forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
18 changes to exploits/shellcodes Active WebCam 11.5 - Unquoted Service Path ECOA Building Automation System - Missing Encryption Of Sensitive Information Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai ECOA Building Automation System - Hard-coded Credentials SSH Access Men Salon Management System 1.0 - Multiple Vulnerabilities ECOA Building Automation System - Weak Default Credentials ECOA Building Automation System - Path Traversal Arbitrary File Upload ECOA Building Automation System - Directory Traversal Content Disclosure ECOA Building Automation System - 'multiple' Cross-Site Request Forgery (CSRF) ECOA Building Automation System - Cookie Poisoning Authentication Bypass ECOA Building Automation System - Configuration Download Information Disclosure ECOA Building Automation System - Hidden Backdoor Accounts and backdoor() Function ECOA Building Automation System - Remote Privilege Escalation ECOA Building Automation System - Local File Disclosure ECOA Building Automation System - Arbitrary File Deletion Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
- Loading branch information
Offensive Security
committed
Sep 14, 2021
1 parent
99b8f09
commit 629e350
Showing
20 changed files
with
2,015 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| # Exploit Title: ECOA Building Automation System - Missing Encryption Of Sensitive Information | ||
| # Date: 25.06.2021 | ||
| # Exploit Author: Neurogenesia | ||
| # Vendor Homepage: http://www.ecoa.com.tw | ||
|
|
||
| ECOA Building Automation System Missing Encryption Of Sensitive Information | ||
|
|
||
|
|
||
| Vendor: ECOA Technologies Corp. | ||
| Product web page: http://www.ecoa.com.tw | ||
| Affected version: ECOA ECS Router Controller - ECS (FLASH) | ||
| ECOA RiskBuster Terminator - E6L45 | ||
| ECOA RiskBuster System - RB 3.0.0 | ||
| ECOA RiskBuster System - TRANE 1.0 | ||
| ECOA Graphic Control Software | ||
| ECOA SmartHome II - E9246 | ||
| ECOA RiskTerminator | ||
|
|
||
| Summary: | ||
| #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are | ||
| designed to provide you with the latest in the Human Machine Interface (HMI) technology, | ||
| for completely monitoring and controlling management. It may be used singly for small and | ||
| medium sized facilities, could be linked together via the high-speed Ethernet to other | ||
| servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more | ||
| sophisticated applications. The Risk-Terminator practice Web basic conception that with | ||
| operation simply and conveniently, totally share risk and make sure of security. Even | ||
| remote sites may be controlled and monitored through Ethernet port, which base on standard | ||
| transferring protocol like XML, Modbus TCP/IP or BACnet or URL. | ||
|
|
||
| #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP | ||
| networking technologies. It incorporates an embedded web server that can deliver user-specific | ||
| web pages to any PC or mobile terminal running internet browser software. A user with an | ||
| appropriate security codes can made adjustment or monitor the network control unit form | ||
| any internet access point in the world. It also provides network management, integration | ||
| and process control functions for any existing or new building controllers and microprocessor | ||
| based equipments or system in buildings. The management function provided by the RiskBuster | ||
| such as trend log and alarm generation improves building controllers and microprocessor | ||
| based equipments or system management and audit trail capabilities. The integration function | ||
| provided by the RiskBuster allows seamless integration such as information sharing (read/write) | ||
| between building controllers and microprocessor based equipments or system without any need | ||
| of major upgrade or equipments replacement and allow cost saving. The process control functions | ||
| provided by the RiskBuster allow global control action to be implemented across any building | ||
| controllers and microprocessor based equipments or system to allow full building control. The | ||
| RiskBuster provide a truly cost effective solution for any building automation or high level | ||
| integration application. A truly Ethernet network compliant feature allows the RiskBuster to | ||
| be install anywhere in the building. | ||
|
|
||
| #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for | ||
| Building Automate System; Environment control system; HVAC control system and other types of | ||
| equipment. Being fully programmable it ensures complete application versatility, allowing | ||
| specific products to be created according to customer requests. This controller is a configurable | ||
| unitary controller based on the 32bit series microcomputer, with an on-board clock, have two | ||
| RS-485 local bus. | ||
|
|
||
| #4 The ECS0000160 is a Router Controller for building and industry products based on various | ||
| microprocessors. It not only accessing information but also monitoring and controlling across | ||
| Internet directly. The ECS0000160 can totally replace and improve a typical system that always | ||
