misc/ivanti_agent_portal_cmdexec.md b/documentation/modules/exploit/windows/misc/ivanti_agent_portal_cmdexec.md
@@ -1,10 +1,14 @@
 ## Vulnerable Application
 This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method
 which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.
+This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.
 
 ## Verification Steps
 
 1. Install the application
+1. Determine which port the vulnerable AgentPortal service is listening on. It has a non-static value.
+   1. The port used by the AgentPortal service can be found in the registry at `HKLM\SOFTWARE\LANDesk\SharedComponents\LANDeskAgentPortal`
+   1. Or you could scan for it and probe the high ports (testing suggests it should be in the 49000 - 50000 range).
 1. Start msfconsole
 1. Do: `use exploit/windows/misc/ivanti_agent_portal_cmdexec`
 1. Set the `RPORT`, `PAYLOAD` and any payload-related options
diff --git a/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb b/modules/exploits/windows/misc/ivanti_agent_portal_cmdexec.rb
@@ -17,6 +17,7 @@ def initialize(info = {})
         'Description' => %q{
           This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method
           which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.
+          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.
         },
         'Author' => [
           'James Horseman', # original poc
@@ -26,6 +27,7 @@ def initialize(info = {})
         'License' => MSF_LICENSE,
         'References' => [
           ['CVE', '2023-28324'],
+          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],
           ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],
         ],
         'Platform' => 'win',
@@ -34,7 +36,7 @@ def initialize(info = {})
           [ 'Automatic', {} ],
         ],
         'DefaultTarget' => 0,
-        'DisclosureDate' => '2023-06-30', # NVD publish date
+        'DisclosureDate' => '2023-06-07', # Ivanti article created date
         'Notes' => {
           'Stability' => [ CRASH_SAFE, ],
           'SideEffects' => [ ],
@@ -44,7 +46,7 @@ def initialize(info = {})
     )
 
     register_options([
-      Opt::RPORT()
+      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),
     ])
     deregister_options('SSL')
   end
@@ -54,8 +56,8 @@ def check
     return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i
 
     CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")
-  rescue Rex::SocketError
-    CheckCode::Safe('MS-NRTP connection failed.')
+  rescue Rex::SocketError => e
+    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")
   end
 
   def exploit
