Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-9441 PoC — Nortek Control Linear eMerge E3-Series 安全漏洞

Source
https://github.com/adhikara13/CVE-2024-9441
Associated Vulnerability
Title:Nortek Control Linear eMerge E3-Series 安全漏洞 (CVE-2024-9441)
Description:Nortek Control Linear eMerge E3-Series是美国Nortek Control公司的一种门禁控制器。可指定人员在指定时间可以使用哪些门进出指定地点。 Nortek Control Linear eMerge E3-Series 1.00-07版本及之前版本存在安全漏洞。攻击者利用该漏洞通过login_id参数执行任意操作系统命令。
Description
Nortek Linear eMerge E3 Pre-Auth RCE PoC (CVE-2024-9441)
Readme
## Nortek Linear eMerge E3 Pre-Auth RCE PoC (CVE-2024-9441)

### Description:
This repository contains a Proof of Concept (PoC) exploit for **Nortek Linear eMerge E3** (CVE-2024-9441), which is vulnerable to **Remote Code Execution (RCE)** in a pre-authentication state. The vulnerability is triggered via a flaw in the password recovery feature, which allows an attacker to inject malicious PHP code into the system, leading to arbitrary code execution.

This PoC allows you to:
- Exploit the vulnerability by sending a crafted request.
- Execute arbitrary commands on the target system.
- Scan multiple targets using a mass scan feature from a list of IPs and ports.
- Perform single target scans using customizable parameters (IP, port, command, etc.).

### Vulnerability Details:
- **CVE**: [CVE-2024-9441](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9441)
- **Affected Product**: Nortek Linear eMerge E3 (all versions prior to patch)
- **Type**: Pre-Auth Remote Code Execution
- **Attack Vector**: HTTP POST request exploiting the password recovery mechanism.

### Usage:

#### Requirements:
- Python 3.x
- `requests` library (`pip install requests`)

#### Single Scan Example:

```bash
python3 exploit.py --ip <target_ip> --port <port> --cmd "<command>"
```

#### Mass Scan Example:
Prepare a text file (e.g., `targets.txt`) with a list of target IPs and ports (one per line), then run:

```bash
python3 exploit.py --list targets.txt --cmd "<command>"
```

#### Notes:
- Replace `<command>` with the actual command you want to execute on the target.
- The PoC defaults to executing `/bin/ls -al /spider/web` if no command is provided.

### Disclaimer:
This PoC is for educational and research purposes only. Use responsibly and only against systems for which you have explicit permission to test. The author is not responsible for any misuse of this tool.

### Reference:
- https://ssd-disclosure.com/ssd-advisory-nortek-linear-emerge-e3-pre-auth-rce/
File Snapshot

 [4.0K]  /data/pocs/4c3910c286de28cf78e50f84c54b40c2a3e7c014
├── [2.3K]  exploit.py
└── [1.9K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.