| has tedious panel and complex working process. An obviously benefit to our customers is that | ||
| ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed | ||
| to connect with singular specific operating system. It's like a whole package, which provides | ||
| browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all | ||
| through web-pages operating, which works base on standard transmission Internet protocol. The | ||
| ECS0000160 provides a low industry cost. A truly friendly network interface which is simple | ||
| and easy to apply on factory floors. It supports from serial ports with options of RS485. | ||
|
|
||
| #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden | ||
| installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A | ||
| conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, | ||
| integral and differential (P+I+D) and dead-zone control to control accurately. The controller | ||
| features contains the sensing system, proportional control systems, computing modules, control | ||
| modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, | ||
| air monitoring, lighting and power control, the use of premises for buildings, factories, offices, | ||
| conference rooms, restaurants, hotels, etc. | ||
|
|
||
| Desc: | ||
| The BAS controller stores sensitive data (backup exports) in clear-text. | ||
|
|
||
| Tested on: EMBED/1.0 | ||
| Apache Tomcat/6.0.44 | ||
| Apache Tomcat/6.0.18 | ||
| Windows Server | ||
| MySQL Version 5.1.60 | ||
| MySQL Version 4.0.16 | ||
| Version 2.0.1.28 20180628 | ||
|
|
||
|
|
||
| Vulnerability discovered by Neurogenesia | ||
| @zeroscience | ||
|
|
||
|
|
||
| Advisory ID: ZSL-2021-5676 | ||
| Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5676.php | ||
|
|
||
|
|
||
| 25.06.2021 | ||
|
|
||
| -- | ||
|
|
||
|
|
||
| Missing Encryption of Sensitive Information | ||
| ------------------------------------------- | ||
|
|
||
| - Data stored on the system is not protected/encrypted. | ||
|
|
||
| sql_[DATE]linux.dat reveals clear-text password from backup. | ||
|
|
||
| Excerpt from DB: | ||
|
|
||
| Insert into userlist (userid,userpwd,userClass,userfrm,duetime,modidate,userMenu,usertel,usermobil,usermail,gpname,userCname,usergrp) values (?,?,?,?,?,?,?,?,?,?,?,?,?)%%2%%1user%%3user%%312%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1guest%%3guest%%31%%3%%30%%320100630133229%%3null%%3%%3%%3%%3%%3%%3%%3%%1humex%%3humex4377 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,114 @@ | ||
| # Exploit Title: ECOA Building Automation System - Hard-coded Credentials SSH Access | ||
| # Date: 25.06.2021 | ||
| # Exploit Author: Neurogenesia | ||
| # Vendor Homepage: http://www.ecoa.com.tw | ||
|
|
||
| ECOA Building Automation System Hard-coded Credentials SSH Access | ||
|
|
||
|
|
||
| Vendor: ECOA Technologies Corp. | ||
| Product web page: http://www.ecoa.com.tw | ||
| Affected version: ECOA ECS Router Controller - ECS (FLASH) | ||
| ECOA RiskBuster Terminator - E6L45 | ||
| ECOA RiskBuster System - RB 3.0.0 | ||
| ECOA RiskBuster System - TRANE 1.0 | ||
| ECOA Graphic Control Software | ||
| ECOA SmartHome II - E9246 | ||
| ECOA RiskTerminator | ||
|
|
||
| Summary: | ||
| #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are | ||
| designed to provide you with the latest in the Human Machine Interface (HMI) technology, | ||
| for completely monitoring and controlling management. It may be used singly for small and | ||
| medium sized facilities, could be linked together via the high-speed Ethernet to other | ||
| servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more | ||
| sophisticated applications. The Risk-Terminator practice Web basic conception that with | ||
| operation simply and conveniently, totally share risk and make sure of security. Even | ||
| remote sites may be controlled and monitored through Ethernet port, which base on standard | ||
| transferring protocol like XML, Modbus TCP/IP or BACnet or URL. | ||
|
|
||
| #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP | ||
| networking technologies. It incorporates an embedded web server that can deliver user-specific | ||
| web pages to any PC or mobile terminal running internet browser software. A user with an | ||
| appropriate security codes can made adjustment or monitor the network control unit form | ||
| any internet access point in the world. It also provides network management, integration | ||
| and process control functions for any existing or new building controllers and microprocessor | ||
| based equipments or system in buildings. The management function provided by the RiskBuster | ||
| such as trend log and alarm generation improves building controllers and microprocessor | ||
| based equipments or system management and audit trail capabilities. The integration function | ||
| provided by the RiskBuster allows seamless integration such as information sharing (read/write) | ||
| between building controllers and microprocessor based equipments or system without any need | ||
| of major upgrade or equipments replacement and allow cost saving. The process control functions | ||
