Path: blob/master/documentation/modules/exploit/linux/http/cayin_cms_ntp.md
Vulnerable Application
This module exploits an authenticated RCE in Cayin CMS <= 11.0. The RCE is executed through the ntpIp parameter of the system_service.cgi file. The field is limited in size, so repeated requests are made to build up a larger payload. Cayin CMS-SE is built for Ubuntu 16.04 (20.04 failed to install correctly), so the environment should be fairly uniform across targets rather than varying from one to the next. Exploitation results in root-level access.
In the CMS-SE UI there are several options for the NTP server setting:

- Test (this runs the RCE 3 times, so it is exploitable, but a different strategy such as wget would be required)
- Save (saves the data, but doesn't run it)
- Update (what was used in this exploit)
Default authentication for the system is administrator:admin, per the vendor guide.
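As an added defensive example (not part of the module or its documentation), the following Python scans web server log lines for writes to the ntpIp parameter of system_service.cgi whose value is not an IP address or hostname, and reports clients that issue such writes repeatedly, since the module needs several size-limited requests to deliver its payload. The log format, the /cgi-bin/ path prefix and the use of a GET query string are assumptions, and the sample log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Assumed (constructed) log line shape: client "METHOD target HTTP/x.y" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)
# A legitimate NTP server setting is a dotted IPv4 address or a plain hostname.
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')
HOSTNAME_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$')


def ntp_value(target):
    """Return the decoded ntpIp value from a request target, or None if not present."""
    parsed = urlparse(target)
    if not parsed.path.endswith('/system_service.cgi'):
        return None
    values = parse_qs(parsed.query).get('ntpIp')  # parse_qs percent-decodes values
    return values[0] if values else None


def is_suspicious_ntp(value):
    """True when the value cannot be an NTP server address (metacharacters, spaces, ...)."""
    return not (IPV4_RE.match(value) or HOSTNAME_RE.match(value))


def analyze(lines, burst_threshold=3):
    """Count suspicious ntpIp writes per client; return (counts, clients at/over threshold)."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        value = ntp_value(m['target'])
        if value is not None and is_suspicious_ntp(value):
            counts[m['client']] += 1
    bursts = sorted(c for c, n in counts.items() if n >= burst_threshold)
    return counts, bursts


# Constructed sample log: one benign client, one repeat offender, one single odd value.
SAMPLE_LOG = """\
10.0.0.5 "GET /cgi-bin/system_service.cgi?ntpIp=pool.ntp.org HTTP/1.1" 200
10.0.0.5 "GET /cgi-bin/system_service.cgi?ntpIp=192.168.1.1 HTTP/1.1" 200
10.0.0.9 "GET /cgi-bin/system_service.cgi?ntpIp=1.2.3.4%3Bls HTTP/1.1" 200
10.0.0.9 "GET /cgi-bin/system_service.cgi?ntpIp=1.2.3.4%3Bls HTTP/1.1" 200
10.0.0.9 "GET /cgi-bin/system_service.cgi?ntpIp=%60id%60 HTTP/1.1" 200
10.0.0.7 "GET /cgi-bin/system_service.cgi?ntpIp=ntp%20x HTTP/1.1" 200
10.0.0.7 "GET /index.html HTTP/1.1" 200"""

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG.splitlines()))
```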
Verification Steps
1. Install the application on Ubuntu 16.04
2. Start msfconsole
3. Do: `use exploits/linux/http/cayin_cms_ntp`
4. Do: `set rhosts [ip]`
5. Do: `run`
6. You should get a root shell.