| provided by the RiskBuster allow global control action to be implemented across any building | ||
| controllers and microprocessor based equipments or system to allow full building control. The | ||
| RiskBuster provide a truly cost effective solution for any building automation or high level | ||
| integration application. A truly Ethernet network compliant feature allows the RiskBuster to | ||
| be install anywhere in the building. | ||
|
|
||
| #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for | ||
| Building Automate System; Environment control system; HVAC control system and other types of | ||
| equipment. Being fully programmable it ensures complete application versatility, allowing | ||
| specific products to be created according to customer requests. This controller is a configurable | ||
| unitary controller based on the 32bit series microcomputer, with an on-board clock, have two | ||
| RS-485 local bus. | ||
|
|
||
| #4 The ECS0000160 is a Router Controller for building and industry products based on various | ||
| microprocessors. It not only accessing information but also monitoring and controlling across | ||
| Internet directly. The ECS0000160 can totally replace and improve a typical system that always | ||
| has tedious panel and complex working process. An obviously benefit to our customers is that | ||
| ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed | ||
| to connect with singular specific operating system. It's like a whole package, which provides | ||
| browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all | ||
| through web-pages operating, which works base on standard transmission Internet protocol. The | ||
| ECS0000160 provides a low industry cost. A truly friendly network interface which is simple | ||
| and easy to apply on factory floors. It supports from serial ports with options of RS485. | ||
|
|
||
| #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden | ||
| installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A | ||
| conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, | ||
| integral and differential (P+I+D) and dead-zone control to control accurately. The controller | ||
| features contains the sensing system, proportional control systems, computing modules, control | ||
| modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, | ||
| air monitoring, lighting and power control, the use of premises for buildings, factories, offices, | ||
| conference rooms, restaurants, hotels, etc. | ||
|
|
||
| Desc: | ||
| The BAS controller is vulnerable to hard-coded credentials within its Linux distribution image. | ||
| These sets of credentials are never exposed to the end-user and cannot be changed through any | ||
| normal operation of the device. | ||
|
|
||
| Tested on: EMBED/1.0 | ||
| Apache Tomcat/6.0.44 | ||
| Apache Tomcat/6.0.18 | ||
| Windows Server | ||
| MySQL Version 5.1.60 | ||
| MySQL Version 4.0.16 | ||
| Version 2.0.1.28 20180628 | ||
|
|
||
|
|
||
| Vulnerability discovered by Neurogenesia | ||
| @zeroscience | ||
|
|
||
|
|
||
| Advisory ID: ZSL-2021-5675 | ||
| Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5675.php | ||
|
|
||
|
|
||
| 25.06.2021 | ||
|
|
||
| -- | ||
|
|
||
|
|
||
| Hard-coded Credentials / Remote SSH Access | ||
| ------------------------------------------ | ||
|
|
||
| - Exercise for the nation-state actors and actresses. | ||
|
|
||
|
|
||
| root:$1$ILT0V4Sf$AR4nYzAFri3Cqi2BwFD/h.:16183:0:99999:7::: | ||
| user:$1$pJefShJL$CoX8T20vn1g.ug0jZIczM.:11851:0:99999:7::: | ||
| webs:$1$ZP8rifJj$8Nq6pvZfZleSOM1NxQAck0::::::: | ||
| admin:$1$7BGOwUYp$dgzOcdE9eXPmxZ0PomIOR0::::::: | ||
| ecoa:$1$Ux/uar1o$RlMzoY0I7KEMkmNzDqzFz1:-5835:0:99999:7::: | ||
| humex:$1$1v5rveDi$bXRhL1q20wpYM5vo3aZ050:-5877:0:99999:7::: | ||
| guest:$1$Zb9DELKT$IK8/EnLI8o0G36kjjBjWj1:6845:0:99999:7::: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| # Exploit Title: ECOA Building Automation System - Weak Default Credentials | ||
| # Date: 25.06.2021 | ||
| # Exploit Author: Neurogenesia | ||
| # Vendor Homepage: http://www.ecoa.com.tw | ||
|
|
||
|
|
||
| ECOA Building Automation System Weak Default Credentials | ||
|
|
||
|
|
||
| Vendor: ECOA Technologies Corp. | ||
| Product web page: http://www.ecoa.com.tw | ||
| Affected version: ECOA ECS Router Controller - ECS (FLASH) | ||
| ECOA RiskBuster Terminator - E6L45 | ||
| ECOA RiskBuster System - RB 3.0.0 | ||
| ECOA RiskBuster System - TRANE 1.0 | ||
| ECOA Graphic Control Software | ||
| ECOA SmartHome II - E9246 | ||
| ECOA RiskTerminator | ||
|
|
||
| Summary: | ||
| #1 The Risk-Terminator Web Graphic control BEMS (Building Energy Management System) are | ||
| designed to provide you with the latest in the Human Machine Interface (HMI) technology, | ||
| for completely monitoring and controlling management. It may be used singly for small and | ||
| medium sized facilities, could be linked together via the high-speed Ethernet to other | ||
| servers that suit to World Wide Web (WWW) or Local Area Network (LAN) for large and more | ||
| sophisticated applications. The Risk-Terminator practice Web basic conception that with | ||
| operation simply and conveniently, totally share risk and make sure of security. Even | ||
| remote sites may be controlled and monitored through Ethernet port, which base on standard | ||
| transferring protocol like XML, Modbus TCP/IP or BACnet or URL. | ||
|
|
||
| #2 The RiskBuster is a Web enabled network Router Server that uses Ethernet and TCP/IP | ||
| networking technologies. It incorporates an embedded web server that can deliver user-specific | ||
| web pages to any PC or mobile terminal running internet browser software. A user with an | ||
| appropriate security codes can made adjustment or monitor the network control unit form | ||
| any internet access point in the world. It also provides network management, integration | ||
| and process control functions for any existing or new building controllers and microprocessor | ||
| based equipments or system in buildings. The management function provided by the RiskBuster | ||
| such as trend log and alarm generation improves building controllers and microprocessor | ||
| based equipments or system management and audit trail capabilities. The integration function | ||
| provided by the RiskBuster allows seamless integration such as information sharing (read/write) | ||
| between building controllers and microprocessor based equipments or system without any need | ||
| of major upgrade or equipments replacement and allow cost saving. The process control functions | ||
| provided by the RiskBuster allow global control action to be implemented across any building | ||
| controllers and microprocessor based equipments or system to allow full building control. The | ||
| RiskBuster provide a truly cost effective solution for any building automation or high level | ||
| integration application. A truly Ethernet network compliant feature allows the RiskBuster to | ||
| be install anywhere in the building. | ||
|
|
||
| #3 ECM0000160 Digital Logic Controller (DLC) are Pre-programmed controller it intended for | ||
| Building Automate System; Environment control system; HVAC control system and other types of | ||
| equipment. Being fully programmable it ensures complete application versatility, allowing | ||
| specific products to be created according to customer requests. This controller is a configurable | ||
| unitary controller based on the 32bit series microcomputer, with an on-board clock, have two | ||
| RS-485 local bus. | ||
|
|
||
| #4 The ECS0000160 is a Router Controller for building and industry products based on various | ||
| microprocessors. It not only accessing information but also monitoring and controlling across | ||
| Internet directly. The ECS0000160 can totally replace and improve a typical system that always | ||
| has tedious panel and complex working process. An obviously benefit to our customers is that | ||
| ECS0000160 enabling them to interact with their systems anytime, anywhere, not only just allowed | ||
| to connect with singular specific operating system. It's like a whole package, which provides | ||
| browsers an easy platform to monitor and control the doors, alarms, devices, etc. that all | ||
| through web-pages operating, which works base on standard transmission Internet protocol. The | ||
| ECS0000160 provides a low industry cost. A truly friendly network interface which is simple | ||
| and easy to apply on factory floors. It supports from serial ports with options of RS485. | ||
|
|
||
| #5 HOME SERVER-EHC9246150 - This web basic home-server is with the specifications of hidden | ||
| installation, 32bits microcomputer and I/O Peripheral expansion circuit, which include: D/A | ||
| conversion circuit, A/D conversion circuit and optical isolation circuit, using default proportional, | ||
| integral and differential (P+I+D) and dead-zone control to control accurately. The controller | ||
| features contains the sensing system, proportional control systems, computing modules, control | ||
| modules, alarm detection system, and so on. It mainly used in building control, plant monitoring, | ||
| air monitoring, lighting and power control, the use of premises for buildings, factories, offices, | ||
| conference rooms, restaurants, hotels, etc. | ||
|
|
||
| Desc: | ||
| The BAS controller uses weak set of default administrative credentials that can be easily guessed | ||
| in remote password attacks and gain full control of the system. | ||
|
|
||
| Tested on: EMBED/1.0 | ||
| Apache Tomcat/6.0.44 | ||
| Apache Tomcat/6.0.18 | ||
| Windows Server | ||
| MySQL Version 5.1.60 | ||
| MySQL Version 4.0.16 | ||
| Version 2.0.1.28 20180628 | ||
|
|
||
|
|
||
| Vulnerability discovered by Neurogenesia | ||
| @zeroscience | ||
|
|
||
|
|
||
| Advisory ID: ZSL-2021-5668 | ||
| Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5668.php | ||
|
|
||
|
|
||
| 25.06.2021 | ||
|
|
||
| -- | ||
|
|
||
|
|
||
| Default / Weak Credentials | ||
| -------------------------- | ||
|
|
||
| - Attacker can use default credentials and authenticate to the SmartHome, Building Automation and Access Control System. | ||
|
|
||
|
|
||
| Credentials: | ||
|
|
||
| guest:guest | ||
| user:user | ||
| admin:admin | ||
| root:embed | ||
| embed:power | ||
| administrator:empty | ||
| humex:humex4377 | ||
| ecoa:ecoa4377 |
Oops, something went wrong.